Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 83289290f76bdd2b8a4ad072a098d28054b1874f / . / src / session_server_tls.c
blob: 2b562b1b28311c13fe0bbbbdab727483e808db78 [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]2 * @file session_server_tls.c
3 * @author Michal Vasko <mvasko@cesnet.cz>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]4 * @author Roman Janota <janota@cesnet.cz>
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]5 * @brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]6 *
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]7 * @copyright
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]8 * Copyright (c) 2015 - 2023 CESNET, z.s.p.o.
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]9 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]10 * This source code is licensed under BSD 3-Clause License (the "License").
11 * You may not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]13 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]14 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]15 */
16
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]17#define _GNU_SOURCE
18
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]19#include <poll.h>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]20#include <stdint.h>
21#include <stdio.h>
22#include <stdlib.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]23#include <string.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]24#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]25
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]26#include <curl/curl.h>
27#include <openssl/bio.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]28#include <openssl/err.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]29#include <openssl/evp.h>
30#include <openssl/ssl.h>
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]31#include <openssl/x509.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]32#include <openssl/x509v3.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]33
Michal Vasko316c9632020-04-15 11:06:57 +0200[diff] [blame]34#include "compat.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]35#include "config.h"
36#include "log_p.h"
37#include "session.h"
38#include "session_p.h"
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]39
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]40struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]41extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]42
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]43static char *
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]44asn1time_to_str(const ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]45{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]46 char *cp;
47 BIO *bio;
48 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]49
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]50 if (!t) {
51 return NULL;
52 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]53
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]54 bio = BIO_new(BIO_s_mem());
55 if (!bio) {
56 return NULL;
57 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]58
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]59 ASN1_TIME_print(bio, t);
60 n = BIO_pending(bio);
61 cp = malloc(n + 1);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]62 if (!cp) {
63 ERRMEM;
64 BIO_free(bio);
65 return NULL;
66 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]67
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]68 n = BIO_read(bio, cp, n);
69 if (n < 0) {
70 BIO_free(bio);
71 free(cp);
72 return NULL;
73 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]74
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]75 cp[n] = '\0';
76 BIO_free(bio);
77 return cp;
78}
79
80static void
81digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
82{
83 unsigned int i;
84
85 *str = malloc(dig_len * 3);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]86 if (!*str) {
87 ERRMEM;
88 return;
89 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]90 for (i = 0; i < dig_len - 1; ++i) {
91 sprintf((*str) + (i * 3), "%02x:", digest[i]);
92 }
93 sprintf((*str) + (i * 3), "%02x", digest[i]);
94}
95
96/* return NULL - SSL error can be retrieved */
97static X509 *
98base64der_to_cert(const char *in)
99{
100 X509 *out;
101 char *buf;
102 BIO *bio;
103
104 if (in == NULL) {
105 return NULL;
106 }
107
108 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
109 return NULL;
110 }
111 bio = BIO_new_mem_buf(buf, strlen(buf));
112 if (!bio) {
113 free(buf);
114 return NULL;
115 }
116
117 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
118 if (!out) {
119 free(buf);
120 BIO_free(bio);
121 return NULL;
122 }
123
124 free(buf);
125 BIO_free(bio);
126 return out;
127}
128
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]129static EVP_PKEY *
Michal Vaskoddce1212019-05-24 09:58:49 +0200[diff] [blame]130base64der_to_privatekey(const char *in, const char *key_str)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]131{
132 EVP_PKEY *out;
133 char *buf;
134 BIO *bio;
135
136 if (in == NULL) {
137 return NULL;
138 }
139
romand0fe5952024-03-21 15:59:33 +0100[diff] [blame]140 if (!key_str) {
141 /* avoid writing (null) for possibly unknown key formats */
142 key_str = "";
143 }
144 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN", key_str, "PRIVATE KEY-----\n", in, "\n-----END",
145 key_str, "PRIVATE KEY-----") == -1) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]146 return NULL;
147 }
148 bio = BIO_new_mem_buf(buf, strlen(buf));
149 if (!bio) {
150 free(buf);
151 return NULL;
152 }
153
154 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
155 if (!out) {
156 free(buf);
157 BIO_free(bio);
158 return NULL;
159 }
160
161 free(buf);
162 BIO_free(bio);
163 return out;
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]164}
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]165
166static int
167cert_pubkey_match(X509 *cert1, X509 *cert2)
168{
169 ASN1_BIT_STRING *bitstr1, *bitstr2;
170
171 bitstr1 = X509_get0_pubkey_bitstr(cert1);
172 bitstr2 = X509_get0_pubkey_bitstr(cert2);
173
174 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
175 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
176 return 0;
177 }
178
179 return 1;
180}
181
182static int
183nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
184{
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]185 STACK_OF(GENERAL_NAME) * san_names;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]186 GENERAL_NAME *san_name;
187 ASN1_OCTET_STRING *ip;
188 int i, san_count;
189 char *subject, *common_name;
190
Michal Vaskod9a78642022-02-24 16:25:21 +0100[diff] [blame]191 *username = NULL;
192
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]193 if (map_type == NC_TLS_CTN_COMMON_NAME) {
194 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
195 common_name = strstr(subject, "CN=");
196 if (!common_name) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]197 WRN(NULL, "Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]198 free(subject);
199 return 1;
200 }
201 common_name += 3;
202 if (strchr(common_name, '/')) {
203 *strchr(common_name, '/') = '\0';
204 }
205 *username = strdup(common_name);
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]206 NC_CHECK_ERRMEM_RET(!*username, 1);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]207 free(subject);
208 } else {
209 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
210 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
211 if (!san_names) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]212 WRN(NULL, "Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]213 return 1;
214 }
215
216 san_count = sk_GENERAL_NAME_num(san_names);
217 for (i = 0; i < san_count; ++i) {
218 san_name = sk_GENERAL_NAME_value(san_names, i);
219
