blob: ecfa9ce6c8e3a31d36eba3f5486f6e56461719d0 [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +02001/**
Michal Vasko95ea9ff2021-11-09 12:29:14 +01002 * @file session_server_tls.c
3 * @author Michal Vasko <mvasko@cesnet.cz>
4 * @brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +02005 *
Michal Vasko95ea9ff2021-11-09 12:29:14 +01006 * @copyright
7 * Copyright (c) 2015 - 2021 CESNET, z.s.p.o.
Radek Krejci5da708a2015-09-01 17:33:23 +02008 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +01009 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +010012 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +010013 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci5da708a2015-09-01 17:33:23 +020014 */
15
Michal Vaskoc14e3c82016-01-11 16:14:30 +010016#define _GNU_SOURCE
17
Michal Vaskoc14e3c82016-01-11 16:14:30 +010018#include <poll.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +020019#include <string.h>
Michal Vaskof0537d82016-01-29 14:42:38 +010020#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +010021
Michal Vaskoc14e3c82016-01-11 16:14:30 +010022#include <openssl/err.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +020023#include <openssl/evp.h>
24#include <openssl/ssl.h>
Michal Vaskoe2713da2016-08-22 16:06:40 +020025#include <openssl/x509.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +020026#include <openssl/x509v3.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +010027
Michal Vasko316c9632020-04-15 11:06:57 +020028#include "compat.h"
Michal Vaskob83a3fa2021-05-26 09:53:42 +020029#include "libnetconf.h"
Michal Vasko11d142a2016-01-19 15:58:24 +010030#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +010031#include "session_server_ch.h"
Radek Krejci5da708a2015-09-01 17:33:23 +020032
Rosen Penev4f552d62019-06-26 16:10:43 -070033#if OPENSSL_VERSION_NUMBER < 0x10100000L
34#define X509_STORE_CTX_get_by_subject X509_STORE_get_by_subject
35#endif
36
Michal Vasko3031aae2016-01-27 16:07:18 +010037struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +010038pthread_mutex_t tls_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vaskoc14e3c82016-01-11 16:14:30 +010039extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +010040
Michal Vasko5c2f7952016-01-22 13:16:31 +010041static pthread_key_t verify_key;
42static pthread_once_t verify_once = PTHREAD_ONCE_INIT;
43
Michal Vaskoc14e3c82016-01-11 16:14:30 +010044static char *
Michal Vasko18aeb5d2017-02-17 09:23:56 +010045asn1time_to_str(const ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +010046{
Michal Vaskoc14e3c82016-01-11 16:14:30 +010047 char *cp;
48 BIO *bio;
49 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +020050
Michal Vaskoc14e3c82016-01-11 16:14:30 +010051 if (!t) {
52 return NULL;
53 }
54 bio = BIO_new(BIO_s_mem());
55 if (!bio) {
56 return NULL;
57 }
58 ASN1_TIME_print(bio, t);
59 n = BIO_pending(bio);
60 cp = malloc(n + 1);
Michal Vasko4eb3c312016-03-01 14:09:37 +010061 if (!cp) {
62 ERRMEM;
63 BIO_free(bio);
64 return NULL;
65 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +010066 n = BIO_read(bio, cp, n);
67 if (n < 0) {
68 BIO_free(bio);
69 free(cp);
70 return NULL;
71 }
72 cp[n] = '\0';
73 BIO_free(bio);
74 return cp;
75}
76
77static void
78digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
79{
80 unsigned int i;
81
82 *str = malloc(dig_len * 3);
Michal Vasko4eb3c312016-03-01 14:09:37 +010083 if (!*str) {
84 ERRMEM;
85 return;
86 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +010087 for (i = 0; i < dig_len - 1; ++i) {
88 sprintf((*str) + (i * 3), "%02x:", digest[i]);
89 }
90 sprintf((*str) + (i * 3), "%02x", digest[i]);
91}
92
93/* return NULL - SSL error can be retrieved */
94static X509 *
95base64der_to_cert(const char *in)
96{
97 X509 *out;
98 char *buf;
99 BIO *bio;
100
101 if (in == NULL) {
102 return NULL;
103 }
104
105 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
106 return NULL;
107 }
108 bio = BIO_new_mem_buf(buf, strlen(buf));
109 if (!bio) {
110 free(buf);
111 return NULL;
112 }
113
114 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
115 if (!out) {
116 free(buf);
117 BIO_free(bio);
118 return NULL;
119 }
120
121 free(buf);
122 BIO_free(bio);
123 return out;
124}
125
126/* return NULL - either errno or SSL error */
127static X509 *
128pem_to_cert(const char *path)
129{
130 FILE *fp;
131 X509 *out;
132
133 fp = fopen(path, "r");
134 if (!fp) {
135 return NULL;
136 }
137
138 out = PEM_read_X509(fp, NULL, NULL, NULL);
139 fclose(fp);
140 return out;
141}
142
Michal Vasko6e08cb72017-02-02 11:15:29 +0100143static EVP_PKEY *
Michal Vaskoddce1212019-05-24 09:58:49 +0200144base64der_to_privatekey(const char *in, const char *key_str)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100145{
146 EVP_PKEY *out;
147 char *buf;
148 BIO *bio;
149
150 if (in == NULL) {
151 return NULL;
152 }
153
Michal Vaskoddce1212019-05-24 09:58:49 +0200154 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", key_str, " PRIVATE KEY-----\n", in, "\n-----END ",
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200155 key_str, " PRIVATE KEY-----") == -1) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100156 return NULL;
157 }
158 bio = BIO_new_mem_buf(buf, strlen(buf));
159 if (!bio) {
160 free(buf);
161 return NULL;
162 }
163
164 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
165 if (!out) {
166 free(buf);
167 BIO_free(bio);
168 return NULL;
169 }
170
171 free(buf);
172 BIO_free(bio);
173 return out;
Michal Vasko6e08cb72017-02-02 11:15:29 +0100174}
