Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 48a63ed94c47e97c4016dfba0f61b044225b3432 / . / src / session_server_tls.c
blob: 62b789fce0d65ffdbe083b43f5cb3f2defa0c16e [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]2 * \file session_server_tls.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]8 * This source code is licensed under BSD 3-Clause License (the "License").
9 * You may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]11 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]12 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]13 */
14
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]15#define _GNU_SOURCE
16
17#include <string.h>
18#include <poll.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]19#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]20
21#include <openssl/ssl.h>
22#include <openssl/evp.h>
23#include <openssl/err.h>
24#include <openssl/x509v3.h>
25
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]26#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]27#include "session_server_ch.h"
28#include "libnetconf.h"
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]29
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]30struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]31pthread_mutex_t tls_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]32extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]33
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]34static pthread_key_t verify_key;
35static pthread_once_t verify_once = PTHREAD_ONCE_INIT;
36
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]37static char *
38asn1time_to_str(ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]39{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]40 char *cp;
41 BIO *bio;
42 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]43
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]44 if (!t) {
45 return NULL;
46 }
47 bio = BIO_new(BIO_s_mem());
48 if (!bio) {
49 return NULL;
50 }
51 ASN1_TIME_print(bio, t);
52 n = BIO_pending(bio);
53 cp = malloc(n + 1);
54 n = BIO_read(bio, cp, n);
55 if (n < 0) {
56 BIO_free(bio);
57 free(cp);
58 return NULL;
59 }
60 cp[n] = '\0';
61 BIO_free(bio);
62 return cp;
63}
64
65static void
66digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
67{
68 unsigned int i;
69
70 *str = malloc(dig_len * 3);
71 for (i = 0; i < dig_len - 1; ++i) {
72 sprintf((*str) + (i * 3), "%02x:", digest[i]);
73 }
74 sprintf((*str) + (i * 3), "%02x", digest[i]);
75}
76
77/* return NULL - SSL error can be retrieved */
78static X509 *
79base64der_to_cert(const char *in)
80{
81 X509 *out;
82 char *buf;
83 BIO *bio;
84
85 if (in == NULL) {
86 return NULL;
87 }
88
89 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
90 return NULL;
91 }
92 bio = BIO_new_mem_buf(buf, strlen(buf));
93 if (!bio) {
94 free(buf);
95 return NULL;
96 }
97
98 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
99 if (!out) {
100 free(buf);
101 BIO_free(bio);
102 return NULL;
103 }
104
105 free(buf);
106 BIO_free(bio);
107 return out;
108}
109
110/* return NULL - either errno or SSL error */
111static X509 *
112pem_to_cert(const char *path)
113{
114 FILE *fp;
115 X509 *out;
116
117 fp = fopen(path, "r");
118 if (!fp) {
119 return NULL;
120 }
121
122 out = PEM_read_X509(fp, NULL, NULL, NULL);
123 fclose(fp);
124 return out;
125}
126
127static EVP_PKEY *
128base64der_to_privatekey(const char *in, int rsa)
129{
130 EVP_PKEY *out;
131 char *buf;
132 BIO *bio;
133
134 if (in == NULL) {
135 return NULL;
136 }
137
138 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----\n", in, "\n-----END ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----") == -1) {
139 return NULL;
140 }
141 bio = BIO_new_mem_buf(buf, strlen(buf));
142 if (!bio) {
143 free(buf);
144 return NULL;
145 }
146
147 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
148 if (!out) {
149 free(buf);
150 BIO_free(bio);
151 return NULL;
152 }
153
154 free(buf);
155 BIO_free(bio);
156 return out;
157}
158
159static int
160cert_pubkey_match(X509 *cert1, X509 *cert2)
161{
162 ASN1_BIT_STRING *bitstr1, *bitstr2;
163
164 bitstr1 = X509_get0_pubkey_bitstr(cert1);
165 bitstr2 = X509_get0_pubkey_bitstr(cert2);
166
167 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
168 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
169 return 0;
170 }
171
172 return 1;
173}
174
175static int
176nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
177{
178 STACK_OF(GENERAL_NAME) *san_names;
179 GENERAL_NAME *san_name;
180 ASN1_OCTET_STRING *ip;
181 int i, san_count;
182 char *subject, *common_name;
183
184 if (map_type == NC_TLS_CTN_COMMON_NAME) {
185 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
186 common_name = strstr(subject, "CN=");
187 if (!common_name) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]188 WRN("Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]189 free(subject);
190 return 1;
191 }
192 common_name += 3;
193 if (strchr(common_name, '/')) {
194 *strchr(common_name, '/') = '\0';
195 }
196 *username = strdup(common_name);
197 free(subject);
198 } else {
199 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
200 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
201 if (!san_names) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]202 WRN("Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]203 return 1;
204 }
205
206 san_count = sk_GENERAL_NAME_num(san_names);
207 for (i = 0; i < san_count; ++i) {
208 san_name = sk_GENERAL_NAME_value(san_names, i);
209
210 /* rfc822Name (email) */
211 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_RFC822_NAME) &&
212 san_name->type == GEN_EMAIL) {
213 *username = strdup((char *)ASN1_STRING_data(san_name->d.rfc822Name));
214 break;
215 }
216
217 /* dNSName */
218 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_DNS_NAME) &&
219 san_name->type == GEN_DNS) {
220 *username = strdup((char *)ASN1_STRING_data(san_name->d.dNSName));
221 break;
222 }
223
224 /* iPAddress */
225 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_IP_ADDRESS) &&
226 san_name->type == GEN_IPADD) {
227 ip = san_name->d.iPAddress;
228 if (ip->length == 4) {
229 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]230 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]231 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
232 return -1;
233 }
234 break;
235 } else if (ip->length == 16) {
236 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
237 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
238 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
239 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]240 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]241 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
242 return -1;
243 }
244 break;
245 } else {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]246 WRN("SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]247 }
248 }
249 }
250 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
251
252 if (i < san_count) {
253 switch (map_type) {
254 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]255 WRN("Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]256 break;
257 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]258 WRN("Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]259 break;
260 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]261 WRN("Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]262 break;
263 case NC_TLS_CTN_SAN_ANY:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]264 WRN("Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]265 break;
266 default:
267 break;
268 }
269 return 1;
270 }
271 }
272
273 return 0;
