Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 709598ec8bea6a4aeadef9ce59492089fce78309 / . / src / session_server_tls.c
blob: 15f9ef63bdcb50e18bf44d08ef6cb8fa8af427e4 [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]2 * \file session_server_tls.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]8 * This source code is licensed under BSD 3-Clause License (the "License").
9 * You may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]11 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]12 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]13 */
14
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]15#define _GNU_SOURCE
16
17#include <string.h>
18#include <poll.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]19#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]20
21#include <openssl/ssl.h>
22#include <openssl/evp.h>
23#include <openssl/err.h>
24#include <openssl/x509v3.h>
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]25#include <openssl/x509.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]26
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]27#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]28#include "session_server_ch.h"
29#include "libnetconf.h"
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]30
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]31struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]32pthread_mutex_t tls_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]33extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]34
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]35static pthread_key_t verify_key;
36static pthread_once_t verify_once = PTHREAD_ONCE_INIT;
37
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]38static char *
39asn1time_to_str(ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]40{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]41 char *cp;
42 BIO *bio;
43 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]44
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]45 if (!t) {
46 return NULL;
47 }
48 bio = BIO_new(BIO_s_mem());
49 if (!bio) {
50 return NULL;
51 }
52 ASN1_TIME_print(bio, t);
53 n = BIO_pending(bio);
54 cp = malloc(n + 1);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]55 if (!cp) {
56 ERRMEM;
57 BIO_free(bio);
58 return NULL;
59 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]60 n = BIO_read(bio, cp, n);
61 if (n < 0) {
62 BIO_free(bio);
63 free(cp);
64 return NULL;
65 }
66 cp[n] = '\0';
67 BIO_free(bio);
68 return cp;
69}
70
71static void
72digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
73{
74 unsigned int i;
75
76 *str = malloc(dig_len * 3);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]77 if (!*str) {
78 ERRMEM;
79 return;
80 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]81 for (i = 0; i < dig_len - 1; ++i) {
82 sprintf((*str) + (i * 3), "%02x:", digest[i]);
83 }
84 sprintf((*str) + (i * 3), "%02x", digest[i]);
85}
86
87/* return NULL - SSL error can be retrieved */
88static X509 *
89base64der_to_cert(const char *in)
90{
91 X509 *out;
92 char *buf;
93 BIO *bio;
94
95 if (in == NULL) {
96 return NULL;
97 }
98
99 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
100 return NULL;
101 }
102 bio = BIO_new_mem_buf(buf, strlen(buf));
103 if (!bio) {
104 free(buf);
105 return NULL;
106 }
107
108 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
109 if (!out) {
110 free(buf);
111 BIO_free(bio);
112 return NULL;
113 }
114
115 free(buf);
116 BIO_free(bio);
117 return out;
118}
119
120/* return NULL - either errno or SSL error */
121static X509 *
122pem_to_cert(const char *path)
123{
124 FILE *fp;
125 X509 *out;
126
127 fp = fopen(path, "r");
128 if (!fp) {
129 return NULL;
130 }
131
132 out = PEM_read_X509(fp, NULL, NULL, NULL);
133 fclose(fp);
134 return out;
135}
136
137static EVP_PKEY *
138base64der_to_privatekey(const char *in, int rsa)
139{
140 EVP_PKEY *out;
141 char *buf;
142 BIO *bio;
143
144 if (in == NULL) {
145 return NULL;
146 }
147
148 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----\n", in, "\n-----END ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----") == -1) {
149 return NULL;
150 }
151 bio = BIO_new_mem_buf(buf, strlen(buf));
152 if (!bio) {
153 free(buf);
154 return NULL;
155 }
156
157 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
158 if (!out) {
159 free(buf);
160 BIO_free(bio);
161 return NULL;
162 }
163
164 free(buf);
165 BIO_free(bio);
166 return out;
167}
168
169static int
170cert_pubkey_match(X509 *cert1, X509 *cert2)
171{
172 ASN1_BIT_STRING *bitstr1, *bitstr2;
173
174 bitstr1 = X509_get0_pubkey_bitstr(cert1);
175 bitstr2 = X509_get0_pubkey_bitstr(cert2);
176
177 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
178 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
179 return 0;
180 }
181
182 return 1;
183}
184
185static int
186nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
187{
188 STACK_OF(GENERAL_NAME) *san_names;
189 GENERAL_NAME *san_name;
190 ASN1_OCTET_STRING *ip;
191 int i, san_count;
192 char *subject, *common_name;
193
194 if (map_type == NC_TLS_CTN_COMMON_NAME) {
195 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
196 common_name = strstr(subject, "CN=");
197 if (!common_name) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]198 WRN("Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]199 free(subject);
200 return 1;
201 }
202 common_name += 3;
203 if (strchr(common_name, '/')) {
204 *strchr(common_name, '/') = '\0';
205 }
206 *username = strdup(common_name);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]207 if (!*username) {
208 ERRMEM;
209 return 1;
210 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]211 free(subject);
212 } else {
213 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
214 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
215 if (!san_names) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]216 WRN("Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]217 return 1;
218 }
219
220 san_count = sk_GENERAL_NAME_num(san_names);
221 for (i = 0; i < san_count; ++i) {
222 san_name = sk_GENERAL_NAME_value(san_names, i);
223
224 /* rfc822Name (email) */
225 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_RFC822_NAME) &&
226 san_name->type == GEN_EMAIL) {
227 *username = strdup((char *)ASN1_STRING_data(san_name->d.rfc822Name));
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]228 if (!*username) {
229 ERRMEM;
230 return 1;
231 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]232 break;
233 }
234
235 /* dNSName */
236 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_DNS_NAME) &&
237 san_name->type == GEN_DNS) {
238 *username = strdup((char *)ASN1_STRING_data(san_name->d.dNSName));
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]239 if (!*username) {
240 ERRMEM;
241 return 1;
242 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]243 break;
244 }
245
246 /* iPAddress */
247 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_IP_ADDRESS) &&
248 san_name->type == GEN_IPADD) {
249 ip = san_name->d.iPAddress;
250 if (ip->length == 4) {
251 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]252 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]253 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
254 return -1;
255 }
256 break;
257 } else if (ip->length == 16) {
258 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
259 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
260 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
261 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]262 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]263 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
264 return -1;
265 }
266 break;
267 } else {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]268 WRN("SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]269 }
270 }
271 }
272 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
273
274 if (i < san_count) {
275 switch (map_type) {
276 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]277 WRN("Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]278 break;
279 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]280 WRN("Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]281 break;
282 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]283 WRN("Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]284 break;
285 case NC_TLS_CTN_SAN_ANY:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]286 WRN("Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]287 break;
288 default:
289 break;
290 }
291 return 1;
292 }
293 }
294
295 return 0;
296}
297
298/* return: 0 - OK, 1 - no match, -1 - error */
299static int
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]300nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]301{
302 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
303 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]304 unsigned char *buf = malloc(64);
305 unsigned int buf_len = 64;
306 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]307 struct nc_ctn *ctn;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]308
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]309 if (!buf) {
310 ERRMEM;
311 return -1;
312 }
313