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100175
176static int
177cert_pubkey_match(X509 *cert1, X509 *cert2)
178{
179 ASN1_BIT_STRING *bitstr1, *bitstr2;
180
181 bitstr1 = X509_get0_pubkey_bitstr(cert1);
182 bitstr2 = X509_get0_pubkey_bitstr(cert2);
183
184 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
185 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
186 return 0;
187 }
188
189 return 1;
190}
191
192static int
193nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
194{
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200195 STACK_OF(GENERAL_NAME) * san_names;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100196 GENERAL_NAME *san_name;
197 ASN1_OCTET_STRING *ip;
198 int i, san_count;
199 char *subject, *common_name;
200
201 if (map_type == NC_TLS_CTN_COMMON_NAME) {
202 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
203 common_name = strstr(subject, "CN=");
204 if (!common_name) {
Michal Vasko05532772021-06-03 12:12:38 +0200205 WRN(NULL, "Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100206 free(subject);
207 return 1;
208 }
209 common_name += 3;
210 if (strchr(common_name, '/')) {
211 *strchr(common_name, '/') = '\0';
212 }
213 *username = strdup(common_name);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100214 if (!*username) {
215 ERRMEM;
216 return 1;
217 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100218 free(subject);
219 } else {
220 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
221 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
222 if (!san_names) {
Michal Vasko05532772021-06-03 12:12:38 +0200223 WRN(NULL, "Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100224 return 1;
225 }
226
227 san_count = sk_GENERAL_NAME_num(san_names);
228 for (i = 0; i < san_count; ++i) {
229 san_name = sk_GENERAL_NAME_value(san_names, i);
230
231 /* rfc822Name (email) */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200232 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_RFC822_NAME)) &&
233 (san_name->type == GEN_EMAIL)) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100234#if OPENSSL_VERSION_NUMBER < 0x10100000L // < 1.1.0
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100235 *username = strdup((char *)ASN1_STRING_data(san_name->d.rfc822Name));
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100236#else
237 *username = strdup((char *)ASN1_STRING_get0_data(san_name->d.rfc822Name));
238#endif
Michal Vasko4eb3c312016-03-01 14:09:37 +0100239 if (!*username) {
240 ERRMEM;
241 return 1;
242 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100243 break;
244 }
245
246 /* dNSName */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200247 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_DNS_NAME)) &&
248 (san_name->type == GEN_DNS)) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100249#if OPENSSL_VERSION_NUMBER < 0x10100000L // < 1.1.0
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100250 *username = strdup((char *)ASN1_STRING_data(san_name->d.dNSName));
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100251#else
252 *username = strdup((char *)ASN1_STRING_get0_data(san_name->d.dNSName));
253#endif
Michal Vasko4eb3c312016-03-01 14:09:37 +0100254 if (!*username) {
255 ERRMEM;
256 return 1;
257 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100258 break;
259 }
260
261 /* iPAddress */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200262 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_IP_ADDRESS)) &&
263 (san_name->type == GEN_IPADD)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100264 ip = san_name->d.iPAddress;
265 if (ip->length == 4) {
266 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100267 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100268 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
269 return -1;
270 }
271 break;
272 } else if (ip->length == 16) {
273 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
274 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
275 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
276 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100277 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100278 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
279 return -1;
280 }
281 break;
282 } else {
Michal Vasko05532772021-06-03 12:12:38 +0200283 WRN(NULL, "SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100284 }
285 }
286 }
287 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
288
Vitaly Kuzina3b66322021-08-26 12:33:43 +0300289 if (i == san_count) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100290 switch (map_type) {
291 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vasko05532772021-06-03 12:12:38 +0200292 WRN(NULL, "Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100293 break;
294 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vasko05532772021-06-03 12:12:38 +0200295 WRN(NULL, "Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100296 break;
297 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vasko05532772021-06-03 12:12:38 +0200298 WRN(NULL, "Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100299 break;
300 case NC_TLS_CTN_SAN_ANY:
Michal Vasko05532772021-06-03 12:12:38 +0200301 WRN(NULL, "Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100302 break;
303 default:
304 break;
305 }
306 return 1;
307 }
308 }
309
310 return 0;
311}
312
313/* return: 0 - OK, 1 - no match, -1 - error */
314static int