274}
275
276/* return: 0 - OK, 1 - no match, -1 - error */
277static int
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]278nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]279{
280 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
281 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]282 unsigned char *buf = malloc(64);
283 unsigned int buf_len = 64;
284 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]285 struct nc_ctn *ctn;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]286
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]287 if (!ctn_first || !cert || !map_type || !name) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]288 free(buf);
289 return -1;
290 }
291
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]292 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]293 /* MD5 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]294 if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]295 if (!digest_md5) {
296 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]297 ERR("Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]298 ret = -1;
299 goto cleanup;
300 }
301 digest_to_str(buf, buf_len, &digest_md5);
302 }
303
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]304 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]305 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]306 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]307 *map_type = ctn->map_type;
308 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
309 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]310 }
311 break;
312 }
313
314 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]315 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]316 if (!digest_sha1) {
317 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]318 ERR("Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]319 ret = -1;
320 goto cleanup;
321 }
322 digest_to_str(buf, buf_len, &digest_sha1);
323 }
324
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]325 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]326 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]327 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]328 *map_type = ctn->map_type;
329 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
330 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]331 }
332 break;
333 }
334
335 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]336 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]337 if (!digest_sha224) {
338 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]339 ERR("Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]340 ret = -1;
341 goto cleanup;
342 }
343 digest_to_str(buf, buf_len, &digest_sha224);
344 }
345
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]346 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]347 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]348 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]349 *map_type = ctn->map_type;
350 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
351 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]352 }
353 break;
354 }
355
356 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]357 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]358 if (!digest_sha256) {
359 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]360 ERR("Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]361 ret = -1;
362 goto cleanup;
363 }
364 digest_to_str(buf, buf_len, &digest_sha256);
365 }
366
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]367 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]368 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]369 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]370 *map_type = ctn->map_type;
371 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
372 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]373 }
374 break;
375 }
376
377 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]378 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]379 if (!digest_sha384) {
380 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]381 ERR("Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]382 ret = -1;
383 goto cleanup;
384 }
385 digest_to_str(buf, buf_len, &digest_sha384);
386 }
387
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]388 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]389 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]390 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]391 *map_type = ctn->map_type;
392 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
393 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]394 }
395 break;
396 }
397
398 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]399 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]400 if (!digest_sha512) {
401 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]402 ERR("Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]403 ret = -1;
404 goto cleanup;
405 }
406 digest_to_str(buf, buf_len, &digest_sha512);
407 }
408
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]409 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]410 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]411 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]412 *map_type = ctn->map_type;
413 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
414 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]415 }
416 break;
417 }
418
419 /* unknown */
420 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]421 WRN("Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]422 }
423 }
424
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]425 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]426 ret = 1;
427 }
428
429cleanup:
430 free(digest_md5);
431 free(digest_sha1);
432 free(digest_sha224);
433 free(digest_sha256);
434 free(digest_sha384);
435 free(digest_sha512);
436 free(buf);
437 return ret;
438}
439
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]440static int
441nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
442{
443 X509_STORE_CTX store_ctx;
444 X509_OBJECT obj;
445 X509_NAME *subject;
446 X509_NAME *issuer;
447 X509 *cert;
448 X509_CRL *crl;
449 X509_REVOKED *revoked;
450 STACK_OF(X509) *cert_stack;
451 EVP_PKEY *pubkey;
452 struct nc_session* session;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]453 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]454 long serial;
455 int i, n, rc, depth;
456 char *cp;
457 const char *username = NULL;
458 NC_TLS_CTN_MAPTYPE map_type = 0;
459 ASN1_TIME *last_update = NULL, *next_update = NULL;
460
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]461 /* get the thread session */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]462 session = pthread_getspecific(verify_key);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]463 if (!session) {
464 ERRINT;
465 return 0;
466 }
467
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]468 opts = session->data;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]469
470 /* get the last certificate, that is the peer (client) certificate */
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]471 if (!session->tls_cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]472 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
473 /* TODO all that is needed, but function X509_up_ref not present in older OpenSSL versions
474 session->cert = sk_X509_value(cert_stack, sk_X509_num(cert_stack) - 1);
475 X509_up_ref(session->cert);
476 sk_X509_pop_free(cert_stack, X509_free); */
477 while ((cert = sk_X509_pop(cert_stack))) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]478 X509_free(session->tls_cert);