220 /* rfc822Name (email) */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]221 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_RFC822_NAME)) &&
222 (san_name->type == GEN_EMAIL)) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]223 *username = strdup((char *)ASN1_STRING_get0_data(san_name->d.rfc822Name));
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]224 NC_CHECK_ERRMEM_RET(!*username, 1);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]225 break;
226 }
227
228 /* dNSName */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]229 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_DNS_NAME)) &&
230 (san_name->type == GEN_DNS)) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]231 *username = strdup((char *)ASN1_STRING_get0_data(san_name->d.dNSName));
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]232 NC_CHECK_ERRMEM_RET(!*username, 1);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]233 break;
234 }
235
236 /* iPAddress */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]237 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_IP_ADDRESS)) &&
238 (san_name->type == GEN_IPADD)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]239 ip = san_name->d.iPAddress;
240 if (ip->length == 4) {
241 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]242 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]243 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
244 return -1;
245 }
246 break;
247 } else if (ip->length == 16) {
248 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
249 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
250 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
251 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]252 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]253 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
254 return -1;
255 }
256 break;
257 } else {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]258 WRN(NULL, "SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]259 }
260 }
261 }
262 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
263
Vitaly Kuzina3b66322021-08-26 12:33:43 +0300[diff] [blame]264 if (i == san_count) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]265 switch (map_type) {
266 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]267 WRN(NULL, "Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]268 break;
269 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]270 WRN(NULL, "Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]271 break;
272 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]273 WRN(NULL, "Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]274 break;
275 case NC_TLS_CTN_SAN_ANY:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]276 WRN(NULL, "Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]277 break;
278 default:
279 break;
280 }
281 return 1;
282 }
283 }
284
285 return 0;
286}
287
288/* return: 0 - OK, 1 - no match, -1 - error */
289static int
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]290nc_tls_cert_to_name(struct nc_session *session, struct nc_ctn *ctn_first, X509 *cert)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]291{
292 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
293 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]294 unsigned char *buf;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]295 unsigned int buf_len = 64;
296 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]297 struct nc_ctn *ctn;
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]298 NC_TLS_CTN_MAPTYPE map_type;
299 char *username = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]300
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]301 buf = malloc(buf_len);
302 NC_CHECK_ERRMEM_RET(!buf, -1);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]303
roman84473212023-10-12 16:29:17 +0200[diff] [blame]304 if (!session || !cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]305 free(buf);
306 return -1;
307 }
308
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]309 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]310 /* reset map_type */
311 map_type = NC_TLS_CTN_UNKNOWN;
312
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100[diff] [blame]313 /* first make sure the entry is valid */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]314 if (!ctn->map_type || ((ctn->map_type == NC_TLS_CTN_SPECIFIED) && !ctn->name)) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]315 VRB(session, "Cert verify CTN: entry with id %u not valid, skipping.", ctn->id);
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100[diff] [blame]316 continue;
317 }
318
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]319 /* if ctn has no fingerprint, it will match any certificate */
320 if (!ctn->fingerprint) {
321 map_type = ctn->map_type;
322
323 /* MD5 */
324 } else if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]325 if (!digest_md5) {
326 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]327 ERR(session, "Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]328 ret = -1;
329 goto cleanup;
330 }
331 digest_to_str(buf, buf_len, &digest_md5);
332 }
333
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]334 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]335 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]336 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]337 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]338 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]339 free(digest_md5);
340 digest_md5 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]341
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]342 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]343 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]344 if (!digest_sha1) {
345 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]346 ERR(session, "Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]347 ret = -1;
348 goto cleanup;
349 }
350 digest_to_str(buf, buf_len, &digest_sha1);
351 }
352
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]353 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]354 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]355 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]356 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]357 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]358 free(digest_sha1);
359 digest_sha1 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]360
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]361 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]362 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]363 if (!digest_sha224) {
364 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]365 ERR(session, "Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]366 ret = -1;
367 goto cleanup;
368 }
369 digest_to_str(buf, buf_len, &digest_sha224);
370 }
371
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]372 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]373 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]374 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]375 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]376 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]377 free(digest_sha224);
378 digest_sha224 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]379
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]380 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]381 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]382 if (!digest_sha256) {
383 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]384 ERR(session, "Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]385 ret = -1;
386 goto cleanup;
387 }
388 digest_to_str(buf, buf_len, &digest_sha256);
389 }
390