Michal Vaskoc61c4492016-01-25 11:13:34 +0100315nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100316{
317 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
318 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100319 unsigned char *buf = malloc(64);
320 unsigned int buf_len = 64;
321 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100322 struct nc_ctn *ctn;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100323
Michal Vasko4eb3c312016-03-01 14:09:37 +0100324 if (!buf) {
325 ERRMEM;
326 return -1;
327 }
328
Michal Vaskoc61c4492016-01-25 11:13:34 +0100329 if (!ctn_first || !cert || !map_type || !name) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100330 free(buf);
331 return -1;
332 }
333
Michal Vaskoc61c4492016-01-25 11:13:34 +0100334 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100335 /* first make sure the entry is valid */
336 if (!ctn->fingerprint || !ctn->map_type || ((ctn->map_type == NC_TLS_CTN_SPECIFIED) && !ctn->name)) {
Michal Vasko05532772021-06-03 12:12:38 +0200337 VRB(NULL, "Cert verify CTN: entry with id %u not valid, skipping.", ctn->id);
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100338 continue;
339 }
340
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100341 /* MD5 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100342 if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100343 if (!digest_md5) {
344 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200345 ERR(NULL, "Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100346 ret = -1;
347 goto cleanup;
348 }
349 digest_to_str(buf, buf_len, &digest_md5);
350 }
351
Michal Vasko5e3f3392016-01-20 11:13:01 +0100352 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100353 /* we got ourselves a winner! */
Michal Vasko05532772021-06-03 12:12:38 +0200354 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100355 *map_type = ctn->map_type;
356 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
357 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100358 }
359 break;
360 }
361
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200362 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100363 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100364 if (!digest_sha1) {
365 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200366 ERR(NULL, "Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100367 ret = -1;
368 goto cleanup;
369 }
370 digest_to_str(buf, buf_len, &digest_sha1);
371 }
372
Michal Vasko5e3f3392016-01-20 11:13:01 +0100373 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100374 /* we got ourselves a winner! */
Michal Vasko05532772021-06-03 12:12:38 +0200375 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100376 *map_type = ctn->map_type;
377 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
378 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100379 }
380 break;
381 }
382
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200383 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100384 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100385 if (!digest_sha224) {
386 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200387 ERR(NULL, "Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100388 ret = -1;
389 goto cleanup;
390 }
391 digest_to_str(buf, buf_len, &digest_sha224);
392 }
393
Michal Vasko5e3f3392016-01-20 11:13:01 +0100394 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100395 /* we got ourselves a winner! */
Michal Vasko05532772021-06-03 12:12:38 +0200396 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100397 *map_type = ctn->map_type;
398 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
399 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100400 }
401 break;
402 }
403
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200404 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100405 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100406 if (!digest_sha256) {
407 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200408 ERR(NULL, "Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100409 ret = -1;
410 goto cleanup;
411 }
412 digest_to_str(buf, buf_len, &digest_sha256);
413 }
414
Michal Vasko5e3f3392016-01-20 11:13:01 +0100415 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100416 /* we got ourselves a winner! */
Michal Vasko05532772021-06-03 12:12:38 +0200417 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100418 *map_type = ctn->map_type;
419 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
420 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100421 }
422 break;
423 }
424
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200425 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100426 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100427 if (!digest_sha384) {
428 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200429 ERR(NULL, "Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100430 ret = -1;
431 goto cleanup;
432 }
433 digest_to_str(buf, buf_len, &digest_sha384);
434 }
435
Michal Vasko5e3f3392016-01-20 11:13:01 +0100436 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100437 /* we got ourselves a winner! */
Michal Vasko05532772021-06-03 12:12:38 +0200438 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100439 *map_type = ctn->map_type;
440 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
441 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100442 }
443 break;
444 }
445