479 session->tls_cert = cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]480 }
481 sk_X509_pop_free(cert_stack, X509_free);
482 }
483
484 /* standard certificate verification failed, so a trusted client cert must match to continue */
485 if (!preverify_ok) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]486 subject = X509_get_subject_name(session->tls_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]487 cert_stack = X509_STORE_get1_certs(x509_ctx, subject);
488 if (cert_stack) {
489 for (i = 0; i < sk_X509_num(cert_stack); ++i) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]490 if (cert_pubkey_match(session->tls_cert, sk_X509_value(cert_stack, i))) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]491 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
492 * this callback will be called again with the same current certificate and preverify_ok == 1 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]493 VRB("Cert verify: fail (%s), but the client certificate is trusted, continuing.",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]494 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
495 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
496 sk_X509_pop_free(cert_stack, X509_free);
497 return 1;
498 }
499 }
500 sk_X509_pop_free(cert_stack, X509_free);
501 }
502
503 ERR("Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
504 return 0;
505 }
506
507 /* print cert verify info */
508 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]509 VRB("Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]510
511 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
512 subject = X509_get_subject_name(cert);
513 issuer = X509_get_issuer_name(cert);
514
515 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]516 VRB("Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]517 OPENSSL_free(cp);
518 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]519 VRB("Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]520 OPENSSL_free(cp);
521
522 /* check for revocation if set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]523 if (opts->crl_store) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]524 /* try to retrieve a CRL corresponding to the _subject_ of
525 * the current certificate in order to verify it's integrity */
526 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]527 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]528 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
529 X509_STORE_CTX_cleanup(&store_ctx);
530 crl = obj.data.crl;
531 if (rc > 0 && crl) {
532 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]533 VRB("Cert verify CRL: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]534 OPENSSL_free(cp);
535
536 last_update = X509_CRL_get_lastUpdate(crl);
537 next_update = X509_CRL_get_nextUpdate(crl);
538 cp = asn1time_to_str(last_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]539 VRB("Cert verify CRL: last update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]540 free(cp);
541 cp = asn1time_to_str(next_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]542 VRB("Cert verify CRL: next update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]543 free(cp);
544
545 /* verify the signature on this CRL */
546 pubkey = X509_get_pubkey(cert);
547 if (X509_CRL_verify(crl, pubkey) <= 0) {
548 ERR("Cert verify CRL: invalid signature.");
549 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
550 X509_OBJECT_free_contents(&obj);
551 if (pubkey) {
552 EVP_PKEY_free(pubkey);
553 }
554 return 0;
555 }
556 if (pubkey) {
557 EVP_PKEY_free(pubkey);
558 }
559
560 /* check date of CRL to make sure it's not expired */
561 if (!next_update) {
562 ERR("Cert verify CRL: invalid nextUpdate field.");
563 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
564 X509_OBJECT_free_contents(&obj);
565 return 0;
566 }
567 if (X509_cmp_current_time(next_update) < 0) {
568 ERR("Cert verify CRL: expired - revoking all certificates.");
569 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
570 X509_OBJECT_free_contents(&obj);
571 return 0;
572 }
573 X509_OBJECT_free_contents(&obj);
574 }
575
576 /* try to retrieve a CRL corresponding to the _issuer_ of
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]577 * the current certificate in order to check for revocation */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]578 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]579 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]580 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
581 X509_STORE_CTX_cleanup(&store_ctx);
582 crl = obj.data.crl;
583 if (rc > 0 && crl) {
584 /* check if the current certificate is revoked by this CRL */
585 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
586 for (i = 0; i < n; i++) {
587 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
588 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
589 serial = ASN1_INTEGER_get(revoked->serialNumber);
590 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]591 ERR("Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.", serial, serial, cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]592 OPENSSL_free(cp);
593 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
594 X509_OBJECT_free_contents(&obj);
595 return 0;
596 }
597 }
598 X509_OBJECT_free_contents(&obj);
599 }
600 }
601
602 /* cert-to-name already successful */
603 if (session->username) {
604 return 1;
605 }
606
607 /* cert-to-name */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]608 rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]609
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]610 if (rc) {
611 if (rc == -1) {
612 /* fatal error */
613 depth = 0;
614 }
615 /* rc == 1 is a normal CTN fail (no match found) */
616 goto fail;
617 }
618
619 /* cert-to-name match, now to extract the specific field from the peer cert */
620 if (map_type == NC_TLS_CTN_SPECIFIED) {
621 session->username = lydict_insert(server_opts.ctx, username, 0);
622 } else {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]623 rc = nc_tls_ctn_get_username_from_cert(session->tls_cert, map_type, &cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]624 if (rc) {
625 if (rc == -1) {
626 depth = 0;
627 }
628 goto fail;
629 }
630 session->username = lydict_insert_zc(server_opts.ctx, cp);
631 }
632
633 VRB("Cert verify CTN: new client username recognized as \"%s\".", session->username);
634 return 1;
635
636fail:
637 if (depth > 0) {
638 VRB("Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
639 return 1;
640 }
641
642 VRB("Cert-to-name unsuccessful, dropping the new client.");
643 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
644 return 0;
645}
646
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]647API int
648nc_server_tls_add_endpt_listen(const char *name, const char *address, uint16_t port)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]649{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]650 return nc_server_add_endpt_listen(name, address, port, NC_TI_OPENSSL);
651}
652
653API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]654nc_server_tls_endpt_set_address(const char *endpt_name, const char *address)
655{
656 return nc_server_endpt_set_address_port(endpt_name, address, 0, NC_TI_OPENSSL);
657}
658
659API int
660nc_server_tls_endpt_set_port(const char *endpt_name, uint16_t port)
661{
662 return nc_server_endpt_set_address_port(endpt_name, NULL, port, NC_TI_OPENSSL);
663}
664
665API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]666nc_server_tls_del_endpt(const char *name)
667{
668 return nc_server_del_endpt(name, NC_TI_OPENSSL);
669}
670
671static int