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]391 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]392 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]393 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]394 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]395 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]396 free(digest_sha256);
397 digest_sha256 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]398
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]399 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]400 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]401 if (!digest_sha384) {
402 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]403 ERR(session, "Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]404 ret = -1;
405 goto cleanup;
406 }
407 digest_to_str(buf, buf_len, &digest_sha384);
408 }
409
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]410 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]411 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]412 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]413 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]414 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]415 free(digest_sha384);
416 digest_sha384 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]417
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]418 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]419 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]420 if (!digest_sha512) {
421 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]422 ERR(session, "Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]423 ret = -1;
424 goto cleanup;
425 }
426 digest_to_str(buf, buf_len, &digest_sha512);
427 }
428
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]429 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]430 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]431 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]432 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]433 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]434 free(digest_sha512);
435 digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]436
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]437 /* unknown */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]438 } else {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]439 WRN(session, "Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]440 continue;
441 }
442
443 if (map_type != NC_TLS_CTN_UNKNOWN) {
444 /* found a fingerprint match */
445 if (map_type == NC_TLS_CTN_SPECIFIED) {
446 /* specified -> get username from the ctn entry */
447 session->username = strdup(ctn->name);
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]448 NC_CHECK_ERRMEM_GOTO(!session->username, ret = -1, cleanup);
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]449 } else {
450 /* try to get the username from the cert with this ctn's map type */
451 ret = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &username);
452 if (ret == -1) {
453 /* fatal error */
454 goto cleanup;
455 } else if (ret) {
456 /* didn't get username, try next ctn entry */
457 continue;
458 }
459
460 /* success */
461 session->username = username;
462 }
463
464 /* matching fingerprint found and username obtained, success */
465 ret = 0;
466 goto cleanup;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]467 }
468 }
469
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]470 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]471 ret = 1;
472 }
473
474cleanup:
475 free(digest_md5);
476 free(digest_sha1);
477 free(digest_sha224);
478 free(digest_sha256);
479 free(digest_sha384);
480 free(digest_sha512);
481 free(buf);
482 return ret;
483}
484
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]485static int
486nc_server_tls_check_crl(X509_STORE *crl_store, X509_STORE_CTX *x509_ctx, X509 *cert,
487 const X509_NAME *subject, const X509_NAME *issuer)
488{
489 int n, i, ret = 0;
490 X509_STORE_CTX *store_ctx = NULL;
491 X509_OBJECT *obj = NULL;
492 X509_CRL *crl;
493 X509_REVOKED *revoked;
494 EVP_PKEY *pubkey;
495 const ASN1_INTEGER *serial;
496 const ASN1_TIME *last_update = NULL, *next_update = NULL;
497 char *cp;
498
499 store_ctx = X509_STORE_CTX_new();
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]500 NC_CHECK_ERRMEM_GOTO(!store_ctx, ret = -1, cleanup);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]501
502 /* init store context */
503 ret = X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
504 if (!ret) {
505 ERR(NULL, "Initializing x509 store ctx failed (%s).", ERR_reason_error_string(ERR_get_error()));
506 ret = -1;
507 goto cleanup;
508 }
509 ret = 0;
510
511 /* try to find a CRL entry that corresponds to the current certificate in question */
512 obj = X509_STORE_CTX_get_obj_by_subject(store_ctx, X509_LU_CRL, subject);
513 crl = X509_OBJECT_get0_X509_CRL(obj);
514 X509_OBJECT_free(obj);
515 if (crl) {
516 /* found it */
517 cp = X509_NAME_oneline(subject, NULL, 0);
518 VRB(NULL, "Cert verify CRL: issuer: %s.", cp);
519 OPENSSL_free(cp);
520
521 last_update = X509_CRL_get0_lastUpdate(crl);
522 next_update = X509_CRL_get0_nextUpdate(crl);
523 cp = asn1time_to_str(last_update);
524 VRB(NULL, "Cert verify CRL: last update: %s.", cp);
525 free(cp);
526 cp = asn1time_to_str(next_update);
527 VRB(NULL, "Cert verify CRL: next update: %s.", cp);
528 free(cp);
529
530 /* verify the signature on this CRL */
531 pubkey = X509_get0_pubkey(cert);
532 if (X509_CRL_verify(crl, pubkey) <= 0) {
533 ERR(NULL, "Cert verify CRL: invalid signature.");
534 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
535 ret = -1;
536 goto cleanup;
537 }
538
539 /* check date of CRL to make sure it's not expired */
540 if (!next_update) {
541 ERR(NULL, "Cert verify CRL: invalid nextUpdate field.");
542 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
543 ret = -1;
544 goto cleanup;
545 }
546
547 if (X509_cmp_current_time(next_update) < 0) {
548 ERR(NULL, "Cert verify CRL: expired - revoking all certificates.");
549 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
550 ret = -1;
551 goto cleanup;
552 }
553 }
554
555 /* try to retrieve a CRL corresponding to the _issuer_ of
556 * the current certificate in order to check for revocation */
557 obj = X509_STORE_CTX_get_obj_by_subject(store_ctx, X509_LU_CRL, issuer);
558 crl = X509_OBJECT_get0_X509_CRL(obj);
559 if (crl) {
560 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
561 for (i = 0; i < n; i++) {
562 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
563 serial = X509_REVOKED_get0_serialNumber(revoked);
564 if (ASN1_INTEGER_cmp(serial, X509_get_serialNumber(cert)) == 0) {
565 cp = X509_NAME_oneline(issuer, NULL, 0);
566 ERR(NULL, "Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.",
567 serial, serial, cp);
568 OPENSSL_free(cp);
569 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
570 ret = -1;
571 goto cleanup;
572 }
573 }
574 }
575
576cleanup:
577 X509_STORE_CTX_free(store_ctx);
578 X509_OBJECT_free(obj);
579 return ret;
580}
581
582static int
583nc_server_tls_ts_ref_get_certs(const char *referenced_name, struct nc_certificate **certs, uint16_t *cert_count)
584{
585 uint16_t i;
586 struct nc_truststore *ts = &server_opts.truststore;
587
588 *certs = NULL;
589 *cert_count = 0;
590
591 /* lookup name */
592 for (i = 0; i < ts->cert_bag_count; i++) {
593 if (!strcmp(referenced_name, ts->cert_bags[i].name)) {
594 break;
595 }
596 }
597
598 if (i == ts->cert_bag_count) {
599 ERR(NULL, "Truststore entry \"%s\" not found.", referenced_name);
600 return -1;
601 }
602
603 *certs = ts->cert_bags[i].certs;
604 *cert_count = ts->cert_bags[i].cert_count;
605 return 0;
606}
607
608/* In case a CA chain verification failed an end-entity certificate must match.
609 * The meaning of local_or_referenced is that it states, which end-entity certificates to check
610 * (1 = current endpoint's, 2 = referenced endpoint's).