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200446 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100447 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100448 if (!digest_sha512) {
449 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200450 ERR(NULL, "Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100451 ret = -1;
452 goto cleanup;
453 }
454 digest_to_str(buf, buf_len, &digest_sha512);
455 }
456
Michal Vasko5e3f3392016-01-20 11:13:01 +0100457 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100458 /* we got ourselves a winner! */
Michal Vasko05532772021-06-03 12:12:38 +0200459 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100460 *map_type = ctn->map_type;
461 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
462 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100463 }
464 break;
465 }
466
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200467 /* unknown */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100468 } else {
Michal Vasko05532772021-06-03 12:12:38 +0200469 WRN(NULL, "Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100470 }
471 }
472
Michal Vasko5e3f3392016-01-20 11:13:01 +0100473 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100474 ret = 1;
475 }
476
477cleanup:
478 free(digest_md5);
479 free(digest_sha1);
480 free(digest_sha224);
481 free(digest_sha256);
482 free(digest_sha384);
483 free(digest_sha512);
484 free(buf);
485 return ret;
486}
487
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100488#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
489
490static int
491nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
492{
493 X509_STORE_CTX *store_ctx;
494 X509_OBJECT *obj;
495 X509_NAME *subject;
496 X509_NAME *issuer;
497 X509 *cert;
498 X509_CRL *crl;
499 X509_REVOKED *revoked;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200500
501 STACK_OF(X509) * cert_stack;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100502 EVP_PKEY *pubkey;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200503 struct nc_session *session;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100504 struct nc_server_tls_opts *opts;
505 const ASN1_INTEGER *serial;
506 int i, n, rc, depth;
507 char *cp;
508 const char *username = NULL;
509 NC_TLS_CTN_MAPTYPE map_type = 0;
510 const ASN1_TIME *last_update = NULL, *next_update = NULL;
511
512 /* get the thread session */
513 session = pthread_getspecific(verify_key);
514 if (!session) {
515 ERRINT;
516 return 0;
517 }
518
519 opts = session->data;
520
521 /* get the last certificate, that is the peer (client) certificate */
522 if (!session->opts.server.client_cert) {
523 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
Andrew Langefeld62bc6712018-08-28 16:17:16 -0500524 session->opts.server.client_cert = sk_X509_value(cert_stack, 0);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100525 X509_up_ref(session->opts.server.client_cert);
526 sk_X509_pop_free(cert_stack, X509_free);
527 }
528
529 /* standard certificate verification failed, so a trusted client cert must match to continue */
530 if (!preverify_ok) {
531 subject = X509_get_subject_name(session->opts.server.client_cert);
532 cert_stack = X509_STORE_CTX_get1_certs(x509_ctx, subject);
533 if (cert_stack) {
534 for (i = 0; i < sk_X509_num(cert_stack); ++i) {
535 if (cert_pubkey_match(session->opts.server.client_cert, sk_X509_value(cert_stack, i))) {
536 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
537 * this callback will be called again with the same current certificate and preverify_ok == 1 */
Michal Vasko05532772021-06-03 12:12:38 +0200538 VRB(NULL, "Cert verify: fail (%s), but the client certificate is trusted, continuing.",
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200539 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100540 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
541 sk_X509_pop_free(cert_stack, X509_free);
542 return 1;
543 }
544 }
545 sk_X509_pop_free(cert_stack, X509_free);
546 }
547
Michal Vasko05532772021-06-03 12:12:38 +0200548 ERR(NULL, "Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100549 return 0;
550 }
551
552 /* print cert verify info */
553 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vasko05532772021-06-03 12:12:38 +0200554 VRB(NULL, "Cert verify: depth %d.", depth);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100555
556 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
557 subject = X509_get_subject_name(cert);
558 issuer = X509_get_issuer_name(cert);
559
560 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200561 VRB(NULL, "Cert verify: subject: %s.", cp);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100562 OPENSSL_free(cp);
563 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200564 VRB(NULL, "Cert verify: issuer: %s.", cp);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100565 OPENSSL_free(cp);
566
567 /* check for revocation if set */
568 if (opts->crl_store) {
569 /* try to retrieve a CRL corresponding to the _subject_ of
570 * the current certificate in order to verify it's integrity */
571 store_ctx = X509_STORE_CTX_new();
572 obj = X509_OBJECT_new();
573 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700574 rc = X509_STORE_CTX_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100575 X509_STORE_CTX_free(store_ctx);
576 crl = X509_OBJECT_get0_X509_CRL(obj);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200577 if ((rc > 0) && crl) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100578 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200579 VRB(NULL, "Cert verify CRL: issuer: %s.", cp);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100580 OPENSSL_free(cp);