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]314 if (!ctn_first || !cert || !map_type || !name) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]315 free(buf);
316 return -1;
317 }
318
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]319 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]320 /* MD5 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]321 if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]322 if (!digest_md5) {
323 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]324 ERR("Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]325 ret = -1;
326 goto cleanup;
327 }
328 digest_to_str(buf, buf_len, &digest_md5);
329 }
330
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]331 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]332 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]333 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]334 *map_type = ctn->map_type;
335 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
336 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]337 }
338 break;
339 }
340
341 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]342 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]343 if (!digest_sha1) {
344 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]345 ERR("Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]346 ret = -1;
347 goto cleanup;
348 }
349 digest_to_str(buf, buf_len, &digest_sha1);
350 }
351
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]352 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]353 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]354 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]355 *map_type = ctn->map_type;
356 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
357 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]358 }
359 break;
360 }
361
362 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]363 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]364 if (!digest_sha224) {
365 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]366 ERR("Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]367 ret = -1;
368 goto cleanup;
369 }
370 digest_to_str(buf, buf_len, &digest_sha224);
371 }
372
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]373 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]374 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]375 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]376 *map_type = ctn->map_type;
377 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
378 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]379 }
380 break;
381 }
382
383 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]384 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]385 if (!digest_sha256) {
386 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]387 ERR("Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]388 ret = -1;
389 goto cleanup;
390 }
391 digest_to_str(buf, buf_len, &digest_sha256);
392 }
393
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]394 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]395 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]396 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]397 *map_type = ctn->map_type;
398 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
399 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]400 }
401 break;
402 }
403
404 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]405 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]406 if (!digest_sha384) {
407 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]408 ERR("Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]409 ret = -1;
410 goto cleanup;
411 }
412 digest_to_str(buf, buf_len, &digest_sha384);
413 }
414
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]415 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]416 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]417 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]418 *map_type = ctn->map_type;
419 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
420 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]421 }
422 break;
423 }
424
425 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]426 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]427 if (!digest_sha512) {
428 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]429 ERR("Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]430 ret = -1;
431 goto cleanup;
432 }
433 digest_to_str(buf, buf_len, &digest_sha512);
434 }
435
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]436 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]437 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]438 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]439 *map_type = ctn->map_type;
440 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
441 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]442 }
443 break;
444 }
445
446 /* unknown */
447 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]448 WRN("Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]449 }
450 }
451
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]452 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]453 ret = 1;
454 }
455
456cleanup:
457 free(digest_md5);
458 free(digest_sha1);
459 free(digest_sha224);
460 free(digest_sha256);
461 free(digest_sha384);
462 free(digest_sha512);
463 free(buf);
464 return ret;
465}
466
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]467static int
468nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
469{
470 X509_STORE_CTX store_ctx;
471 X509_OBJECT obj;
472 X509_NAME *subject;
473 X509_NAME *issuer;
474 X509 *cert;
475 X509_CRL *crl;
476 X509_REVOKED *revoked;
477 STACK_OF(X509) *cert_stack;
478 EVP_PKEY *pubkey;
479 struct nc_session* session;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]480 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]481 long serial;
482 int i, n, rc, depth;
483 char *cp;
484 const char *username = NULL;
485 NC_TLS_CTN_MAPTYPE map_type = 0;
486 ASN1_TIME *last_update = NULL, *next_update = NULL;
487
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]488 /* get the thread session */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]489 session = pthread_getspecific(verify_key);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]490 if (!session) {
491 ERRINT;
492 return 0;
493 }
494
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]495 opts = session->data;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]496
497 /* get the last certificate, that is the peer (client) certificate */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]498 if (!session->opts.server.client_cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]499 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
500 /* TODO all that is needed, but function X509_up_ref not present in older OpenSSL versions
501 session->cert = sk_X509_value(cert_stack, sk_X509_num(cert_stack) - 1);
502 X509_up_ref(session->cert);
503 sk_X509_pop_free(cert_stack, X509_free); */
504 while ((cert = sk_X509_pop(cert_stack))) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]505 X509_free(session->opts.server.client_cert);
506 session->opts.server.client_cert = cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]507 }
508 sk_X509_pop_free(cert_stack, X509_free);
509 }
510
511 /* standard certificate verification failed, so a trusted client cert must match to continue */
512 if (!preverify_ok) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]513 subject = X509_get_subject_name(session->opts.server.client_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]514 cert_stack = X509_STORE_get1_certs(x509_ctx, subject);
515 if (cert_stack) {
516 for (i = 0; i < sk_X509_num(cert_stack); ++i) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]517 if (cert_pubkey_match(session->opts.server.client_cert, sk_X509_value(cert_stack, i))) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]518 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
519 * this callback will be called again with the same current certificate and preverify_ok == 1 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]520 VRB("Cert verify: fail (%s), but the client certificate is trusted, continuing.",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]521 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
522 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
523 sk_X509_pop_free(cert_stack, X509_free);
524 return 1;
525 }
526 }
527 sk_X509_pop_free(cert_stack, X509_free);
528 }
529
530 ERR("Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
531 return 0;
532 }
533
534 /* print cert verify info */
535 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]536 VRB("Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]537
538 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
539 subject = X509_get_subject_name(cert);
540 issuer = X509_get_issuer_name(cert);
541
542 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]543 VRB("Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]544 OPENSSL_free(cp);
545 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]546 VRB("Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]547 OPENSSL_free(cp);
548
