Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / ade892d14fe3e2aae9d2711043e0ad5d46fa9e11 / . / src / session_client_tls.c
blob: f6435b1dc4e7fc394aa35fe5e3a9f3ab607b4a8e [file] [log] [blame]
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]1/**
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]2 * \file session_client_tls.c
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]3 * \author Radek Krejci <rkrejci@cesnet.cz>
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]4 * \author Michal Vasko <mvasko@cesnet.cz>
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]5 * \brief libnetconf2 - TLS specific session client transport functions
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]6 *
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]7 * This source is compiled only with libssl.
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]8 *
9 * Copyright (c) 2015 CESNET, z.s.p.o.
10 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]11 * This source code is licensed under BSD 3-Clause License (the "License").
12 * You may not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]14 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]15 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]16 */
17
18#include <assert.h>
19#include <errno.h>
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]20#include <string.h>
21#include <unistd.h>
22
23#include <libyang/libyang.h>
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]24#include <openssl/ossl_typ.h>
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]25#include <openssl/err.h>
Michal Vaskodae48322016-02-25 14:49:48 +0100[diff] [blame]26#include <openssl/x509.h>
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]27
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]28#include "session_client.h"
29#include "session_client_ch.h"
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]30#include "libnetconf.h"
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]31
Michal Vaskodaf9a092016-02-09 10:42:05 +0100[diff] [blame]32extern struct nc_client_opts client_opts;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]33static struct nc_client_tls_opts tls_opts;
34static struct nc_client_tls_opts tls_ch_opts;
35
36static int tlsauth_ch;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]37
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]38#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
39
40static int
41tlsauth_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
42{
43 X509_STORE_CTX *store_ctx;
44 X509_OBJECT *obj;
45 X509_NAME *subject, *issuer;
46 X509 *cert;
47 X509_CRL *crl;
48 X509_REVOKED *revoked;
49 EVP_PKEY *pubkey;
50 int i, n, rc;
51 const ASN1_TIME *next_update = NULL;
52 struct nc_client_tls_opts *opts;
53
54 if (!preverify_ok) {
55 return 0;
56 }
57
58 opts = (tlsauth_ch ? &tls_ch_opts : &tls_opts);
59
60 if (!opts->crl_store) {
61 /* nothing to check */
62 return 1;
63 }
64
65 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
66 subject = X509_get_subject_name(cert);
67 issuer = X509_get_issuer_name(cert);
68
69 /* try to retrieve a CRL corresponding to the _subject_ of
70 * the current certificate in order to verify it's integrity */
71 store_ctx = X509_STORE_CTX_new();
72 obj = X509_OBJECT_new();
73 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
74 rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
75 X509_STORE_CTX_free(store_ctx);
76 crl = X509_OBJECT_get0_X509_CRL(obj);
77 if (rc > 0 && crl) {
78 next_update = X509_CRL_get0_nextUpdate(crl);
79
80 /* verify the signature on this CRL */
81 pubkey = X509_get_pubkey(cert);
82 if (X509_CRL_verify(crl, pubkey) <= 0) {
83 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
84 X509_OBJECT_free(obj);
85 if (pubkey) {
86 EVP_PKEY_free(pubkey);
87 }
88 return 0; /* fail */
89 }
90 if (pubkey) {
91 EVP_PKEY_free(pubkey);
92 }
93
94 /* check date of CRL to make sure it's not expired */
95 if (!next_update) {
96 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
97 X509_OBJECT_free(obj);
98 return 0; /* fail */
99 }
100 if (X509_cmp_current_time(next_update) < 0) {
101 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
102 X509_OBJECT_free(obj);
103 return 0; /* fail */
104 }
105 X509_OBJECT_free(obj);
106 }
107
108 /* try to retrieve a CRL corresponding to the _issuer_ of
109 * the current certificate in order to check for revocation */
110 store_ctx = X509_STORE_CTX_new();
111 obj = X509_OBJECT_new();
112 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
113 rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
114 X509_STORE_CTX_free(store_ctx);
115 crl = X509_OBJECT_get0_X509_CRL(obj);
116 if (rc > 0 && crl) {
117 /* check if the current certificate is revoked by this CRL */
118 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
119 for (i = 0; i < n; i++) {
120 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
121 if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), X509_get_serialNumber(cert)) == 0) {
122 ERR("Certificate revoked!");