672nc_server_tls_set_cert(const char *cert, struct nc_server_tls_opts *opts)
673{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]674 X509 *x509_cert;
675
676 if (!cert) {
677 ERRARG;
678 return -1;
679 }
680
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]681 if (!opts->tls_ctx) {
682 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
683 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]684 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]685 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]686 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]687 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]688 }
689
690 x509_cert = base64der_to_cert(cert);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]691 if (!x509_cert || (SSL_CTX_use_certificate(opts->tls_ctx, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]692 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]693 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]694 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]695 }
696 X509_free(x509_cert);
697
698 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]699
700fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]701 return -1;
702}
703
704API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]705nc_server_tls_endpt_set_cert(const char *endpt_name, const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]706{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]707 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]708 struct nc_endpt *endpt;
709
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]710 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]711 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]712 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]713 return -1;
714 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]715 ret = nc_server_tls_set_cert(cert, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]716 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]717 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]718
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]719 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]720}
721
722API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]723nc_server_tls_ch_set_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]724{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]725 int ret;
726
727 /* OPTS LOCK */
728 pthread_mutex_lock(&tls_ch_opts_lock);
729 ret = nc_server_tls_set_cert(cert, &tls_ch_opts);
730 /* OPTS UNLOCK */
731 pthread_mutex_unlock(&tls_ch_opts_lock);
732
733 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]734}
735
736static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]737nc_server_tls_set_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]738{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]739 if (!cert_path) {
740 ERRARG;
741 return -1;
742 }
743
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]744 if (!opts->tls_ctx) {
745 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
746 if (!opts->tls_ctx) {
747 ERR("Failed to create TLS context.");
748 goto fail;
749 }
750 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
751 }
752
753 if (SSL_CTX_use_certificate_file(opts->tls_ctx, cert_path, SSL_FILETYPE_PEM) != 1) {
754 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
755 goto fail;
756 }
757
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]758 return 0;
759
760fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]761 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]762}
763
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]764API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]765nc_server_tls_endpt_set_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]766{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]767 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]768 struct nc_endpt *endpt;
769
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]770 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]771 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]772 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]773 return -1;
774 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]775 ret = nc_server_tls_set_cert_path(cert_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]776 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]777 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]778
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]779 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]780}
781
782API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]783nc_server_tls_ch_set_cert_path(const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]784{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]785 int ret;
786
787 /* OPTS LOCK */
788 pthread_mutex_lock(&tls_ch_opts_lock);
789 ret = nc_server_tls_set_cert_path(cert_path, &tls_ch_opts);
790 /* OPTS UNLOCK */
791 pthread_mutex_unlock(&tls_ch_opts_lock);
792
793 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]794}
795
796static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]797nc_server_tls_set_key(const char *privkey, int is_rsa, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]798{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]799 EVP_PKEY *key;;
800
801 if (!privkey) {
802 ERRARG;
803 return -1;
804 }
805
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]806 if (!opts->tls_ctx) {
807 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
808 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]809 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]810 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]811 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]812 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]813 }
814
815 key = base64der_to_privatekey(privkey, is_rsa);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]816 if (!key || (SSL_CTX_use_PrivateKey(opts->tls_ctx, key) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]817 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]818 EVP_PKEY_free(key);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]819 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]820 }
821 EVP_PKEY_free(key);
822
823 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]824
825fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]826 return -1;
827}
828
829API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]830nc_server_tls_endpt_set_key(const char *endpt_name, const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]831{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]832 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]833 struct nc_endpt *endpt;
834
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]835 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]836 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]837 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]838 return -1;
839 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]840 ret = nc_server_tls_set_key(privkey, is_rsa, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]841 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]842 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]843
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]844 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]845}
846
847API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]848nc_server_tls_ch_set_key(const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]849{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]850 int ret;
851
852 /* OPTS LOCK */
853 pthread_mutex_lock(&tls_ch_opts_lock);
854 ret = nc_server_tls_set_key(privkey, is_rsa, &tls_ch_opts);