611 */
612static int
613nc_server_tls_do_preverify(struct nc_session *session, X509_STORE_CTX *x509_ctx, int local_or_referenced)
614{
615 X509_STORE *store;
616 struct nc_cert_grouping *ee_certs;
617 int i, ret;
618 X509 *cert;
619 struct nc_certificate *certs;
620 uint16_t cert_count;
621
622 store = X509_STORE_CTX_get0_store(x509_ctx);
623 if (!store) {
624 ERR(session, "Error getting store from context (%s).", ERR_reason_error_string(ERR_get_error()));
625 return -1;
626 }
627
628 /* get the data from the store */
629 ee_certs = X509_STORE_get_ex_data(store, local_or_referenced);
630 if (!ee_certs) {
631 ERR(session, "Error getting data from store (%s).", ERR_reason_error_string(ERR_get_error()));
632 return -1;
633 }
634
635 if (ee_certs->store == NC_STORE_LOCAL) {
636 /* local definition */
637 certs = ee_certs->certs;
638 cert_count = ee_certs->cert_count;
639 } else {
640 /* truststore reference */
641 if (nc_server_tls_ts_ref_get_certs(ee_certs->ts_ref, &certs, &cert_count)) {
642 ERR(NULL, "Error getting end-entity certificates from the truststore reference \"%s\".", ee_certs->ts_ref);
643 return -1;
644 }
645 }
646
647 for (i = 0; i < cert_count; i++) {
648 cert = base64der_to_cert(certs[i].data);
649 ret = cert_pubkey_match(session->opts.server.client_cert, cert);
650 X509_free(cert);
651 if (ret) {
652 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
653 * this callback will be called again with the same current certificate and preverify_ok == 1 */
654 VRB(session, "Cert verify: fail (%s), but the end-entity certificate is trusted, continuing.",
655 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
656 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
657 return 1;
658 }
659 }
660
661 return 0;
662}
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]663
664static int
665nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
666{
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]667 X509_NAME *subject;
668 X509_NAME *issuer;
669 X509 *cert;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]670 char *cp;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]671 X509_STORE *store;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]672
673 STACK_OF(X509) * cert_stack;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]674 struct nc_session *session;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]675 struct nc_server_tls_opts *opts;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]676 struct nc_endpt *referenced_endpt;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]677 int rc, depth;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]678
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]679 store = X509_STORE_CTX_get0_store(x509_ctx);
680 if (!store) {
681 ERR(NULL, "Error getting store from context (%s).", ERR_reason_error_string(ERR_get_error()));
682 return 0;
683 }
684
685 /* get session from the store */
686 session = X509_STORE_get_ex_data(store, 0);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]687 if (!session) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]688 ERR(session, "Error getting session from store (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]689 return 0;
690 }
691
692 opts = session->data;
693
694 /* get the last certificate, that is the peer (client) certificate */
695 if (!session->opts.server.client_cert) {
696 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
Andrew Langefeld62bc6712018-08-28 16:17:16 -0500[diff] [blame]697 session->opts.server.client_cert = sk_X509_value(cert_stack, 0);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]698 X509_up_ref(session->opts.server.client_cert);
699 sk_X509_pop_free(cert_stack, X509_free);
700 }
701
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]702 /* standard certificate verification failed, so an end-entity client cert must match to continue */
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]703 if (!preverify_ok) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]704 /* check current endpoint's end-entity certs */
705 rc = nc_server_tls_do_preverify(session, x509_ctx, 1);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]706 if (rc == -1) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]707 return 0;
708 } else if (rc == 1) {
709 return 1;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]710 }
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]711
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]712 /* no match, continue */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]713 if (opts->referenced_endpt_name) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]714 /* check referenced endpoint's end-entity certs */
715 rc = nc_server_tls_do_preverify(session, x509_ctx, 2);
716 if (rc == -1) {
717 return 0;
718 } else if (rc == 1) {
719 return 1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]720 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]721 }
722
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]723 /* no match, fail */
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]724 ERR(session, "Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]725 return 0;
726 }
727
728 /* print cert verify info */
729 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]730 VRB(session, "Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]731
732 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
733 subject = X509_get_subject_name(cert);
734 issuer = X509_get_issuer_name(cert);
735
736 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]737 VRB(session, "Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]738 OPENSSL_free(cp);
739 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]740 VRB(session, "Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]741 OPENSSL_free(cp);
742
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]743 /* check if the current certificate is revoked if CRL is set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]744 if (opts->crl_store) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]745 rc = nc_server_tls_check_crl(opts->crl_store, x509_ctx, cert, subject, issuer);
746 if (rc) {
747 return 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]748 }
749 }
750
751 /* cert-to-name already successful */
752 if (session->username) {
753 return 1;
754 }
755
756 /* cert-to-name */
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]757 rc = nc_tls_cert_to_name(session, opts->ctn, cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]758 if (rc == -1) {
759 /* fatal error */
760 depth = 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]761 goto fail;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]762 } else if ((rc == 1) && !opts->referenced_endpt_name) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]763 /* no match found and no referenced endpoint */