581
582 last_update = X509_CRL_get0_lastUpdate(crl);
583 next_update = X509_CRL_get0_nextUpdate(crl);
584 cp = asn1time_to_str(last_update);
Michal Vasko05532772021-06-03 12:12:38 +0200585 VRB(NULL, "Cert verify CRL: last update: %s.", cp);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100586 free(cp);
587 cp = asn1time_to_str(next_update);
Michal Vasko05532772021-06-03 12:12:38 +0200588 VRB(NULL, "Cert verify CRL: next update: %s.", cp);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100589 free(cp);
590
591 /* verify the signature on this CRL */
592 pubkey = X509_get_pubkey(cert);
593 if (X509_CRL_verify(crl, pubkey) <= 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200594 ERR(NULL, "Cert verify CRL: invalid signature.");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100595 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
596 X509_OBJECT_free(obj);
597 if (pubkey) {
598 EVP_PKEY_free(pubkey);
599 }
600 return 0;
601 }
602 if (pubkey) {
603 EVP_PKEY_free(pubkey);
604 }
605
606 /* check date of CRL to make sure it's not expired */
607 if (!next_update) {
Michal Vasko05532772021-06-03 12:12:38 +0200608 ERR(NULL, "Cert verify CRL: invalid nextUpdate field.");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100609 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
610 X509_OBJECT_free(obj);
611 return 0;
612 }
613 if (X509_cmp_current_time(next_update) < 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200614 ERR(NULL, "Cert verify CRL: expired - revoking all certificates.");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100615 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
616 X509_OBJECT_free(obj);
617 return 0;
618 }
619 X509_OBJECT_free(obj);
620 }
621
622 /* try to retrieve a CRL corresponding to the _issuer_ of
623 * the current certificate in order to check for revocation */
624 store_ctx = X509_STORE_CTX_new();
625 obj = X509_OBJECT_new();
626 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700627 rc = X509_STORE_CTX_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100628 X509_STORE_CTX_free(store_ctx);
629 crl = X509_OBJECT_get0_X509_CRL(obj);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200630 if ((rc > 0) && crl) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100631 /* check if the current certificate is revoked by this CRL */
632 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
633 for (i = 0; i < n; i++) {
634 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
635 serial = X509_REVOKED_get0_serialNumber(revoked);
636 if (ASN1_INTEGER_cmp(serial, X509_get_serialNumber(cert)) == 0) {
637 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200638 ERR(NULL, "Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.",
639 serial, serial, cp);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100640 OPENSSL_free(cp);
641 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
642 X509_OBJECT_free(obj);
643 return 0;
644 }
645 }
646 X509_OBJECT_free(obj);
647 }
648 }
649
650 /* cert-to-name already successful */
651 if (session->username) {
652 return 1;
653 }
654
655 /* cert-to-name */
656 rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
657
658 if (rc) {
659 if (rc == -1) {
660 /* fatal error */
661 depth = 0;
662 }
663 /* rc == 1 is a normal CTN fail (no match found) */
664 goto fail;
665 }
666
667 /* cert-to-name match, now to extract the specific field from the peer cert */
668 if (map_type == NC_TLS_CTN_SPECIFIED) {
Michal Vasko93224072021-11-09 12:14:28 +0100669 session->username = strdup(username);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100670 } else {
671 rc = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &cp);
672 if (rc) {
673 if (rc == -1) {
674 depth = 0;
675 }
676 goto fail;
677 }
Michal Vasko93224072021-11-09 12:14:28 +0100678 session->username = cp;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100679 }
680
Michal Vasko05532772021-06-03 12:12:38 +0200681 VRB(NULL, "Cert verify CTN: new client username recognized as \"%s\".", session->username);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100682
683 if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
Michal Vasko05532772021-06-03 12:12:38 +0200684 VRB(NULL, "Cert verify: user verify callback revoked authorization.");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100685 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
686 return 0;
687 }
688
689 return 1;
690
691fail:
692 if (depth > 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200693 VRB(NULL, "Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100694 return 1;
695 }
696
Michal Vasko05532772021-06-03 12:12:38 +0200697 VRB(NULL, "Cert-to-name unsuccessful, dropping the new client.");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100698 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
699 return 0;
700}
701
702#else
703
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100704static int
705nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
706{
707 X509_STORE_CTX store_ctx;
708 X509_OBJECT obj;
709 X509_NAME *subject;
710 X509_NAME *issuer;
711 X509 *cert;
712 X509_CRL *crl;
713 X509_REVOKED *revoked;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200714
715 STACK_OF(X509) * cert_stack;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100716 EVP_PKEY *pubkey;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200717 struct nc_session *session;