549 /* check for revocation if set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]550 if (opts->crl_store) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]551 /* try to retrieve a CRL corresponding to the _subject_ of
552 * the current certificate in order to verify it's integrity */
553 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]554 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]555 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
556 X509_STORE_CTX_cleanup(&store_ctx);
557 crl = obj.data.crl;
558 if (rc > 0 && crl) {
559 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]560 VRB("Cert verify CRL: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]561 OPENSSL_free(cp);
562
563 last_update = X509_CRL_get_lastUpdate(crl);
564 next_update = X509_CRL_get_nextUpdate(crl);
565 cp = asn1time_to_str(last_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]566 VRB("Cert verify CRL: last update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]567 free(cp);
568 cp = asn1time_to_str(next_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]569 VRB("Cert verify CRL: next update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]570 free(cp);
571
572 /* verify the signature on this CRL */
573 pubkey = X509_get_pubkey(cert);
574 if (X509_CRL_verify(crl, pubkey) <= 0) {
575 ERR("Cert verify CRL: invalid signature.");
576 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
577 X509_OBJECT_free_contents(&obj);
578 if (pubkey) {
579 EVP_PKEY_free(pubkey);
580 }
581 return 0;
582 }
583 if (pubkey) {
584 EVP_PKEY_free(pubkey);
585 }
586
587 /* check date of CRL to make sure it's not expired */
588 if (!next_update) {
589 ERR("Cert verify CRL: invalid nextUpdate field.");
590 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
591 X509_OBJECT_free_contents(&obj);
592 return 0;
593 }
594 if (X509_cmp_current_time(next_update) < 0) {
595 ERR("Cert verify CRL: expired - revoking all certificates.");
596 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
597 X509_OBJECT_free_contents(&obj);
598 return 0;
599 }
600 X509_OBJECT_free_contents(&obj);
601 }
602
603 /* try to retrieve a CRL corresponding to the _issuer_ of
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]604 * the current certificate in order to check for revocation */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]605 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]606 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]607 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
608 X509_STORE_CTX_cleanup(&store_ctx);
609 crl = obj.data.crl;
610 if (rc > 0 && crl) {
611 /* check if the current certificate is revoked by this CRL */
612 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
613 for (i = 0; i < n; i++) {
614 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
615 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
616 serial = ASN1_INTEGER_get(revoked->serialNumber);
617 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]618 ERR("Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.", serial, serial, cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]619 OPENSSL_free(cp);
620 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
621 X509_OBJECT_free_contents(&obj);
622 return 0;
623 }
624 }
625 X509_OBJECT_free_contents(&obj);
626 }
627 }
628
629 /* cert-to-name already successful */
630 if (session->username) {
631 return 1;
632 }
633
634 /* cert-to-name */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]635 rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]636
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]637 if (rc) {
638 if (rc == -1) {
639 /* fatal error */
640 depth = 0;
641 }
642 /* rc == 1 is a normal CTN fail (no match found) */
643 goto fail;
644 }
645
646 /* cert-to-name match, now to extract the specific field from the peer cert */
647 if (map_type == NC_TLS_CTN_SPECIFIED) {
648 session->username = lydict_insert(server_opts.ctx, username, 0);
649 } else {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]650 rc = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]651 if (rc) {
652 if (rc == -1) {
653 depth = 0;
654 }
655 goto fail;
656 }
657 session->username = lydict_insert_zc(server_opts.ctx, cp);
658 }
659
660 VRB("Cert verify CTN: new client username recognized as \"%s\".", session->username);
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]661
662 if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
663 VRB("Cert verify: user verify callback revoked authorization.");
664 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
665 return 0;
666 }
667
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]668 return 1;
669
670fail:
671 if (depth > 0) {
672 VRB("Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
673 return 1;
674 }
675
676 VRB("Cert-to-name unsuccessful, dropping the new client.");
677 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
678 return 0;
679}
680
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]681static int
682nc_server_tls_set_cert(const char *cert, struct nc_server_tls_opts *opts)
683{
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]684 X509 *crt;
685
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]686 if (!cert) {
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]687 if (opts->server_cert) {
688 X509_free(opts->server_cert);
689 }
690 opts->server_cert = NULL;
691 return 0;
692 }
693
694 crt = base64der_to_cert(cert);
695 if (!crt) {
696 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]697 return -1;
698 }
699
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]700 if (opts->server_cert) {
701 X509_free(opts->server_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]702 }
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]703 opts->server_cert = crt;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]704
705 return 0;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]706}
707
708API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]709nc_server_tls_endpt_set_cert(const char *endpt_name, const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]710{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]711 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]712 struct nc_endpt *endpt;
713
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]714 if (!endpt_name) {
715 ERRARG("endpt_name");
716 return -1;
717 }
718
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]719 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]720 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]721 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]722 return -1;
723 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]724 ret = nc_server_tls_set_cert(cert, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]725 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]726 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]727
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]728 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]729}
730
731API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]732nc_server_tls_ch_client_set_cert(const char *client_name, const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]733{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]734 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]735 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]736
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]737 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]738 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]739 return -1;
740 }
741
742 /* LOCK */
743 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
744 if (!client) {
745 return -1;
746 }
747
748 ret = nc_server_tls_set_cert(cert, client->opts.tls);
749
750 /* UNLOCK */
751 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]752
753 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]754}
755
756static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]757nc_server_tls_set_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]758{
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]759 X509 *crt;
760
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]761 if (!cert_path) {
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]762 if (opts->server_cert) {
763 X509_free(opts->server_cert);
764 }
765 opts->server_cert = NULL;
766 return 0;
767 }
768
769 errno = 0;
770 crt = pem_to_cert(cert_path);
771 if (!crt) {
772 ERR("Loading the server certificate failed (%s).", (errno ? strerror(errno) : ERR_reason_error_string(ERR_get_error())));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]773 return -1;
774 }
775
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]776 if (opts->server_cert) {
777 X509_free(opts->server_cert);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]778 }
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]779 opts->server_cert = crt;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]780
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]781 return 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]782}
783