123 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
124 X509_OBJECT_free(obj);
125 return 0; /* fail */
126 }
127 }
128 X509_OBJECT_free(obj);
129 }
130
131 return 1; /* success */
132}
133
134#else
135
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]136static int
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]137tlsauth_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]138{
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]139 X509_STORE_CTX store_ctx;
140 X509_OBJECT obj;
141 X509_NAME *subject, *issuer;
142 X509 *cert;
143 X509_CRL *crl;
144 X509_REVOKED *revoked;
145 EVP_PKEY *pubkey;
146 int i, n, rc;
147 ASN1_TIME *next_update = NULL;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]148 struct nc_client_tls_opts *opts;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]149
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]150 if (!preverify_ok) {
151 return 0;
152 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]153
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]154 opts = (tlsauth_ch ? &tls_ch_opts : &tls_opts);
155
156 if (!opts->crl_store) {
157 /* nothing to check */
158 return 1;
159 }
160
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]161 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
162 subject = X509_get_subject_name(cert);
163 issuer = X509_get_issuer_name(cert);
164
165 /* try to retrieve a CRL corresponding to the _subject_ of
166 * the current certificate in order to verify it's integrity */
167 memset((char *)&obj, 0, sizeof obj);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]168 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]169 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
170 X509_STORE_CTX_cleanup(&store_ctx);
171 crl = obj.data.crl;
172 if (rc > 0 && crl) {
173 next_update = X509_CRL_get_nextUpdate(crl);
174
175 /* verify the signature on this CRL */
176 pubkey = X509_get_pubkey(cert);
177 if (X509_CRL_verify(crl, pubkey) <= 0) {
178 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
179 X509_OBJECT_free_contents(&obj);
180 if (pubkey) {
181 EVP_PKEY_free(pubkey);
182 }
183 return 0; /* fail */
184 }
185 if (pubkey) {
186 EVP_PKEY_free(pubkey);
187 }
188
189 /* check date of CRL to make sure it's not expired */
190 if (!next_update) {
191 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
192 X509_OBJECT_free_contents(&obj);
193 return 0; /* fail */
194 }
195 if (X509_cmp_current_time(next_update) < 0) {
196 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
197 X509_OBJECT_free_contents(&obj);
198 return 0; /* fail */
199 }
200 X509_OBJECT_free_contents(&obj);
201 }
202
203 /* try to retrieve a CRL corresponding to the _issuer_ of
204 * the current certificate in order to check for revocation */
205 memset((char *)&obj, 0, sizeof obj);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]206 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]207 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
208 X509_STORE_CTX_cleanup(&store_ctx);
209 crl = obj.data.crl;
210 if (rc > 0 && crl) {
211 /* check if the current certificate is revoked by this CRL */
212 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
213 for (i = 0; i < n; i++) {
214 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
215 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
216 ERR("Certificate revoked!");
217 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
218 X509_OBJECT_free_contents(&obj);
219 return 0; /* fail */
220 }
221 }
222 X509_OBJECT_free_contents(&obj);
223 }
224
225 return 1; /* success */
226}
227
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]228#endif
229
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]230static void
231_nc_client_tls_destroy_opts(struct nc_client_tls_opts *opts)
232{
233 free(opts->cert_path);
234 free(opts->key_path);
235 free(opts->ca_file);
236 free(opts->ca_dir);
237 SSL_CTX_free(opts->tls_ctx);
238
239 free(opts->crl_file);
240 free(opts->crl_dir);
241 X509_STORE_free(opts->crl_store);
242}
243
Michal Vaskob7558c52016-02-26 15:04:19 +0100[diff] [blame]244void
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]245nc_client_tls_destroy_opts(void)
246{
247 _nc_client_tls_destroy_opts(&tls_opts);
248 _nc_client_tls_destroy_opts(&tls_ch_opts);
249}
250
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]251static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]252_nc_client_tls_set_cert_key_paths(const char *client_cert, const char *client_key, struct nc_client_tls_opts *opts)
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]253{
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]254 if (!client_cert) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]255 ERRARG("client_cert");
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]256 return -1;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]257 }
258
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]259 free(opts->cert_path);
260 free(opts->key_path);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]261