Michal Vasko3031aae2016-01-27 16:07:18 +0100718 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100719 long serial;
720 int i, n, rc, depth;
721 char *cp;
722 const char *username = NULL;
723 NC_TLS_CTN_MAPTYPE map_type = 0;
724 ASN1_TIME *last_update = NULL, *next_update = NULL;
725
Michal Vasko6d292992016-01-18 09:42:38 +0100726 /* get the thread session */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100727 session = pthread_getspecific(verify_key);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100728 if (!session) {
729 ERRINT;
730 return 0;
731 }
732
Michal Vasko2cc4c682016-03-01 09:16:48 +0100733 opts = session->data;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100734
735 /* get the last certificate, that is the peer (client) certificate */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200736 if (!session->opts.server.client_cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100737 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100738 while ((cert = sk_X509_pop(cert_stack))) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200739 X509_free(session->opts.server.client_cert);
740 session->opts.server.client_cert = cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100741 }
742 sk_X509_pop_free(cert_stack, X509_free);
743 }
744
745 /* standard certificate verification failed, so a trusted client cert must match to continue */
746 if (!preverify_ok) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200747 subject = X509_get_subject_name(session->opts.server.client_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100748 cert_stack = X509_STORE_get1_certs(x509_ctx, subject);
749 if (cert_stack) {
750 for (i = 0; i < sk_X509_num(cert_stack); ++i) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200751 if (cert_pubkey_match(session->opts.server.client_cert, sk_X509_value(cert_stack, i))) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100752 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
753 * this callback will be called again with the same current certificate and preverify_ok == 1 */
Michal Vasko05532772021-06-03 12:12:38 +0200754 VRB(session, "Cert verify: fail (%s), but the client certificate is trusted, continuing.",
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200755 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100756 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
757 sk_X509_pop_free(cert_stack, X509_free);
758 return 1;
759 }
760 }
761 sk_X509_pop_free(cert_stack, X509_free);
762 }
763
Michal Vasko05532772021-06-03 12:12:38 +0200764 ERR(session, "Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100765 return 0;
766 }
767
768 /* print cert verify info */
769 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vasko05532772021-06-03 12:12:38 +0200770 VRB(session, "Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100771
772 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
773 subject = X509_get_subject_name(cert);
774 issuer = X509_get_issuer_name(cert);
775
776 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200777 VRB(session, "Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100778 OPENSSL_free(cp);
779 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200780 VRB(session, "Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100781 OPENSSL_free(cp);
782
783 /* check for revocation if set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100784 if (opts->crl_store) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100785 /* try to retrieve a CRL corresponding to the _subject_ of
786 * the current certificate in order to verify it's integrity */
787 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100788 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700789 rc = X509_STORE_CTX_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100790 X509_STORE_CTX_cleanup(&store_ctx);
791 crl = obj.data.crl;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200792 if ((rc > 0) && crl) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100793 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200794 VRB(session, "Cert verify CRL: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100795 OPENSSL_free(cp);
796
797 last_update = X509_CRL_get_lastUpdate(crl);
798 next_update = X509_CRL_get_nextUpdate(crl);
799 cp = asn1time_to_str(last_update);
Michal Vasko05532772021-06-03 12:12:38 +0200800 VRB(session, "Cert verify CRL: last update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100801 free(cp);
802 cp = asn1time_to_str(next_update);
Michal Vasko05532772021-06-03 12:12:38 +0200803 VRB(session, "Cert verify CRL: next update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100804 free(cp);
805
806 /* verify the signature on this CRL */
807 pubkey = X509_get_pubkey(cert);
808 if (X509_CRL_verify(crl, pubkey) <= 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200809 ERR(session, "Cert verify CRL: invalid signature.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100810 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
811 X509_OBJECT_free_contents(&obj);
812 if (pubkey) {
813 EVP_PKEY_free(pubkey);
814 }
815 return 0;
816 }
817 if (pubkey) {
818 EVP_PKEY_free(pubkey);
819 }
820
821 /* check date of CRL to make sure it's not expired */
822 if (!next_update) {
Michal Vasko05532772021-06-03 12:12:38 +0200823 ERR(session, "Cert verify CRL: invalid nextUpdate field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100824 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