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]784API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]785nc_server_tls_endpt_set_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]786{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]787 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]788 struct nc_endpt *endpt;
789
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]790 if (!endpt_name) {
791 ERRARG("endpt_name");
792 return -1;
793 }
794
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]795 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]796 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]797 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]798 return -1;
799 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]800 ret = nc_server_tls_set_cert_path(cert_path, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]801 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]802 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]803
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]804 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]805}
806
807API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]808nc_server_tls_ch_client_set_cert_path(const char *client_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]809{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]810 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]811 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]812
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]813 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]814 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]815 return -1;
816 }
817
818 /* LOCK */
819 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
820 if (!client) {
821 return -1;
822 }
823
824 ret = nc_server_tls_set_cert_path(cert_path, client->opts.tls);
825
826 /* UNLOCK */
827 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]828
829 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]830}
831
832static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]833nc_server_tls_set_key(const char *privkey, int is_rsa, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]834{
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]835 EVP_PKEY *pkey;
836
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]837 if (!privkey) {
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]838 if (opts->server_key) {
839 EVP_PKEY_free(opts->server_key);
840 }
841 opts->server_key = NULL;
842 return 0;
843 }
844
845 pkey = base64der_to_privatekey(privkey, is_rsa);
846 if (!pkey) {
847 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]848 return -1;
849 }
850
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]851 if (opts->server_key) {
852 EVP_PKEY_free(opts->server_key);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]853 }
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]854 opts->server_key = pkey;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]855
856 return 0;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]857}
858
859API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]860nc_server_tls_endpt_set_key(const char *endpt_name, const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]861{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]862 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]863 struct nc_endpt *endpt;
864
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]865 if (!endpt_name) {
866 ERRARG("endpt_name");
867 return -1;
868 }
869
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]870 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]871 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]872 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]873 return -1;
874 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]875 ret = nc_server_tls_set_key(privkey, is_rsa, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]876 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]877 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]878
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]879 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]880}
881
882API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]883nc_server_tls_ch_client_set_key(const char *client_name, const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]884{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]885 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]886 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]887
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]888 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]889 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]890 return -1;
891 }
892
893 /* LOCK */
894 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
895 if (!client) {
896 return -1;
897 }
898
899 ret = nc_server_tls_set_key(privkey, is_rsa, client->opts.tls);
900
901 /* UNLOCK */
902 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]903
904 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]905}
906
907static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]908nc_server_tls_set_key_path(const char *privkey_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]909{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]910 FILE *file;
911
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]912 if (!privkey_path) {
Michal Vaskoa8748792016-11-22 14:34:26 +0100[diff] [blame]913 if (opts->server_key) {
914 EVP_PKEY_free(opts->server_key);
915 }
916 opts->server_key = NULL;
917 return 0;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]918 }
919
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]920 file = fopen(privkey_path, "r");
921 if (!file) {
922 ERR("Cannot open the file \"%s\" for reading (%s).", privkey_path, strerror(errno));
923 return -1;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]924 }
925
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]926 if (opts->server_key) {
927 EVP_PKEY_free(opts->server_key);
928 }
929 opts->server_key = PEM_read_PrivateKey(file, NULL, NULL, NULL);
930 fclose(file);
931
932 if (!opts->server_key) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]933 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]934 return -1;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]935 }
936
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]937 return 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]938}
939
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]940API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]941nc_server_tls_endpt_set_key_path(const char *endpt_name, const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]942{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]943 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]944 struct nc_endpt *endpt;
945
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]946 if (!endpt_name) {
947 ERRARG("endpt_name");
948 return -1;
949 }
950
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]951 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]952 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]953 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]954 return -1;
955 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]956 ret = nc_server_tls_set_key_path(privkey_path, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]957 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]958 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]959
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]960 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]961}
962
963API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]964nc_server_tls_ch_client_set_key_path(const char *client_name, const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]965{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]966 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]967 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]968
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]969 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]970 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]971 return -1;
972 }
973
974 /* LOCK */
975 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
976 if (!client) {
977 return -1;
978 }
979
980 ret = nc_server_tls_set_key_path(privkey_path, client->opts.tls);
981
982 /* UNLOCK */
983 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]984
985 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]986}
987
988static int
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]989nc_server_tls_add_trusted_cert(const char *name, const char *cert, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]990{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]991 X509 *crt;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]992
993 if (!cert) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]994 ERRARG("cert");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]995 return -1;
996 }
997
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]998 crt = base64der_to_cert(cert);
999 if (!crt) {
1000 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
1001 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1002 }
1003
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1004 ++opts->trusted_cert_count;
1005 opts->trusted_certs = nc_realloc(opts->trusted_certs, opts->trusted_cert_count * sizeof *opts->trusted_certs);