764 goto fail;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]765 } else if ((rc == 1) && opts->referenced_endpt_name) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]766 /* no match found, but has a referenced endpoint so try it */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]767 if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
768 /* fatal error */
769 ERRINT;
770 depth = 0;
771 goto fail;
772 }
773
774 rc = nc_tls_cert_to_name(session, referenced_endpt->opts.tls->ctn, cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]775 if (rc) {
776 if (rc == -1) {
777 /* fatal error */
778 depth = 0;
779 }
780 /* rc == 1 is a normal CTN fail (no match found) */
781 goto fail;
782 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]783 }
784
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]785 VRB(session, "Cert verify CTN: new client username recognized as \"%s\".", session->username);
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]786
787 if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]788 VRB(session, "Cert verify: user verify callback revoked authorization.");
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]789 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
790 return 0;
791 }
792
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]793 return 1;
794
795fail:
796 if (depth > 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]797 VRB(session, "Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]798 return 1;
799 }
800
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]801 VRB(session, "Cert-to-name unsuccessful, dropping the new client.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]802 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
803 return 0;
804}
805
Michal Vasko709598e2016-11-28 14:48:32 +0100[diff] [blame]806API const X509 *
807nc_session_get_client_cert(const struct nc_session *session)
808{
809 if (!session || (session->side != NC_SERVER)) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]810 ERRARG(session, "session");
Michal Vasko709598e2016-11-28 14:48:32 +0100[diff] [blame]811 return NULL;
812 }
813
814 return session->opts.server.client_cert;
815}
816
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]817API void
818nc_server_tls_set_verify_clb(int (*verify_clb)(const struct nc_session *session))
819{
820 server_opts.user_verify_clb = verify_clb;
821}
822
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]823static int
824nc_server_tls_ks_ref_get_cert_key(const char *referenced_key_name, const char *referenced_cert_name,
825 char **privkey_data, NC_PRIVKEY_FORMAT *privkey_type, char **cert_data)
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]826{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]827 uint16_t i, j;
828 struct nc_keystore *ks = &server_opts.keystore;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]829
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]830 *privkey_data = NULL;
831 *cert_data = NULL;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]832
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]833 /* lookup name */
834 for (i = 0; i < ks->asym_key_count; i++) {
835 if (!strcmp(referenced_key_name, ks->asym_keys[i].name)) {
836 break;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]837 }
838 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]839 if (i == ks->asym_key_count) {
840 ERR(NULL, "Keystore entry \"%s\" not found.", referenced_key_name);
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]841 return -1;
842 }
843
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]844 for (j = 0; j < ks->asym_keys[i].cert_count; j++) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]845 if (!strcmp(referenced_cert_name, ks->asym_keys[i].certs[j].name)) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]846 break;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]847 }
848 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]849 if (j == ks->asym_keys[i].cert_count) {
850 ERR(NULL, "Keystore certificate entry \"%s\" associated with the key \"%s\" not found.",
851 referenced_cert_name, referenced_key_name);
852 return -1;
853 }
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]854
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]855 *privkey_data = ks->asym_keys[i].privkey_data;
856 *privkey_type = ks->asym_keys[i].privkey_type;
857 *cert_data = ks->asym_keys[i].certs[j].data;
858 return 0;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]859}
860
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]861static int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]862nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]863{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]864 char *privkey_data = NULL, *cert_data = NULL;
Michal Vaskoddce1212019-05-24 09:58:49 +0200[diff] [blame]865 int ret = 0;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]866 NC_PRIVKEY_FORMAT privkey_type;
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]867 X509 *cert = NULL;
868 EVP_PKEY *pkey = NULL;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]869
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]870 NC_CHECK_ARG_RET(NULL, tls_ctx, opts, -1);
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]871
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]872 /* get data needed for setting the server cert */
873 if (opts->store == NC_STORE_LOCAL) {
874 /* local definition */
875 cert_data = opts->cert_data;
876 privkey_data = opts->privkey_data;
877 privkey_type = opts->privkey_type;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]878 } else {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]879 /* keystore */
880 ret = nc_server_tls_ks_ref_get_cert_key(opts->key_ref, opts->cert_ref, &privkey_data, &privkey_type, &cert_data);
881 if (ret) {
882 ERR(NULL, "Getting server certificate from the keystore reference \"%s\" failed.", opts->key_ref);
883 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]884 }
885 }
romana55fee02024-03-21 16:00:48 +0100[diff] [blame]886 if (!cert_data || !privkey_data) {
887 ERR(NULL, "Server certificate not configured.");
888 ret = -1;
889 goto cleanup;
890 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]891
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]892 /* load the cert */
893 cert = base64der_to_cert(cert_data);
894 if (!cert) {
895 ERR(NULL, "Converting certificate data to certificate format failed.");
896 ret = -1;
897 goto cleanup;
898 }
899
900 /* set server cert */
901 ret = SSL_CTX_use_certificate(tls_ctx, cert);
902 if (ret != 1) {
903 ERR(NULL, "Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
904 ret = -1;
905 goto cleanup;
906 }
907
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]908 /* load the private key */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]909 pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type));
910 if (!pkey) {
911 ERR(NULL, "Converting private key data to private key format failed.");
912 ret = -1;