825 X509_OBJECT_free_contents(&obj);
826 return 0;
827 }
828 if (X509_cmp_current_time(next_update) < 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200829 ERR(session, "Cert verify CRL: expired - revoking all certificates.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100830 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
831 X509_OBJECT_free_contents(&obj);
832 return 0;
833 }
834 X509_OBJECT_free_contents(&obj);
835 }
836
837 /* try to retrieve a CRL corresponding to the _issuer_ of
Michal Vaskob48aa812016-01-18 14:13:09 +0100838 * the current certificate in order to check for revocation */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100839 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100840 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700841 rc = X509_STORE_CTX_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100842 X509_STORE_CTX_cleanup(&store_ctx);
843 crl = obj.data.crl;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200844 if ((rc > 0) && crl) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100845 /* check if the current certificate is revoked by this CRL */
846 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
847 for (i = 0; i < n; i++) {
848 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
849 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
850 serial = ASN1_INTEGER_get(revoked->serialNumber);
851 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200852 ERR(session, "Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.",
853 serial, serial, cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100854 OPENSSL_free(cp);
855 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
856 X509_OBJECT_free_contents(&obj);
857 return 0;
858 }
859 }
860 X509_OBJECT_free_contents(&obj);
861 }
862 }
863
864 /* cert-to-name already successful */
865 if (session->username) {
866 return 1;
867 }
868
869 /* cert-to-name */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100870 rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100871
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100872 if (rc) {
873 if (rc == -1) {
874 /* fatal error */
875 depth = 0;
876 }
877 /* rc == 1 is a normal CTN fail (no match found) */
878 goto fail;
879 }
880
881 /* cert-to-name match, now to extract the specific field from the peer cert */
882 if (map_type == NC_TLS_CTN_SPECIFIED) {
Barbaros Tokaoglubaa1e482021-12-11 16:04:37 +0300883 session->username = strdup(username);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100884 } else {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200885 rc = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100886 if (rc) {
887 if (rc == -1) {
888 depth = 0;
889 }
890 goto fail;
891 }
Barbaros Tokaoglubaa1e482021-12-11 16:04:37 +0300892 session->username = cp;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100893 }
894
Michal Vasko05532772021-06-03 12:12:38 +0200895 VRB(session, "Cert verify CTN: new client username recognized as \"%s\".", session->username);
Michal Vasko7060bcf2016-11-28 14:48:11 +0100896
897 if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
Michal Vasko05532772021-06-03 12:12:38 +0200898 VRB(session, "Cert verify: user verify callback revoked authorization.");
Michal Vasko7060bcf2016-11-28 14:48:11 +0100899 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
900 return 0;
901 }
902
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100903 return 1;
904
905fail:
906 if (depth > 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200907 VRB(session, "Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100908 return 1;
909 }
910
Michal Vasko05532772021-06-03 12:12:38 +0200911 VRB(session, "Cert-to-name unsuccessful, dropping the new client.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100912 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
913 return 0;
914}
915
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100916#endif
917
Michal Vasko3031aae2016-01-27 16:07:18 +0100918static int
Michal Vasko4c1fb492017-01-30 14:31:07 +0100919nc_server_tls_set_server_cert(const char *name, struct nc_server_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100920{
Michal Vasko4c1fb492017-01-30 14:31:07 +0100921 if (!name) {
Michal Vaskoa8748792016-11-22 14:34:26 +0100922 if (opts->server_cert) {
Michal Vasko93224072021-11-09 12:14:28 +0100923 free(opts->server_cert);
Michal Vaskoa8748792016-11-22 14:34:26 +0100924 }
925 opts->server_cert = NULL;
926 return 0;
927 }
928
Michal Vaskoe2713da2016-08-22 16:06:40 +0200929 if (opts->server_cert) {
Michal Vasko93224072021-11-09 12:14:28 +0100930 free(opts->server_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100931 }
Michal Vasko93224072021-11-09 12:14:28 +0100932 opts->server_cert = strdup(name);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100933
934 return 0;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100935}
936
937API int
Michal Vasko4c1fb492017-01-30 14:31:07 +0100938nc_server_tls_endpt_set_server_cert(const char *endpt_name, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100939{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100940 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100941 struct nc_endpt *endpt;
942
Michal Vasko2e6defd2016-10-07 15:48:15 +0200943 if (!endpt_name) {
944 ERRARG("endpt_name");
945 return -1;
946 }
947