1006 if (!opts->trusted_certs) {
1007 ERRMEM;
1008 X509_free(crt);
1009 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1010 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1011 opts->trusted_certs[opts->trusted_cert_count - 1].name = lydict_insert(server_opts.ctx, name, 0);
1012 opts->trusted_certs[opts->trusted_cert_count - 1].cert = crt;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1013
1014 return 0;
1015}
1016
1017API int
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1018nc_server_tls_endpt_add_trusted_cert(const char *endpt_name, const char *cert_name, const char *cert)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1019{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1020 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1021 struct nc_endpt *endpt;
1022
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1023 if (!endpt_name) {
1024 ERRARG("endpt_name");
1025 return -1;
1026 }
1027
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1028 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1029 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1030 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1031 return -1;
1032 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1033 ret = nc_server_tls_add_trusted_cert(cert_name, cert, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1034 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1035 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1036
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1037 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1038}
1039
1040API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1041nc_server_tls_ch_client_add_trusted_cert(const char *client_name, const char *cert_name, const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1042{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1043 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1044 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1045
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1046 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1047 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1048 return -1;
1049 }
1050
1051 /* LOCK */
1052 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1053 if (!client) {
1054 return -1;
1055 }
1056
1057 ret = nc_server_tls_add_trusted_cert(cert_name, cert, client->opts.tls);
1058
1059 /* UNLOCK */
1060 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1061
1062 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1063}
1064
1065static int
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1066nc_server_tls_add_trusted_cert_path(const char *name, const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1067{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1068 X509 *cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1069
1070 if (!cert_path) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1071 ERRARG("cert");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1072 return -1;
1073 }
1074
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1075 errno = 0;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1076 cert = pem_to_cert(cert_path);
1077 if (!cert) {
1078 ERR("Loading the server certificate failed (%s).", (errno ? strerror(errno) : ERR_reason_error_string(ERR_get_error())));
1079 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1080 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1081
1082 ++opts->trusted_cert_count;
1083 opts->trusted_certs = nc_realloc(opts->trusted_certs, opts->trusted_cert_count * sizeof *opts->trusted_certs);
1084 if (!opts->trusted_certs) {
1085 ERRMEM;
1086 X509_free(cert);
1087 return -1;
1088 }
1089 opts->trusted_certs[opts->trusted_cert_count - 1].name = lydict_insert(server_opts.ctx, name, 0);
1090 opts->trusted_certs[opts->trusted_cert_count - 1].cert = cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1091
1092 return 0;
1093}
1094
1095API int
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1096nc_server_tls_endpt_add_trusted_cert_path(const char *endpt_name, const char *cert_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1097{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1098 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1099 struct nc_endpt *endpt;
1100
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1101 if (!endpt_name) {
1102 ERRARG("endpt_name");
1103 return -1;
1104 }
1105
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1106 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1107 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1108 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1109 return -1;
1110 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1111 ret = nc_server_tls_add_trusted_cert_path(cert_name, cert_path, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1112 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1113 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1114
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1115 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1116}
1117
1118API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1119nc_server_tls_ch_client_add_trusted_cert_path(const char *client_name, const char *cert_name, const char *cert_path)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1120{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1121 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1122 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1123
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1124 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1125 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1126 return -1;
1127 }
1128
1129 /* LOCK */
1130 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1131 if (!client) {
1132 return -1;
1133 }
1134
1135 ret = nc_server_tls_add_trusted_cert_path(cert_name, cert_path, client->opts.tls);
1136
1137 /* UNLOCK */
1138 nc_server_ch_client_unlock(client);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1139
1140 return ret;
1141}
1142
1143static int
1144nc_server_tls_del_trusted_cert(const char *name, struct nc_server_tls_opts *opts)
1145{
1146 uint16_t i;
1147
1148 if (!name) {
1149 for (i = 0; i < opts->trusted_cert_count; ++i) {
1150 lydict_remove(server_opts.ctx, opts->trusted_certs[i].name);
1151 X509_free(opts->trusted_certs[i].cert);
1152 }
1153 free(opts->trusted_certs);
1154 opts->trusted_certs = NULL;
1155 opts->trusted_cert_count = 0;
1156 return 0;
1157 } else {
1158 for (i = 0; i < opts->trusted_cert_count; ++i) {
1159 if (!strcmp(opts->trusted_certs[i].name, name)) {
1160 lydict_remove(server_opts.ctx, opts->trusted_certs[i].name);
1161 X509_free(opts->trusted_certs[i].cert);
1162
1163 --opts->trusted_cert_count;
1164 if (i < opts->trusted_cert_count - 1) {
1165 memmove(opts->trusted_certs + i, opts->trusted_certs + i + 1,
1166 (opts->trusted_cert_count - i) * sizeof *opts->trusted_certs);
1167 }
1168 return 0;
1169 }
1170 }
1171 }
1172
1173 ERR("Certificate \"%s\" not found.", name);
1174 return -1;
1175}
1176
1177API int
1178nc_server_tls_endpt_del_trusted_cert(const char *endpt_name, const char *cert_name)
1179{
1180 int ret;
1181 struct nc_endpt *endpt;
1182
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1183 if (!endpt_name) {
1184 ERRARG("endpt_name");
1185 return -1;
1186 }
1187
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1188 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1189 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1190 if (!endpt) {
1191 return -1;
1192 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1193 ret = nc_server_tls_del_trusted_cert(cert_name, endpt->opts.tls);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1194 /* UNLOCK */
1195 nc_server_endpt_unlock(endpt);
1196
1197 return ret;
1198}
1199
1200API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1201nc_server_tls_ch_client_del_trusted_cert(const char *client_name, const char *cert_name)
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1202{
1203 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1204 struct nc_ch_client *client;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1205
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1206 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1207 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1208 return -1;
1209 }
1210
1211 /* LOCK */
1212 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1213 if (!client) {
1214 return -1;
1215 }
1216
1217 ret = nc_server_tls_del_trusted_cert(cert_name, client->opts.tls);
1218
1219 /* UNLOCK */
1220 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1221
1222 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1223}
1224
1225static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1226nc_server_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1227{
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1228 if (!ca_file && !ca_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]1229 ERRARG("ca_file and ca_dir");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1230 return -1;
1231 }
1232
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1233 if (ca_file) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1234 if (opts->trusted_ca_file) {