Michal Vasko9db2a6f2016-02-01 13:26:03 +0100[diff] [blame]262 opts->cert_path = strdup(client_cert);
263 if (!opts->cert_path) {
264 ERRMEM;
265 return -1;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]266 }
267
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]268 if (client_key) {
269 opts->key_path = strdup(client_key);
Michal Vasko9db2a6f2016-02-01 13:26:03 +0100[diff] [blame]270 if (!opts->key_path) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]271 ERRMEM;
272 return -1;
273 }
274 } else {
275 opts->key_path = NULL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]276 }
277
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]278 opts->tls_ctx_change = 1;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]279
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]280 return 0;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]281}
282
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]283API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]284nc_client_tls_set_cert_key_paths(const char *client_cert, const char *client_key)
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]285{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]286 return _nc_client_tls_set_cert_key_paths(client_cert, client_key, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]287}
288
289API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]290nc_client_tls_ch_set_cert_key_paths(const char *client_cert, const char *client_key)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]291{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]292 return _nc_client_tls_set_cert_key_paths(client_cert, client_key, &tls_ch_opts);
293}
294
295static void
296_nc_client_tls_get_cert_key_paths(const char **client_cert, const char **client_key, struct nc_client_tls_opts *opts)
297{
298 if (!client_cert && !client_key) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]299 ERRARG("client_cert and client_key");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]300 return;
301 }
302
303 if (client_cert) {
304 *client_cert = opts->cert_path;
305 }
306 if (client_key) {
307 *client_key = opts->key_path;
308 }
309}
310
311API void
312nc_client_tls_get_cert_key_paths(const char **client_cert, const char **client_key)
313{
314 _nc_client_tls_get_cert_key_paths(client_cert, client_key, &tls_opts);
315}
316
317API void
318nc_client_tls_ch_get_cert_key_paths(const char **client_cert, const char **client_key)
319{
320 _nc_client_tls_get_cert_key_paths(client_cert, client_key, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]321}
322
323static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]324_nc_client_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_client_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]325{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]326 if (!ca_file && !ca_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]327 ERRARG("ca_file and ca_dir");
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]328 return -1;
329 }
330
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]331 free(opts->ca_file);
332 free(opts->ca_dir);
333
334 if (ca_file) {
335 opts->ca_file = strdup(ca_file);
336 if (!opts->ca_file) {
337 ERRMEM;
338 return -1;
339 }
340 } else {
341 opts->ca_file = NULL;
342 }
343
344 if (ca_dir) {
345 opts->ca_dir = strdup(ca_dir);
346 if (!opts->ca_dir) {
347 ERRMEM;
348 return -1;
349 }
350 } else {
351 opts->ca_dir = NULL;
352 }
353
354 opts->tls_ctx_change = 1;
355
356 return 0;
357}
358
359API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]360nc_client_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]361{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]362 return _nc_client_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]363}
364
365API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]366nc_client_tls_ch_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]367{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]368 return _nc_client_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
369}
370
371static void
372_nc_client_tls_get_trusted_ca_paths(const char **ca_file, const char **ca_dir, struct nc_client_tls_opts *opts)
373{
374 if (!ca_file && !ca_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]375 ERRARG("ca_file and ca_dir");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]376 return;
377 }
378
379 if (ca_file) {
380 *ca_file = opts->ca_file;
381 }
382 if (ca_dir) {
383 *ca_dir = opts->ca_dir;
384 }
385}
386
387API void
388nc_client_tls_get_trusted_ca_paths(const char **ca_file, const char **ca_dir)
389{
390 _nc_client_tls_get_trusted_ca_paths(ca_file, ca_dir, &tls_opts);
391}
392
393API void
394nc_client_tls_ch_get_trusted_ca_paths(const char **ca_file, const char **ca_dir)
395{
396 _nc_client_tls_get_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]397}
398