855 /* OPTS UNLOCK */
856 pthread_mutex_unlock(&tls_ch_opts_lock);
857
858 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]859}
860
861static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]862nc_server_tls_set_key_path(const char *privkey_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]863{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]864 if (!privkey_path) {
865 ERRARG;
866 return -1;
867 }
868
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]869 if (!opts->tls_ctx) {
870 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
871 if (!opts->tls_ctx) {
872 ERR("Failed to create TLS context.");
873 goto fail;
874 }
875 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
876 }
877
878 if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, privkey_path, SSL_FILETYPE_PEM) != 1) {
879 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
880 goto fail;
881 }
882
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]883 return 0;
884
885fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]886 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]887}
888
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]889API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]890nc_server_tls_endpt_set_key_path(const char *endpt_name, const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]891{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]892 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]893 struct nc_endpt *endpt;
894
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]895 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]896 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]897 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]898 return -1;
899 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]900 ret = nc_server_tls_set_key_path(privkey_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]901 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]902 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]903
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]904 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]905}
906
907API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]908nc_server_tls_ch_set_key_path(const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]909{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]910 int ret;
911
912 /* OPTS LOCK */
913 pthread_mutex_lock(&tls_ch_opts_lock);
914 ret = nc_server_tls_set_key_path(privkey_path, &tls_ch_opts);
915 /* OPTS UNLOCK */
916 pthread_mutex_unlock(&tls_ch_opts_lock);
917
918 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]919}
920
921static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]922nc_server_tls_add_trusted_cert(const char *cert, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]923{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]924 X509_STORE *cert_store;
925 X509 *x509_cert;
926
927 if (!cert) {
928 ERRARG;
929 return -1;
930 }
931
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]932 if (!opts->tls_ctx) {
933 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
934 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]935 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]936 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]937 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]938 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]939 }
940
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]941 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]942 if (!cert_store) {
943 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]944 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]945 }
946
947 x509_cert = base64der_to_cert(cert);
948 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]949 ERR("Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]950 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]951 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]952 }
953 X509_free(x509_cert);
954
955 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]956
957fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]958 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]959}
960
961API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]962nc_server_tls_endpt_add_trusted_cert(const char *endpt_name, const char *cert)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]963{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]964 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]965 struct nc_endpt *endpt;
966
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]967 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]968 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]969 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]970 return -1;
971 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]972 ret = nc_server_tls_add_trusted_cert(cert, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]973 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]974 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]975
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]976 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]977}
978
979API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]980nc_server_tls_ch_add_trusted_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]981{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]982 int ret;
983
984 /* OPTS LOCK */
985 pthread_mutex_lock(&tls_ch_opts_lock);
986 ret = nc_server_tls_add_trusted_cert(cert, &tls_ch_opts);
987 /* OPTS UNLOCK */
988 pthread_mutex_unlock(&tls_ch_opts_lock);
989
990 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]991}
992
993static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]994nc_server_tls_add_trusted_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]995{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]996 X509_STORE *cert_store;
997 X509 *x509_cert;
998
999 if (!cert_path) {
1000 ERRARG;
1001 return -1;
1002 }
1003
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1004 if (!opts->tls_ctx) {
1005 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1006 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1007 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1008 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1009 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1010 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1011 }
1012
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1013 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1014 if (!cert_store) {
1015 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1016 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1017 }
1018
1019 errno = 0;
1020 x509_cert = pem_to_cert(cert_path);
1021 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1022 ERR("Adding a trusted certificate failed (%s).",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1023 (errno ? strerror(errno) : ERR_reason_error_string(ERR_get_error())));
1024 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1025 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1026 }
1027 X509_free(x509_cert);
1028
1029 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1030
1031fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1032 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1033}
1034
1035API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1036nc_server_tls_endpt_add_trusted_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1037{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1038 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1039 struct nc_endpt *endpt;
1040