1235 lydict_remove(server_opts.ctx, opts->trusted_ca_file);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1236 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1237 opts->trusted_ca_file = lydict_insert(server_opts.ctx, ca_file, 0);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1238 }
1239
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1240 if (ca_dir) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1241 if (opts->trusted_ca_dir) {
1242 lydict_remove(server_opts.ctx, opts->trusted_ca_dir);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1243 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1244 opts->trusted_ca_dir = lydict_insert(server_opts.ctx, ca_dir, 0);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1245 }
1246
1247 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1248}
1249
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1250API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1251nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1252{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1253 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1254 struct nc_endpt *endpt;
1255
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1256 if (!endpt_name) {
1257 ERRARG("endpt_name");
1258 return -1;
1259 }
1260
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1261 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1262 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1263 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1264 return -1;
1265 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1266 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1267 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1268 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1269
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1270 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1271}
1272
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1273API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1274nc_server_tls_ch_client_set_trusted_ca_paths(const char *client_name, const char *ca_file, const char *ca_dir)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1275{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1276 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1277 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1278
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1279 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1280 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1281 return -1;
1282 }
1283
1284 /* LOCK */
1285 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1286 if (!client) {
1287 return -1;
1288 }
1289
1290 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, client->opts.tls);
1291
1292 /* UNLOCK */
1293 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1294
1295 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1296}
1297
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1298static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1299nc_server_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1300{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1301 X509_LOOKUP *lookup;
1302
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1303 if (!crl_file && !crl_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]1304 ERRARG("crl_file and crl_dir");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1305 return -1;
1306 }
1307
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1308 if (!opts->crl_store) {
1309 opts->crl_store = X509_STORE_new();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1310 }
1311
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1312 if (crl_file) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1313 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1314 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1315 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1316 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1317 }
1318
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1319 if (X509_LOOKUP_load_file(lookup, crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1320 ERR("Failed to add a revocation lookup file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1321 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1322 }
1323 }
1324
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1325 if (crl_dir) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1326 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1327 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1328 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1329 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1330 }
1331
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1332 if (X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1333 ERR("Failed to add a revocation lookup directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1334 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1335 }
1336 }
1337
1338 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1339
1340fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1341 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1342}
1343
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1344API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1345nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1346{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1347 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1348 struct nc_endpt *endpt;
1349
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1350 if (!endpt_name) {
1351 ERRARG("endpt_name");
1352 return -1;
1353 }
1354
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1355 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1356 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1357 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1358 return -1;
1359 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1360 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1361 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1362 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1363
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1364 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1365}
1366
1367API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1368nc_server_tls_ch_client_set_crl_paths(const char *client_name, const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1369{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1370 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1371 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1372
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1373 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1374 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1375 return -1;
1376 }
1377
1378 /* LOCK */
1379 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1380 if (!client) {
1381 return -1;
1382 }
1383
1384 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, client->opts.tls);
1385
1386 /* UNLOCK */
1387 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1388
1389 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1390}
1391
1392static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1393nc_server_tls_clear_crls(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1394{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1395 if (!opts->crl_store) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1396 return;
1397 }
1398
1399 X509_STORE_free(opts->crl_store);
1400 opts->crl_store = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1401}
1402
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1403API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1404nc_server_tls_endpt_clear_crls(const char *endpt_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1405{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1406 struct nc_endpt *endpt;
1407
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1408 if (!endpt_name) {
1409 ERRARG("endpt_name");
1410 return;
1411 }
1412
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1413 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1414 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1415 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1416 return;
1417 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1418 nc_server_tls_clear_crls(endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1419 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1420 nc_server_endpt_unlock(endpt);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1421}
1422
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1423API void
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1424nc_server_tls_ch_client_clear_crls(const char *client_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1425{
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1426 struct nc_ch_client *client;
1427
1428 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1429 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1430 return;
1431 }
1432
1433 /* LOCK */
1434 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1435 if (!client) {
1436 return;
1437 }
1438