913 goto cleanup;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]914 }
915
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]916 /* set server key */
917 ret = SSL_CTX_use_PrivateKey(tls_ctx, pkey);
918 if (ret != 1) {
919 ERR(NULL, "Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
920 ret = -1;
921 goto cleanup;
922 }
923
924 ret = 0;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]925
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]926cleanup:
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]927 X509_free(cert);
928 EVP_PKEY_free(pkey);
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]929 return ret;
930}
931
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]932static int
933tls_store_add_trusted_cert(X509_STORE *cert_store, const char *cert_data)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]934{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]935 X509 *cert;
936
937 cert = base64der_to_cert(cert_data);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]938
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]939 if (!cert) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]940 ERR(NULL, "Loading a trusted certificate (data \"%s\") failed (%s).", cert_data,
941 ERR_reason_error_string(ERR_get_error()));
942 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]943 }
944
945 /* add the trusted certificate */
946 if (X509_STORE_add_cert(cert_store, cert) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]947 ERR(NULL, "Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]948 X509_free(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]949 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]950 }
951 X509_free(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]952
953 return 0;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]954}
955
956static int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]957nc_tls_store_set_trusted_certs(X509_STORE *cert_store, struct nc_cert_grouping *ca_certs)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]958{
959 uint16_t i;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]960 struct nc_certificate *certs;
961 uint16_t cert_count;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]962
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]963 if (ca_certs->store == NC_STORE_LOCAL) {
964 /* local definition */
965 certs = ca_certs->certs;
966 cert_count = ca_certs->cert_count;
967 } else {
968 /* truststore */
969 if (nc_server_tls_ts_ref_get_certs(ca_certs->ts_ref, &certs, &cert_count)) {
970 ERR(NULL, "Error getting certificate-authority certificates from the truststore reference \"%s\".", ca_certs->ts_ref);
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]971 return -1;
972 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]973 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]974
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]975 for (i = 0; i < cert_count; i++) {
976 if (tls_store_add_trusted_cert(cert_store, certs[i].data)) {
977 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]978 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]979 }
980
981 return 0;
982}
983
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]984static int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]985nc_server_tls_crl_path(struct nc_session *session, const char *crl_path, X509_STORE *store)
986{
987 int ret = 0;
988 X509_CRL *crl = NULL;
989 FILE *f;
990
991 f = fopen(crl_path, "r");
992 if (!f) {
993 ERR(session, "Unable to open CRL file \"%s\".", crl_path);
994 return -1;
995 }
996
997 /* try DER first */
998 crl = d2i_X509_CRL_fp(f, NULL);
999 if (crl) {
1000 /* success */
1001 goto ok;
1002 }
1003
1004 /* DER failed, try PEM */
1005 rewind(f);
1006 crl = PEM_read_X509_CRL(f, NULL, NULL, NULL);
1007 if (!crl) {
1008 ERR(session, "Reading CRL from file \"%s\" failed.", crl_path);
1009 ret = -1;
1010 goto cleanup;
1011 }
1012
1013ok:
1014 ret = X509_STORE_add_crl(store, crl);
1015 if (!ret) {
1016 ERR(session, "Error adding CRL to store (%s).", ERR_reason_error_string(ERR_get_error()));
1017 ret = -1;
1018 goto cleanup;
1019 }
1020 /* ok */
1021 ret = 0;
1022
1023cleanup:
1024 fclose(f);
1025 X509_CRL_free(crl);
1026 return ret;
1027}
1028
1029static size_t
1030nc_server_tls_curl_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
1031{
1032 struct nc_curl_data *data;
1033
1034 size = nmemb;
1035
1036 data = (struct nc_curl_data *)userdata;
1037
1038 data->data = nc_realloc(data->data, data->size + size);
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]1039 NC_CHECK_ERRMEM_RET(!data->data, 0);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1040
1041 memcpy(&data->data[data->size], ptr, size);
1042 data->size += size;
1043
1044 return size;
1045}
1046
1047static int
1048nc_server_tls_curl_init(struct nc_session *session, CURL **handle, struct nc_curl_data *data)
1049{
1050 NC_CHECK_ARG_RET(session, handle, data, -1);
1051
1052 *handle = NULL;
1053
1054 *handle = curl_easy_init();
1055 if (!*handle) {
1056 ERR(session, "Initializing CURL failed.");
1057 return -1;
1058 }
1059
1060 if (curl_easy_setopt(*handle, CURLOPT_WRITEFUNCTION, nc_server_tls_curl_cb)) {
1061 ERR(session, "Setting curl callback failed.");
1062 return -1;
1063 }
1064
1065 if (curl_easy_setopt(*handle, CURLOPT_WRITEDATA, data)) {
1066 ERR(session, "Setting curl callback data failed.");
1067 return -1;
1068 }
1069
1070 return 0;
1071}
1072
1073static int
1074nc_server_tls_curl_fetch(struct nc_session *session, CURL *handle, const char *url)
1075{
1076 char err_buf[CURL_ERROR_SIZE];
1077
1078 /* set uri */
1079 if (curl_easy_setopt(handle, CURLOPT_URL, url)) {
1080 ERR(session, "Setting URI \"%s\" to download CRL from failed.", url);
1081 return -1;
1082 }
1083
1084 /* set err buf */
roman134783b2023-11-09 12:41:45 +0100[diff] [blame]1085 if (curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buf)) {
1086 ERR(session, "Setting CURL error buffer option failed.");
1087 return -1;
1088 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1089
1090 /* download */
1091 if (curl_easy_perform(handle)) {
1092 ERR(session, "Downloading CRL from \"%s\" failed (%s).", url, err_buf);
1093 return -1;
1094 }
1095
1096 return 0;
1097}
1098
1099static int
1100nc_server_tls_add_crl_to_store(struct nc_session *session, struct nc_curl_data *downloaded, X509_STORE *store)
1101{
1102 int ret = 0;
1103 X509_CRL *crl = NULL;
1104 BIO *bio = NULL;
1105
1106 /* try DER first */
1107 crl = d2i_X509_CRL(NULL, (const unsigned char **) &downloaded->data, downloaded->size);
1108 if (crl) {
1109 /* it was DER */
1110 goto ok;
1111 }
1112
1113 /* DER failed, try PEM next */
1114 bio = BIO_new_mem_buf(downloaded->data, downloaded->size);
1115 if (!bio) {
1116 ERR(session, "Creating new bio failed (%s).", ERR_reason_error_string(ERR_get_error()));
1117 ret = -1;
1118 goto cleanup;
1119 }
1120