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1041 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1042 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1043 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1044 return -1;
1045 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1046 ret = nc_server_tls_add_trusted_cert_path(cert_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1047 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1048 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1049
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1050 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1051}
1052
1053API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1054nc_server_tls_ch_add_trusted_cert_path(const char *cert_path)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1055{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1056 int ret;
1057
1058 /* OPTS LOCK */
1059 pthread_mutex_lock(&tls_ch_opts_lock);
1060 ret = nc_server_tls_add_trusted_cert_path(cert_path, &tls_ch_opts);
1061 /* OPTS UNLOCK */
1062 pthread_mutex_unlock(&tls_ch_opts_lock);
1063
1064 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1065}
1066
1067static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1068nc_server_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1069{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1070 X509_STORE *cert_store;
1071 X509_LOOKUP *lookup;
1072
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1073 if (!ca_file && !ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1074 ERRARG;
1075 return -1;
1076 }
1077
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1078 if (!opts->tls_ctx) {
1079 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1080 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1081 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1082 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1083 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1084 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1085 }
1086
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1087 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1088 if (!cert_store) {
1089 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1090 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1091 }
1092
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1093 if (ca_file) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1094 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
1095 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1096 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1097 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1098 }
1099
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1100 if (X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1101 ERR("Failed to add a trusted cert file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1102 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1103 }
1104 }
1105
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1106 if (ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1107 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
1108 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1109 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1110 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1111 }
1112
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1113 if (X509_LOOKUP_add_dir(lookup, ca_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1114 ERR("Failed to add a trusted cert directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1115 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1116 }
1117 }
1118
1119 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1120
1121fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1122 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1123}
1124
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1125API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1126nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1127{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1128 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1129 struct nc_endpt *endpt;
1130
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1131 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1132 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1133 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1134 return -1;
1135 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1136 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1137 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1138 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1139
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1140 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1141}
1142
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1143API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1144nc_server_tls_ch_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1145{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1146 int ret;
1147
1148 /* OPTS LOCK */
1149 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1150 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1151 /* OPTS UNLOCK */
1152 pthread_mutex_unlock(&tls_ch_opts_lock);
1153
1154 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1155}
1156
1157static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1158nc_server_tls_clear_certs(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1159{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1160 if (!opts->tls_ctx) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1161 return;
1162 }
1163
1164 SSL_CTX_free(opts->tls_ctx);
1165 opts->tls_ctx = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1166}
1167
1168API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1169nc_server_tls_endpt_clear_certs(const char *endpt_name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1170{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1171 struct nc_endpt *endpt;
1172
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1173 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1174 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1175 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1176 return;
1177 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1178 nc_server_tls_clear_certs(endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1179 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1180 nc_server_endpt_unlock(endpt);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1181}
1182
1183API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1184nc_server_tls_ch_clear_certs(void)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1185{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1186 /* OPTS LOCK */
1187 pthread_mutex_lock(&tls_ch_opts_lock);
1188 nc_server_tls_clear_certs(&tls_ch_opts);
1189 /* OPTS UNLOCK */
1190 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1191}
1192
1193static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1194nc_server_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1195{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1196 X509_LOOKUP *lookup;
1197
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1198 if (!crl_file && !crl_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1199 ERRARG;
1200 return -1;
1201 }
1202
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1203 if (!opts->crl_store) {
1204 opts->crl_store = X509_STORE_new();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1205 }
1206
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1207 if (crl_file) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1208 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1209 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1210 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1211 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1212 }