1439 nc_server_tls_clear_crls(client->opts.tls);
1440
1441 /* UNLOCK */
1442 nc_server_ch_client_unlock(client);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1443}
1444
1445static int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1446nc_server_tls_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name,
1447 struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1448{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1449 struct nc_ctn *ctn, *new;
1450
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]1451 if (!fingerprint) {
1452 ERRARG("fingerprint");
1453 return -1;
1454 } else if (!map_type) {
1455 ERRARG("map_type");
1456 return -1;
1457 } else if (((map_type == NC_TLS_CTN_SPECIFIED) && !name)
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1458 || ((map_type != NC_TLS_CTN_SPECIFIED) && name)) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]1459 ERRARG("map_type and name");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1460 return -1;
1461 }
1462
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1463 new = malloc(sizeof *new);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]1464 if (!new) {
1465 ERRMEM;
1466 return -1;
1467 }
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1468
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1469 new->fingerprint = lydict_insert(server_opts.ctx, fingerprint, 0);
1470 new->name = lydict_insert(server_opts.ctx, name, 0);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1471 new->id = id;
1472 new->map_type = map_type;
1473 new->next = NULL;
1474
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1475 if (!opts->ctn) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1476 /* the first item */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1477 opts->ctn = new;
1478 } else if (opts->ctn->id > id) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1479 /* insert at the beginning */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1480 new->next = opts->ctn;
1481 opts->ctn = new;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1482 } else {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1483 for (ctn = opts->ctn; ctn->next && ctn->next->id <= id; ctn = ctn->next);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1484 /* insert after ctn */
1485 new->next = ctn->next;
1486 ctn->next = new;
1487 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1488
1489 return 0;
1490}
1491
1492API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1493nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type,
1494 const char *name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1495{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1496 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1497 struct nc_endpt *endpt;
1498
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1499 if (!endpt_name) {
1500 ERRARG("endpt_name");
1501 return -1;
1502 }
1503
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1504 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1505 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1506 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1507 return -1;
1508 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1509 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1510 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1511 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1512
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1513 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1514}
1515
1516API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1517nc_server_tls_ch_client_add_ctn(const char *client_name, uint32_t id, const char *fingerprint,
1518 NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1519{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1520 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1521 struct nc_ch_client *client;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1522
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1523 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1524 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1525 return -1;
1526 }
1527
1528 /* LOCK */
1529 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1530 if (!client) {
1531 return -1;
1532 }
1533
1534 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, client->opts.tls);
1535
1536 /* UNLOCK */
1537 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1538
1539 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1540}
1541
1542static int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1543nc_server_tls_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name,
1544 struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1545{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1546 struct nc_ctn *ctn, *next, *prev;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1547 int ret = -1;
1548
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1549 if ((id < 0) && !fingerprint && !map_type && !name) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1550 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1551 while (ctn) {
1552 lydict_remove(server_opts.ctx, ctn->fingerprint);
1553 lydict_remove(server_opts.ctx, ctn->name);
1554
1555 next = ctn->next;
1556 free(ctn);
1557 ctn = next;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1558
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1559 ret = 0;
1560 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1561 opts->ctn = NULL;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1562 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1563 prev = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1564 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1565 while (ctn) {
1566 if (((id < 0) || (ctn->id == id))
1567 && (!fingerprint || !strcmp(ctn->fingerprint, fingerprint))
1568 && (!map_type || (ctn->map_type == map_type))
1569 && (!name || (ctn->name && !strcmp(ctn->name, name)))) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1570 lydict_remove(server_opts.ctx, ctn->fingerprint);
1571 lydict_remove(server_opts.ctx, ctn->name);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1572
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1573 if (prev) {
1574 prev->next = ctn->next;
1575 next = ctn->next;
1576 } else {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1577 opts->ctn = ctn->next;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1578 next = ctn->next;
1579 }
1580 free(ctn);
1581 ctn = next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1582
1583 ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1584 } else {
1585 prev = ctn;
1586 ctn = ctn->next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1587 }
1588 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1589 }
1590
1591 return ret;
1592}
1593
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1594API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1595nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type,
1596 const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1597{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1598 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1599 struct nc_endpt *endpt;
1600
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1601 if (!endpt_name) {
1602 ERRARG("endpt_name");
1603 return -1;
1604 }
1605
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1606 /* LOCK */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1607 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1608 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1609 return -1;
1610 }
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1611 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1612 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1613 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1614
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1615 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1616}
1617
1618API int
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1619nc_server_tls_ch_client_del_ctn(const char *client_name, int64_t id, const char *fingerprint,
1620 NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1621{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1622 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1623 struct nc_ch_client *client;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1624
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1625 if (!client_name) {
Michal Vasko9bf49542016-11-23 13:50:15 +0100[diff] [blame]1626 ERRARG("client_name");
Michal Vasko2e6defd2016-10-07 15:48:15 +0200[diff] [blame]1627 return -1;
1628 }
1629
1630 /* LOCK */
1631 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1632 if (!client) {
1633 return -1;
1634 }
1635
1636 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, client->opts.tls);
1637
1638 /* UNLOCK */
1639 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1640
1641 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1642}
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1643
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100[diff] [blame]1644static int
Michal Vaskof585ac72016-11-25 15:16:38 +0100[diff] [blame]1645nc_server_tls_get_ctn(uint32_t *id, char **fingerprint, NC_TLS_CTN_MAPTYPE *map_type, char **name,