399static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]400_nc_client_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_client_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]401{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]402 if (!crl_file && !crl_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]403 ERRARG("crl_file and crl_dir");
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]404 return -1;
405 }
406
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]407 free(opts->crl_file);
408 free(opts->crl_dir);
409
410 if (crl_file) {
411 opts->crl_file = strdup(crl_file);
412 if (!opts->crl_file) {
413 ERRMEM;
414 return -1;
415 }
416 } else {
417 opts->crl_file = NULL;
418 }
419
420 if (crl_dir) {
421 opts->crl_dir = strdup(crl_dir);
422 if (!opts->crl_dir) {
423 ERRMEM;
424 return -1;
425 }
426 } else {
427 opts->crl_dir = NULL;
428 }
429
430 opts->crl_store_change = 1;
431
432 return 0;
433}
434
435API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]436nc_client_tls_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]437{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]438 return _nc_client_tls_set_crl_paths(crl_file, crl_dir, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]439}
440
441API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]442nc_client_tls_ch_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]443{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]444 return _nc_client_tls_set_crl_paths(crl_file, crl_dir, &tls_ch_opts);
445}
446
447static void
448_nc_client_tls_get_crl_paths(const char **crl_file, const char **crl_dir, struct nc_client_tls_opts *opts)
449{
450 if (!crl_file && !crl_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]451 ERRARG("crl_file and crl_dir");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]452 return;
453 }
454
455 if (crl_file) {
456 *crl_file = opts->crl_file;
457 }
458 if (crl_dir) {
459 *crl_dir = opts->crl_dir;
460 }
461}
462
463API void
464nc_client_tls_get_crl_paths(const char **crl_file, const char **crl_dir)
465{
466 _nc_client_tls_get_crl_paths(crl_file, crl_dir, &tls_opts);
467}
468
469API void
470nc_client_tls_ch_get_crl_paths(const char **crl_file, const char **crl_dir)
471{
472 _nc_client_tls_get_crl_paths(crl_file, crl_dir, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]473}
474
475API int
476nc_client_tls_ch_add_bind_listen(const char *address, uint16_t port)
477{
478 return nc_client_ch_add_bind_listen(address, port, NC_TI_OPENSSL);
479}
480
481API int
482nc_client_tls_ch_del_bind(const char *address, uint16_t port)
483{
484 return nc_client_ch_del_bind(address, port, NC_TI_OPENSSL);
485}
486
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]487static int
Michal Vaskoaf58cd92016-01-28 11:56:02 +0100[diff] [blame]488nc_client_tls_update_opts(struct nc_client_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]489{
490 char *key;
491 X509_LOOKUP *lookup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]492
493 if (!opts->tls_ctx || opts->tls_ctx_change) {
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]494 SSL_CTX_free(opts->tls_ctx);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]495
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]496#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
497 /* prepare global SSL context, highest available method is negotiated autmatically */
498 if (!(opts->tls_ctx = SSL_CTX_new(TLS_client_method())))
499#else
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]500 /* prepare global SSL context, allow only mandatory TLS 1.2 */
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]501 if (!(opts->tls_ctx = SSL_CTX_new(TLSv1_2_client_method())))
502#endif
503 {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]504 ERR("Unable to create OpenSSL context (%s).", ERR_reason_error_string(ERR_get_error()));
505 return -1;
506 }
507 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER, tlsauth_verify_callback);
508
509 /* get peer certificate */
510 if (SSL_CTX_use_certificate_file(opts->tls_ctx, opts->cert_path, SSL_FILETYPE_PEM) != 1) {
511 ERR("Loading the client certificate from \'%s\' failed (%s).", opts->cert_path, ERR_reason_error_string(ERR_get_error()));
512 return -1;
513 }
514
515 /* if the file with private key not specified, expect that the private key is stored with the certificate */
516 if (!opts->key_path) {
517 key = opts->cert_path;
518 } else {
519 key = opts->key_path;
520 }
521 if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) {
522 ERR("Loading the client priavte key from \'%s\' failed (%s).", key, ERR_reason_error_string(ERR_get_error()));
523 return -1;
524 }
525
526 if (!SSL_CTX_load_verify_locations(opts->tls_ctx, opts->ca_file, opts->ca_dir)) {
527 ERR("Failed to load the locations of trusted CA certificates (%s).", ERR_reason_error_string(ERR_get_error()));
528 return -1;
529 }
530 }
531
532 if (opts->crl_store_change || (!opts->crl_store && (opts->crl_file || opts->crl_dir))) {
533 /* set the revocation store with the correct paths for the callback */
534 X509_STORE_free(opts->crl_store);
535
536 opts->crl_store = X509_STORE_new();
537 if (!opts->crl_store) {