1213
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1214 if (X509_LOOKUP_load_file(lookup, crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1215 ERR("Failed to add a revocation lookup file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1216 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1217 }
1218 }
1219
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1220 if (crl_dir) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1221 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1222 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1223 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1224 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1225 }
1226
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1227 if (X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1228 ERR("Failed to add a revocation lookup directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1229 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1230 }
1231 }
1232
1233 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1234
1235fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1236 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1237}
1238
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1239API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1240nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1241{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1242 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1243 struct nc_endpt *endpt;
1244
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1245 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1246 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1247 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1248 return -1;
1249 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1250 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1251 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1252 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1253
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1254 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1255}
1256
1257API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1258nc_server_tls_ch_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1259{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1260 int ret;
1261
1262 /* OPTS LOCK */
1263 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1264 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1265 /* OPTS UNLOCK */
1266 pthread_mutex_unlock(&tls_ch_opts_lock);
1267
1268 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1269}
1270
1271static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1272nc_server_tls_clear_crls(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1273{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1274 if (!opts->crl_store) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1275 return;
1276 }
1277
1278 X509_STORE_free(opts->crl_store);
1279 opts->crl_store = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1280}
1281
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1282API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1283nc_server_tls_endpt_clear_crls(const char *endpt_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1284{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1285 struct nc_endpt *endpt;
1286
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1287 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1288 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1289 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1290 return;
1291 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1292 nc_server_tls_clear_crls(endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1293 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1294 nc_server_endpt_unlock(endpt);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1295}
1296
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1297API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1298nc_server_tls_ch_clear_crls(void)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1299{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1300 /* OPTS LOCK */
1301 pthread_mutex_lock(&tls_ch_opts_lock);
1302 nc_server_tls_clear_crls(&tls_ch_opts);
1303 /* OPTS UNLOCK */
1304 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1305}
1306
1307static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1308nc_server_tls_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1309{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1310 struct nc_ctn *ctn, *new;
1311
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1312 if (!fingerprint || !map_type || ((map_type == NC_TLS_CTN_SPECIFIED) && !name)
1313 || ((map_type != NC_TLS_CTN_SPECIFIED) && name)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1314 ERRARG;
1315 return -1;
1316 }
1317
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1318 new = malloc(sizeof *new);
1319
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1320 new->fingerprint = lydict_insert(server_opts.ctx, fingerprint, 0);
1321 new->name = lydict_insert(server_opts.ctx, name, 0);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1322 new->id = id;
1323 new->map_type = map_type;
1324 new->next = NULL;
1325
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1326 if (!opts->ctn) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1327 /* the first item */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1328 opts->ctn = new;
1329 } else if (opts->ctn->id > id) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1330 /* insert at the beginning */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1331 new->next = opts->ctn;
1332 opts->ctn = new;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1333 } else {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1334 for (ctn = opts->ctn; ctn->next && ctn->next->id <= id; ctn = ctn->next);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1335 /* insert after ctn */
1336 new->next = ctn->next;
1337 ctn->next = new;
1338 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1339
1340 return 0;
1341}
1342
1343API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1344nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1345{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1346 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1347 struct nc_endpt *endpt;
1348
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1349 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1350 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1351 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1352 return -1;
1353 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1354 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1355 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1356 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1357
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1358 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1359}
1360
1361API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1362nc_server_tls_ch_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1363{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1364 int ret;
1365
1366 /* OPTS LOCK */
1367 pthread_mutex_lock(&tls_ch_opts_lock);
1368 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1369 /* OPTS UNLOCK */
1370 pthread_mutex_unlock(&tls_ch_opts_lock);
1371
1372 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1373}
1374