1121 /* try to parse PEM from the downloaded data */
1122 crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
1123 if (!crl) {
1124 ERR(session, "Reading downloaded CRL failed (%s).", ERR_reason_error_string(ERR_get_error()));
1125 ret = -1;
1126 goto cleanup;
1127 }
1128
1129ok:
1130 /* we obtained the CRL, now add it to the CRL store */
1131 ret = X509_STORE_add_crl(store, crl);
1132 if (!ret) {
1133 ERR(session, "Error adding CRL to store (%s).", ERR_reason_error_string(ERR_get_error()));
1134 ret = -1;
1135 goto cleanup;
1136 }
1137 /* ok */
1138 ret = 0;
1139
1140cleanup:
1141 X509_CRL_free(crl);
1142 BIO_free(bio);
1143 return ret;
1144}
1145
1146static int
1147nc_server_tls_crl_url(struct nc_session *session, const char *url, X509_STORE *store)
1148{
1149 int ret = 0;
1150 CURL *handle = NULL;
1151 struct nc_curl_data downloaded = {0};
1152
1153 /* init curl */
1154 ret = nc_server_tls_curl_init(session, &handle, &downloaded);
1155 if (ret) {
1156 goto cleanup;
1157 }
1158
1159 VRB(session, "Downloading CRL from \"%s\".", url);
1160
1161 /* download the CRL */
1162 ret = nc_server_tls_curl_fetch(session, handle, url);
1163 if (ret) {
1164 goto cleanup;
1165 }
1166
1167 /* convert the downloaded data to CRL and add it to the store */
1168 ret = nc_server_tls_add_crl_to_store(session, &downloaded, store);
1169 if (ret) {
1170 goto cleanup;
1171 }
1172
1173cleanup:
1174 curl_easy_cleanup(handle);
1175 return ret;
1176}
1177
1178static int
1179nc_server_tls_crl_cert_ext(struct nc_session *session, X509_STORE *cert_store, X509_STORE *crl_store)
1180{
1181 int ret = 0, i, j, k, gtype;
1182 CURL *handle = NULL;
1183 struct nc_curl_data downloaded = {0};
1184
1185 STACK_OF(X509_OBJECT) * objs;
1186 X509_OBJECT *obj;
1187 X509 *cert;
1188
1189 STACK_OF(DIST_POINT) * dist_points;
1190 DIST_POINT *dist_point;
1191 GENERAL_NAMES *general_names;
1192 GENERAL_NAME *general_name;
1193 ASN1_STRING *asn_string_uri;
1194 const char *crl_distpoint_uri;
1195
1196 /* init curl */
1197 ret = nc_server_tls_curl_init(session, &handle, &downloaded);
1198 if (ret) {
1199 goto cleanup;
1200 }
1201
1202 /* treat all entries in the cert_store as X509_OBJECTs */
1203 objs = X509_STORE_get0_objects(cert_store);
1204 if (!objs) {
1205 ERR(session, "Getting certificates from store failed (%s).", ERR_reason_error_string(ERR_get_error()));
1206 ret = -1;
1207 goto cleanup;
1208 }
1209
1210 /* iterate over all the CAs */
1211 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
1212 obj = sk_X509_OBJECT_value(objs, i);
1213 cert = X509_OBJECT_get0_X509(obj);
1214 if (!cert) {
1215 /* the object on this index was not a certificate */
1216 continue;
1217 }
1218
1219 /* get all the distribution points for this CA */
1220 dist_points = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
1221
1222 /* iterate over all the dist points (there can be multiple for a single cert) */
1223 for (j = 0; j < sk_DIST_POINT_num(dist_points); j++) {
1224 dist_point = sk_DIST_POINT_value(dist_points, j);
1225 if (!dist_point) {
1226 continue;
1227 }
1228 general_names = dist_point->distpoint->name.fullname;
1229
1230 /* iterate over all the GeneralesNames in the distribution point */
1231 for (k = 0; k < sk_GENERAL_NAME_num(general_names); k++) {
1232 general_name = sk_GENERAL_NAME_value(general_names, k);
1233 asn_string_uri = GENERAL_NAME_get0_value(general_name, &gtype);
1234
1235 /* check if the general name is a URI and has a valid length */
1236 if ((gtype != GEN_URI) || (ASN1_STRING_length(asn_string_uri) <= 6)) {
1237 continue;
1238 }
1239
1240 crl_distpoint_uri = (const char *) ASN1_STRING_get0_data(asn_string_uri);
1241
1242 VRB(session, "Downloading CRL from \"%s\".", crl_distpoint_uri);
1243
1244 /* download the CRL */
1245 ret = nc_server_tls_curl_fetch(session, handle, crl_distpoint_uri);
1246 if (ret) {
1247 /* failed to download the CRL from this entry, try th next */
1248 continue;
1249 }
1250
1251 /* convert the downloaded data to CRL and add it to the store */
1252 ret = nc_server_tls_add_crl_to_store(session, &downloaded, crl_store);
1253 if (ret) {
1254 goto cleanup;
1255 }
1256
1257 /* the CRL was downloaded, no need to download it again using different protocol */
1258 break;
1259 }
1260 }
1261 }
1262
1263cleanup:
1264 curl_easy_cleanup(handle);
1265 return ret;
1266}
1267
1268static int
1269nc_tls_store_set_crl(struct nc_session *session, struct nc_server_tls_opts *opts, X509_STORE *store)
1270{
1271 if (!opts->crl_store) {
1272 /* first call on this endpoint */
1273 opts->crl_store = X509_STORE_new();
roman124a4362023-10-26 15:36:22 +0200[diff] [blame]1274 NC_CHECK_ERRMEM_GOTO(!opts->crl_store, , fail);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1275 }
1276
1277 if (opts->crl_path) {
1278 if (nc_server_tls_crl_path(session, opts->crl_path, opts->crl_store)) {
1279 goto fail;
1280 }
1281 } else if (opts->crl_url) {
1282 if (nc_server_tls_crl_url(session, opts->crl_url, opts->crl_store)) {
1283 goto fail;
1284 }
1285 } else {
1286 if (nc_server_tls_crl_cert_ext(session, store, opts->crl_store)) {
1287 goto fail;
1288 }
1289 }
1290
1291 return 0;
1292
1293fail:
1294 return -1;
1295}
1296
1297static int
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1298nc_server_tls_accept_check(int accept_ret, struct nc_session *session)
1299{
1300 int verify;
1301
1302 /* check certificate verification result */
1303 verify = SSL_get_verify_result(session->ti.tls);
1304 switch (verify) {
1305 case X509_V_OK:
1306 if (accept_ret == 1) {
1307 VRB(session, "Client certificate verified.");
1308 }
1309 break;
1310 default:
1311 ERR(session, "Client certificate error (%s).", X509_verify_cert_error_string(verify));
1312 }
1313
1314 if (accept_ret != 1) {
1315 switch (SSL_get_error(session->ti.tls, accept_ret)) {
1316 case SSL_ERROR_SYSCALL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1317 ERR(session, "SSL accept failed (%s).", strerror(errno));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1318 break;
1319 case SSL_ERROR_SSL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1320 ERR(session, "SSL accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1321 break;
1322 default:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1323 ERR(session, "SSL accept failed.");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1324 break;
1325 }
1326 }
1327
1328 return accept_ret;
1329}
1330
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1331int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1332nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opts, int sock, int timeout)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1333{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1334 X509_STORE *cert_store;
1335 SSL_CTX *tls_ctx;
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1336 int ret;
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]1337 struct timespec ts_timeout;