538 ERR("Unable to create a certificate store (%s).", ERR_reason_error_string(ERR_get_error()));
539 return -1;
540 }
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]541
542#if OPENSSL_VERSION_NUMBER < 0x10100000L // < 1.1.0
543 /* whaveter this does... */
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]544 opts->crl_store->cache = 0;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]545#endif
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]546
547 if (opts->crl_file) {
548 if (!(lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file()))) {
549 ERR("Failed to add lookup method to CRL checking.");
550 return -1;
551 }
552 if (X509_LOOKUP_add_dir(lookup, opts->crl_file, X509_FILETYPE_PEM) != 1) {
553 ERR("Failed to add the revocation lookup file \"%s\".", opts->crl_file);
554 return -1;
555 }
556 }
557
558 if (opts->crl_dir) {
559 if (!(lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir()))) {
560 ERR("Failed to add lookup method to CRL checking.");
561 return -1;
562 }
563 if (X509_LOOKUP_add_dir(lookup, opts->crl_dir, X509_FILETYPE_PEM) != 1) {
564 ERR("Failed to add the revocation lookup directory \"%s\".", opts->crl_dir);
565 return -1;
566 }
567 }
568 }
569
570 return 0;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]571}
572
573API struct nc_session *
Michal Vasko9bee18d2015-12-08 14:41:42 +0100[diff] [blame]574nc_connect_tls(const char *host, unsigned short port, struct ly_ctx *ctx)
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]575{
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]576 struct nc_session *session = NULL;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]577 int sock, verify, ret;
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]578 struct timespec ts_timeout, ts_cur;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]579
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]580 if (!tls_opts.cert_path || (!tls_opts.ca_file && !tls_opts.ca_dir)) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]581 ERRINIT;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]582 return NULL;
583 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]584
585 /* process parameters */
586 if (!host || strisempty(host)) {
587 host = "localhost";
588 }
589
590 if (!port) {
591 port = NC_PORT_TLS;
592 }
593
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]594 /* create/update TLS structures */
Michal Vaskoaf58cd92016-01-28 11:56:02 +0100[diff] [blame]595 if (nc_client_tls_update_opts(&tls_opts)) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]596 return NULL;
597 }
598
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]599 /* prepare session structure */
Michal Vaskoade892d2017-02-22 13:40:35 +0100[diff] [blame^]600 session = nc_new_session(0);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]601 if (!session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]602 ERRMEM;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]603 return NULL;
604 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]605 session->status = NC_STATUS_STARTING;
606 session->side = NC_CLIENT;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]607
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]608 /* transport lock */
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]609 pthread_mutex_init(session->ti_lock, NULL);
Michal Vaskoade892d2017-02-22 13:40:35 +0100[diff] [blame^]610 pthread_cond_init(session->ti_cond, NULL);
611 *session->ti_inuse = 0;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]612
613 /* fill the session */
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]614 session->ti_type = NC_TI_OPENSSL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]615 if (!(session->ti.tls = SSL_new(tls_opts.tls_ctx))) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]616 ERR("Failed to create a new TLS session structure (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]617 goto fail;
618 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]619
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]620 /* create and assign socket */
Michal Vaskof05562c2016-01-20 12:06:43 +0100[diff] [blame]621 sock = nc_sock_connect(host, port);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]622 if (sock == -1) {
Michal Vasko29af44b2016-10-13 10:59:55 +0200[diff] [blame]623 ERR("Unable to connect to %s:%u (%s).", host, port, strerror(errno));
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]624 goto fail;
625 }
626 SSL_set_fd(session->ti.tls, sock);
627
628 /* set the SSL_MODE_AUTO_RETRY flag to allow OpenSSL perform re-handshake automatically */
629 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
630
631 /* connect and perform the handshake */
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]632 nc_gettimespec(&ts_timeout);
633 nc_addtimespec(&ts_timeout, NC_TRANSPORT_TIMEOUT);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]634 tlsauth_ch = 0;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]635 while (((ret = SSL_connect(session->ti.tls)) == -1) && (SSL_get_error(session->ti.tls, ret) == SSL_ERROR_WANT_READ)) {