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100[diff] [blame]1646 struct nc_server_tls_opts *opts)
1647{
1648 struct nc_ctn *ctn;
1649 int ret = -1;
1650
1651 for (ctn = opts->ctn; ctn; ctn = ctn->next) {
1652 if (id && *id && (*id != ctn->id)) {
1653 continue;
1654 }
1655 if (fingerprint && *fingerprint && strcmp(*fingerprint, ctn->fingerprint)) {
1656 continue;
1657 }
1658 if (map_type && *map_type && (*map_type != ctn->map_type)) {
1659 continue;
1660 }
1661 if (name && *name && strcmp(*name, ctn->name)) {
1662 continue;
1663 }
1664
1665 /* first match, good enough */
1666 if (id && !(*id)) {
1667 *id = ctn->id;
1668 }
1669 if (fingerprint && !(*fingerprint)) {
1670 *fingerprint = strdup(ctn->fingerprint);
1671 }
1672 if (map_type && !(*map_type)) {
1673 *map_type = ctn->map_type;
1674 }
1675 if (name && !(*name) && ctn->name) {
1676 *name = strdup(ctn->name);
1677 }
1678
1679 ret = 0;
1680 break;
1681 }
1682
1683 return ret;
1684}
1685
1686API int
Michal Vaskof585ac72016-11-25 15:16:38 +0100[diff] [blame]1687nc_server_tls_endpt_get_ctn(const char *endpt_name, uint32_t *id, char **fingerprint, NC_TLS_CTN_MAPTYPE *map_type,
1688 char **name)
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100[diff] [blame]1689{
1690 int ret;
1691 struct nc_endpt *endpt;
1692
1693 if (!endpt_name) {
1694 ERRARG("endpt_name");
1695 return -1;
1696 }
1697
1698 /* LOCK */
1699 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL, NULL);
1700 if (!endpt) {
1701 return -1;
1702 }
1703 ret = nc_server_tls_get_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
1704 /* UNLOCK */
1705 nc_server_endpt_unlock(endpt);
1706
1707 return ret;
1708}
1709
1710API int
Michal Vaskof585ac72016-11-25 15:16:38 +0100[diff] [blame]1711nc_server_tls_ch_client_get_ctn(const char *client_name, uint32_t *id, char **fingerprint, NC_TLS_CTN_MAPTYPE *map_type,
1712 char **name)
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100[diff] [blame]1713{
1714 int ret;
1715 struct nc_ch_client *client;
1716
1717 if (!client_name) {
1718 ERRARG("client_name");
1719 return -1;
1720 }
1721
1722 /* LOCK */
1723 client = nc_server_ch_client_lock(client_name, NC_TI_OPENSSL, NULL);
1724 if (!client) {
1725 return -1;
1726 }
1727
1728 ret = nc_server_tls_get_ctn(id, fingerprint, map_type, name, client->opts.tls);
1729
1730 /* UNLOCK */
1731 nc_server_ch_client_unlock(client);
1732
1733 return ret;
1734}
1735
Michal Vasko709598e2016-11-28 14:48:32 +0100[diff] [blame^]1736API const X509 *
1737nc_session_get_client_cert(const struct nc_session *session)
1738{
1739 if (!session || (session->side != NC_SERVER)) {
1740 ERRARG("session");
1741 return NULL;
1742 }
1743
1744 return session->opts.server.client_cert;
1745}
1746
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]1747API void
1748nc_server_tls_set_verify_clb(int (*verify_clb)(const struct nc_session *session))
1749{
1750 server_opts.user_verify_clb = verify_clb;
1751}
1752
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1753void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1754nc_server_tls_clear_opts(struct nc_server_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1755{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1756 EVP_PKEY_free(opts->server_key);
1757 X509_free(opts->server_cert);
1758 nc_server_tls_del_trusted_cert(NULL, opts);
1759 lydict_remove(server_opts.ctx, opts->trusted_ca_file);
1760 lydict_remove(server_opts.ctx, opts->trusted_ca_dir);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1761 nc_server_tls_clear_crls(opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1762 nc_server_tls_del_ctn(-1, NULL, 0, NULL, opts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1763}
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1764
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1765static void
1766nc_tls_make_verify_key(void)
1767{
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1768 pthread_key_create(&verify_key, NULL);
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1769}
1770
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1771int
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1772nc_accept_tls_session(struct nc_session *session, int sock, int timeout)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1773{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1774 X509_STORE *cert_store;
1775 SSL_CTX *tls_ctx;
1776 X509_LOOKUP *lookup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1777 struct nc_server_tls_opts *opts;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1778 int ret, elapsed_usec = 0;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1779 uint16_t i;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1780
Michal Vasko2cc4c682016-03-01 09:16:48 +0100[diff] [blame]1781 opts = session->data;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1782
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1783 /* SSL_CTX */
1784 tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1785 if (!tls_ctx) {
1786 ERR("Failed to create TLS context.");
1787 goto error;
1788 }
1789 SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
1790 if (SSL_CTX_use_PrivateKey(tls_ctx, opts->server_key) != 1) {
1791 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
1792 goto error;
1793 }
1794 if (SSL_CTX_use_certificate(tls_ctx, opts->server_cert) != 1) {
1795 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
1796 goto error;
1797 }
1798
1799 /* X509_STORE, managed (freed) with the context */
1800 cert_store = X509_STORE_new();
1801 SSL_CTX_set_cert_store(tls_ctx, cert_store);
1802
1803 for (i = 0; i < opts->trusted_cert_count; ++i) {
1804 if (X509_STORE_add_cert(cert_store, opts->trusted_certs[i].cert) != 1) {
1805 ERR("Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
1806 goto error;
1807 }
1808 }
1809
1810 if (opts->trusted_ca_file) {
1811 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
1812 if (!lookup) {
1813 ERR("Failed to add a lookup method.");
1814 goto error;
1815 }
1816
1817 if (X509_LOOKUP_load_file(lookup, opts->trusted_ca_file, X509_FILETYPE_PEM) != 1) {
1818 ERR("Failed to add a trusted cert file (%s).", ERR_reason_error_string(ERR_get_error()));
1819 goto error;
1820 }
1821 }
1822
1823 if (opts->trusted_ca_dir) {
1824 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
1825 if (!lookup) {
1826 ERR("Failed to add a lookup method.");
1827 goto error;
1828 }
1829
1830 if (X509_LOOKUP_add_dir(lookup, opts->trusted_ca_dir, X509_FILETYPE_PEM) != 1) {
1831 ERR("Failed to add a trusted cert directory (%s).", ERR_reason_error_string(ERR_get_error()));
1832 goto error;
1833 }
1834 }
1835
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1836 session->ti_type = NC_TI_OPENSSL;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1837 session->ti.tls = SSL_new(tls_ctx);
1838
1839 /* context can be freed already */
1840 SSL_CTX_free(tls_ctx);
1841 tls_ctx = NULL;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1842
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1843 if (!session->ti.tls) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1844 ERR("Failed to create TLS structure from context.");
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1845 goto error;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1846 }
1847
1848 SSL_set_fd(session->ti.tls, sock);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1849 sock = -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1850 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1851
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1852 /* store session on per-thread basis */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1853 pthread_once(&verify_once, nc_tls_make_verify_key);
1854 pthread_setspecific(verify_key, session);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1855
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1856 while (((ret = SSL_accept(session->ti.tls)) == -1) && (SSL_get_error(session->ti.tls, ret) == SSL_ERROR_WANT_READ)) {
1857 usleep(NC_TIMEOUT_STEP);
1858 elapsed_usec += NC_TIMEOUT_STEP;
1859 if ((timeout > -1) && (elapsed_usec / 1000 >= timeout)) {
1860 ERR("SSL_accept timeout.");
1861 return 0;
1862 }
1863 }
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1864
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1865 if (ret != 1) {
1866 switch (SSL_get_error(session->ti.tls, ret)) {
1867 case SSL_ERROR_SYSCALL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1868 ERR("SSL_accept failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1869 break;
1870 case SSL_ERROR_SSL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1871 ERR("SSL_accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1872 break;
1873 default:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1874 ERR("SSL_accept failed.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1875 break;
1876 }
1877 return -1;
1878 }
1879
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1880 return 1;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1881
1882error:
1883 if (sock > -1) {
1884 close(sock);
1885 }
1886 SSL_CTX_free(tls_ctx);
1887 return -1;
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1888}