1375static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1376nc_server_tls_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1377{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1378 struct nc_ctn *ctn, *next, *prev;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1379 int ret = -1;
1380
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1381 if ((id < 0) && !fingerprint && !map_type && !name) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1382 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1383 while (ctn) {
1384 lydict_remove(server_opts.ctx, ctn->fingerprint);
1385 lydict_remove(server_opts.ctx, ctn->name);
1386
1387 next = ctn->next;
1388 free(ctn);
1389 ctn = next;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1390
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1391 ret = 0;
1392 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1393 opts->ctn = NULL;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1394 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1395 prev = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1396 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1397 while (ctn) {
1398 if (((id < 0) || (ctn->id == id))
1399 && (!fingerprint || !strcmp(ctn->fingerprint, fingerprint))
1400 && (!map_type || (ctn->map_type == map_type))
1401 && (!name || (ctn->name && !strcmp(ctn->name, name)))) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1402 lydict_remove(server_opts.ctx, ctn->fingerprint);
1403 lydict_remove(server_opts.ctx, ctn->name);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1404
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1405 if (prev) {
1406 prev->next = ctn->next;
1407 next = ctn->next;
1408 } else {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1409 opts->ctn = ctn->next;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1410 next = ctn->next;
1411 }
1412 free(ctn);
1413 ctn = next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1414
1415 ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1416 } else {
1417 prev = ctn;
1418 ctn = ctn->next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1419 }
1420 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1421 }
1422
1423 return ret;
1424}
1425
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1426API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1427nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1428{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1429 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1430 struct nc_endpt *endpt;
1431
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1432 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1433 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1434 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1435 return -1;
1436 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1437 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1438 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1439 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1440
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1441 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1442}
1443
1444API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1445nc_server_tls_ch_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1446{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1447 int ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1448
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1449 /* OPTS LOCK */
1450 pthread_mutex_lock(&tls_ch_opts_lock);
1451 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1452 /* OPTS UNLOCK */
1453 pthread_mutex_unlock(&tls_ch_opts_lock);
1454
1455 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1456}
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1457
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1458void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1459nc_server_tls_clear_opts(struct nc_server_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1460{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1461 nc_server_tls_clear_certs(opts);
1462 nc_server_tls_clear_crls(opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1463 nc_server_tls_del_ctn(-1, NULL, 0, NULL, opts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1464}
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1465
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1466API void
1467nc_server_tls_ch_clear_opts(void)
1468{
1469 /* OPTS LOCK */
1470 pthread_mutex_lock(&tls_ch_opts_lock);
1471 nc_server_tls_clear_opts(&tls_ch_opts);
1472 /* OPTS UNLOCK */
1473 pthread_mutex_unlock(&tls_ch_opts_lock);
1474}
1475
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1476static void
1477nc_tls_make_verify_key(void)
1478{
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1479 pthread_key_create(&verify_key, NULL);
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1480}
1481
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1482API int
Michal Vasko8f5270d2016-02-29 16:22:25 +0100[diff] [blame]1483nc_connect_callhome_tls(const char *host, uint16_t port, struct nc_session **session)
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1484{
Michal Vasko8f5270d2016-02-29 16:22:25 +0100[diff] [blame]1485 return nc_connect_callhome(host, port, NC_TI_OPENSSL, session);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1486}
1487
1488int
Michal Vasko8f5270d2016-02-29 16:22:25 +0100[diff] [blame]1489nc_accept_tls_session(struct nc_session *session, int sock)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1490{
1491 struct nc_server_tls_opts *opts;
Michal Vasko9b88a162016-02-26 15:49:51 +0100[diff] [blame]1492 int ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1493
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]1494 opts = session->data;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1495
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1496 session->ti_type = NC_TI_OPENSSL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1497 session->ti.tls = SSL_new(opts->tls_ctx);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1498
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1499 if (!session->ti.tls) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1500 ERR("Failed to create TLS structure from context.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1501 close(sock);
1502 return -1;
1503 }
1504
1505 SSL_set_fd(session->ti.tls, sock);
1506 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1507
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1508 /* store session on per-thread basis */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1509 pthread_once(&verify_once, nc_tls_make_verify_key);
1510 pthread_setspecific(verify_key, session);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1511
1512 ret = SSL_accept(session->ti.tls);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1513
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1514 if (ret != 1) {
1515 switch (SSL_get_error(session->ti.tls, ret)) {
1516 case SSL_ERROR_SYSCALL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1517 ERR("SSL_accept failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1518 break;
1519 case SSL_ERROR_SSL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1520 ERR("SSL_accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1521 break;
1522 default:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1523 ERR("SSL_accept failed.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1524 break;
1525 }
1526 return -1;
1527 }
1528
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1529 return 1;
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1530}