636 usleep(NC_TIMEOUT_STEP);
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]637 nc_gettimespec(&ts_cur);
638 if (nc_difftimespec(&ts_cur, &ts_timeout) < 1) {
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]639 ERR("SSL_connect timeout.");
640 goto fail;
641 }
642 }
643 if (ret != 1) {
644 switch (SSL_get_error(session->ti.tls, ret)) {
645 case SSL_ERROR_SYSCALL:
646 ERR("SSL_connect failed (%s).", strerror(errno));
647 break;
648 case SSL_ERROR_SSL:
649 ERR("SSL_connect failed (%s).", ERR_reason_error_string(ERR_get_error()));
650 break;
651 default:
652 ERR("SSL_connect failed.");
653 break;
654 }
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]655 goto fail;
656 }
657
658 /* check certificate verification result */
659 verify = SSL_get_verify_result(session->ti.tls);
660 switch (verify) {
661 case X509_V_OK:
662 VRB("Server certificate successfully verified.");
663 break;
664 default:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]665 WRN("Server certificate verification problem (%s).", X509_verify_cert_error_string(verify));
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]666 }
667
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]668 /* assign context (dicionary needed for handshake) */
669 if (!ctx) {
Michal Vaskodaf9a092016-02-09 10:42:05 +0100[diff] [blame]670 if (client_opts.schema_searchpath) {
671 ctx = ly_ctx_new(client_opts.schema_searchpath);
672 } else {
673 ctx = ly_ctx_new(SCHEMAS_DIR);
674 }
Michal Vaskoe035b8e2016-03-11 10:10:03 +0100[diff] [blame]675 /* definitely should not happen, but be ready */
676 if (!ctx && !(ctx = ly_ctx_new(NULL))) {
677 /* that's just it */
678 goto fail;
679 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]680 } else {
681 session->flags |= NC_SESSION_SHAREDCTX;
682 }
683 session->ctx = ctx;
684
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]685 /* NETCONF handshake */
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]686 if (nc_handshake(session) != NC_MSG_HELLO) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]687 goto fail;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]688 }
Michal Vaskoad611702015-12-03 13:41:51 +0100[diff] [blame]689 session->status = NC_STATUS_RUNNING;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]690
Michal Vaskoef578332016-01-25 13:20:09 +0100[diff] [blame]691 if (nc_ctx_check_and_fill(session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +0100[diff] [blame]692 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]693 }
694
695 /* store information into session and the dictionary */
696 session->host = lydict_insert(ctx, host, 0);
697 session->port = port;
Michal Vasko9bee18d2015-12-08 14:41:42 +0100[diff] [blame]698 session->username = lydict_insert(ctx, "certificate-based", 0);
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]699
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]700 return session;
701
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]702fail:
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100[diff] [blame]703 nc_session_free(session, NULL);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]704 return NULL;
705}
706
707API struct nc_session *
708nc_connect_libssl(SSL *tls, struct ly_ctx *ctx)
709{
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]710 struct nc_session *session;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]711
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]712 if (!tls) {
713 ERRARG("tls");
714 return NULL;
715 } else if (!SSL_is_init_finished(tls)) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]716 ERR("Supplied TLS session is not fully connected!");
717 return NULL;
718 }
719
720 /* prepare session structure */
Michal Vaskoade892d2017-02-22 13:40:35 +0100[diff] [blame^]721 session = nc_new_session(0);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]722 if (!session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]723 ERRMEM;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]724 return NULL;
725 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]726 session->status = NC_STATUS_STARTING;
727 session->side = NC_CLIENT;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]728
729 /* transport lock */
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]730 pthread_mutex_init(session->ti_lock, NULL);
Michal Vaskoade892d2017-02-22 13:40:35 +0100[diff] [blame^]731 pthread_cond_init(session->ti_cond, NULL);
732 *session->ti_inuse = 0;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]733
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]734 session->ti_type = NC_TI_OPENSSL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]735 session->ti.tls = tls;
736
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]737 /* assign context (dicionary needed for handshake) */
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]738 if (!ctx) {
Michal Vaskodaf9a092016-02-09 10:42:05 +0100[diff] [blame]739 if (client_opts.schema_searchpath) {