Michal Vasko68dbc0f2024-03-12 11:53:01 +0100[diff] [blame]1338 struct nc_endpt *referenced_endpt = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1339
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1340 /* SSL_CTX */
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]1341 tls_ctx = SSL_CTX_new(TLS_server_method());
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1342
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1343 if (!tls_ctx) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]1344 ERR(session, "Failed to create TLS context.");
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1345 goto error;
1346 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1347
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1348 SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1349 if (nc_tls_ctx_set_server_cert_key(tls_ctx, opts)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1350 goto error;
1351 }
1352
1353 /* X509_STORE, managed (freed) with the context */
1354 cert_store = X509_STORE_new();
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1355 if (!cert_store) {
1356 ERR(session, "Creating certificate store failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]1357 goto error;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1358 }
1359
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]1360 /* store the session, retrieve it when needed */
1361 ret = X509_STORE_set_ex_data(cert_store, 0, session);
1362 if (!ret) {
1363 ERR(session, "Setting certificate store data failed (%s).", ERR_reason_error_string(ERR_get_error()));
1364 goto error;
1365 }
1366
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1367 /* set end-entity certs as cert store data, retrieve them if verification fails later */
1368 ret = X509_STORE_set_ex_data(cert_store, 1, &opts->ee_certs);
1369 if (!ret) {
1370 ERR(session, "Setting certificate store data failed (%s).", ERR_reason_error_string(ERR_get_error()));
1371 goto error;
1372 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1373
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1374 /* do the same for referenced endpoint's end entity certs */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]1375 if (opts->referenced_endpt_name) {
1376 if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
1377 ERRINT;
1378 goto error;
1379 }
1380
1381 ret = X509_STORE_set_ex_data(cert_store, 2, &referenced_endpt->opts.tls->ee_certs);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1382 if (!ret) {
1383 ERR(session, "Setting certificate store data failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1384 goto error;
1385 }
1386 }
1387
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1388 /* set store to the context */
1389 SSL_CTX_set_cert_store(tls_ctx, cert_store);
1390
1391 /* set certificate authority certs */
1392 if (nc_tls_store_set_trusted_certs(cert_store, &opts->ca_certs)) {
1393 goto error;
1394 }
1395
1396 /* set referenced endpoint's CA certs if set */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]1397 if (opts->referenced_endpt_name) {
1398 if (nc_tls_store_set_trusted_certs(cert_store, &referenced_endpt->opts.tls->ca_certs)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1399 goto error;
1400 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1401 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1402
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1403 /* set Certificate Revocation List if configured */
1404 if (opts->crl_path || opts->crl_url || opts->crl_cert_ext) {
1405 if (nc_tls_store_set_crl(session, opts, cert_store)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1406 goto error;
1407 }
1408 }
1409
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1410 session->ti_type = NC_TI_OPENSSL;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1411 session->ti.tls = SSL_new(tls_ctx);
1412
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]1413 /* context can be freed already, trusted certs must be freed manually */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1414 SSL_CTX_free(tls_ctx);
1415 tls_ctx = NULL;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1416
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1417 if (!session->ti.tls) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]1418 ERR(session, "Failed to create TLS structure from context.");
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1419 goto error;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1420 }
1421
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1422 /* set TLS versions for the current SSL session */
1423 if (opts->tls_versions) {
1424 if (!(opts->tls_versions & NC_TLS_VERSION_10)) {
1425 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1);
1426 }
1427 if (!(opts->tls_versions & NC_TLS_VERSION_11)) {
1428 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1_1);
1429 }
1430 if (!(opts->tls_versions & NC_TLS_VERSION_12)) {
1431 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1_2);
1432 }
1433 if (!(opts->tls_versions & NC_TLS_VERSION_13)) {
1434 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1_3);
1435 }
1436 }
1437
1438 /* set TLS cipher suites */
1439 if (opts->ciphers) {
1440 /* set for TLS1.2 and lower */
1441 SSL_set_cipher_list(session->ti.tls, opts->ciphers);
1442 /* set for TLS1.3 */
1443 SSL_set_ciphersuites(session->ti.tls, opts->ciphers);
1444 }
1445
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1446 SSL_set_fd(session->ti.tls, sock);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1447 sock = -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1448 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1449
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1450 if (timeout > -1) {
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]1451 nc_timeouttime_get(&ts_timeout, timeout);
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1452 }
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1453 while (((ret = SSL_accept(session->ti.tls)) == -1) && (SSL_get_error(session->ti.tls, ret) == SSL_ERROR_WANT_READ)) {
1454 usleep(NC_TIMEOUT_STEP);
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]1455 if ((timeout > -1) && (nc_timeouttime_cur_diff(&ts_timeout) < 1)) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1456 ERR(session, "SSL accept timeout.");
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]1457 return 0;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1458 }
1459 }
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1460 if (nc_server_tls_accept_check(ret, session) != 1) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1461 return -1;
1462 }
1463
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1464 return 1;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1465
1466error:
1467 if (sock > -1) {
1468 close(sock);
1469 }
1470 SSL_CTX_free(tls_ctx);
1471 return -1;
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1472}