740 ctx = ly_ctx_new(client_opts.schema_searchpath);
741 } else {
742 ctx = ly_ctx_new(SCHEMAS_DIR);
743 }
Michal Vaskoe035b8e2016-03-11 10:10:03 +0100[diff] [blame]744 /* definitely should not happen, but be ready */
745 if (!ctx && !(ctx = ly_ctx_new(NULL))) {
746 /* that's just it */
747 goto fail;
748 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]749 } else {
750 session->flags |= NC_SESSION_SHAREDCTX;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]751 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]752 session->ctx = ctx;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]753
754 /* NETCONF handshake */
Michal Vasko71090fc2016-05-24 16:37:28 +0200[diff] [blame]755 if (nc_handshake(session) != NC_MSG_HELLO) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]756 goto fail;
757 }
Michal Vaskoad611702015-12-03 13:41:51 +0100[diff] [blame]758 session->status = NC_STATUS_RUNNING;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]759
Michal Vaskoef578332016-01-25 13:20:09 +0100[diff] [blame]760 if (nc_ctx_check_and_fill(session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +0100[diff] [blame]761 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]762 }
763
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]764 return session;
765
766fail:
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100[diff] [blame]767 nc_session_free(session, NULL);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]768 return NULL;
769}
770
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]771struct nc_session *
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]772nc_accept_callhome_tls_sock(int sock, const char *host, uint16_t port, struct ly_ctx *ctx, int timeout)
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]773{
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]774 int verify, ret;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]775 SSL *tls;
776 struct nc_session *session;
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]777 struct timespec ts_timeout, ts_cur;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]778
Michal Vaskoaf58cd92016-01-28 11:56:02 +0100[diff] [blame]779 if (nc_client_tls_update_opts(&tls_ch_opts)) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]780 close(sock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]781 return NULL;
782 }
783
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]784 if (!(tls = SSL_new(tls_ch_opts.tls_ctx))) {
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]785 ERR("Failed to create new TLS session structure (%s).", ERR_reason_error_string(ERR_get_error()));
786 close(sock);
787 return NULL;
788 }
789
790 SSL_set_fd(tls, sock);
791
792 /* set the SSL_MODE_AUTO_RETRY flag to allow OpenSSL perform re-handshake automatically */
793 SSL_set_mode(tls, SSL_MODE_AUTO_RETRY);
794
795 /* connect and perform the handshake */
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]796 if (timeout > -1) {
797 nc_gettimespec(&ts_timeout);
798 nc_addtimespec(&ts_timeout, timeout);
799 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]800 tlsauth_ch = 1;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]801 while (((ret = SSL_connect(tls)) == -1) && (SSL_get_error(tls, ret) == SSL_ERROR_WANT_READ)) {
802 usleep(NC_TIMEOUT_STEP);
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]803 if (timeout > -1) {
804 nc_gettimespec(&ts_cur);
805 if (nc_difftimespec(&ts_cur, &ts_timeout) < 1) {
806 ERR("SSL_connect timeout.");
807 SSL_free(tls);
808 return NULL;
809 }
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]810 }
811 }
812 if (ret != 1) {
813 switch (SSL_get_error(tls, ret)) {
814 case SSL_ERROR_SYSCALL:
815 ERR("SSL_connect failed (%s).", strerror(errno));
816 break;
817 case SSL_ERROR_SSL:
818 ERR("SSL_connect failed (%s).", ERR_reason_error_string(ERR_get_error()));
819 break;
820 default:
821 ERR("SSL_connect failed.");
822 break;
823 }
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]824 SSL_free(tls);
825 return NULL;
826 }
827
828 /* check certificate verification result */
829 verify = SSL_get_verify_result(tls);
830 switch (verify) {
831 case X509_V_OK:
832 VRB("Server certificate successfully verified.");
833 break;
834 default:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]835 WRN("Server certificate verification problem (%s).", X509_verify_cert_error_string(verify));
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]836 }
837
838 session = nc_connect_libssl(tls, ctx);
839 if (session) {
Michal Vasko4282fae2016-02-18 10:03:42 +0100[diff] [blame]840 session->flags |= NC_SESSION_CALLHOME;
841
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]842 /* store information into session and the dictionary */
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]843 session->host = lydict_insert(session->ctx, host, 0);
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]844 session->port = port;
845 session->username = lydict_insert(session->ctx, "certificate-based", 0);
846 }
847
848 return session;
849}