Michal Vasko51e514d2016-02-02 15:51:52 +0100948 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100949 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100950 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100951 return -1;
952 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100953 ret = nc_server_tls_set_server_cert(name, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +0100954 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +0100955 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +0100956
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100957 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100958}
959
960API int
Michal Vaskoadf30f02019-06-24 09:34:47 +0200961nc_server_tls_ch_client_endpt_set_server_cert(const char *client_name, const char *endpt_name, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100962{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100963 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200964 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +0200965 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +0200966
967 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +0200968 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
969 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +0200970 return -1;
971 }
972
Michal Vaskoadf30f02019-06-24 09:34:47 +0200973 ret = nc_server_tls_set_server_cert(name, endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +0200974
975 /* UNLOCK */
976 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100977
978 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100979}
980
Michal Vasko4c1fb492017-01-30 14:31:07 +0100981API void
982nc_server_tls_set_server_cert_clb(int (*cert_clb)(const char *name, void *user_data, char **cert_path, char **cert_data,
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200983 char **privkey_path, char **privkey_data, NC_SSH_KEY_TYPE *privkey_type), void *user_data,
984 void (*free_user_data)(void *user_data))
Michal Vaskoc61c4492016-01-25 11:13:34 +0100985{
Michal Vasko4c1fb492017-01-30 14:31:07 +0100986 if (!cert_clb) {
987 ERRARG("cert_clb");
988 return;
Michal Vaskoa8748792016-11-22 14:34:26 +0100989 }
990
Michal Vasko4c1fb492017-01-30 14:31:07 +0100991 server_opts.server_cert_clb = cert_clb;
992 server_opts.server_cert_data = user_data;
993 server_opts.server_cert_data_free = free_user_data;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100994}
995
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500996API void
997nc_server_tls_set_server_cert_chain_clb(int (*cert_chain_clb)(const char *name, void *user_data, char ***cert_paths,
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200998 int *cert_path_count, char ***cert_data, int *cert_data_count), void *user_data, void (*free_user_data)(void *user_data))
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500999{
1000 if (!cert_chain_clb) {
1001 ERRARG("cert_chain_clb");
1002 return;
1003 }
1004
1005 server_opts.server_cert_chain_clb = cert_chain_clb;
1006 server_opts.server_cert_chain_data = user_data;
1007 server_opts.server_cert_chain_data_free = free_user_data;
1008}
1009
Michal Vaskoc61c4492016-01-25 11:13:34 +01001010static int
Michal Vasko4c1fb492017-01-30 14:31:07 +01001011nc_server_tls_add_trusted_cert_list(const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001012{
Michal Vasko4c1fb492017-01-30 14:31:07 +01001013 if (!name) {
1014 ERRARG("name");
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001015 return -1;
1016 }
1017
Michal Vasko4c1fb492017-01-30 14:31:07 +01001018 ++opts->trusted_cert_list_count;
Michal Vasko77367452021-02-16 16:32:18 +01001019 opts->trusted_cert_lists = nc_realloc(opts->trusted_cert_lists,
1020 opts->trusted_cert_list_count * sizeof *opts->trusted_cert_lists);
Michal Vasko4c1fb492017-01-30 14:31:07 +01001021 if (!opts->trusted_cert_lists) {
Michal Vaskoe2713da2016-08-22 16:06:40 +02001022 ERRMEM;
Michal Vaskoe2713da2016-08-22 16:06:40 +02001023 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001024 }
Michal Vasko93224072021-11-09 12:14:28 +01001025 opts->trusted_cert_lists[opts->trusted_cert_list_count - 1] = strdup(name);
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001026
1027 return 0;
1028}
1029
1030API int
Michal Vasko4c1fb492017-01-30 14:31:07 +01001031nc_server_tls_endpt_add_trusted_cert_list(const char *endpt_name, const char *name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001032{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001033 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +01001034 struct nc_endpt *endpt;
1035
Michal Vasko2e6defd2016-10-07 15:48:15 +02001036 if (!endpt_name) {
1037 ERRARG("endpt_name");
1038 return -1;
1039 }
1040
Michal Vasko51e514d2016-02-02 15:51:52 +01001041 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001042 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +01001043 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +01001044 return -1;
1045 }
Michal Vasko4c1fb492017-01-30 14:31:07 +01001046 ret = nc_server_tls_add_trusted_cert_list(name, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +01001047 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001048 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +01001049
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001050 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001051}
1052
1053API int
Michal Vaskoadf30f02019-06-24 09:34:47 +02001054nc_server_tls_ch_client_endpt_add_trusted_cert_list(const char *client_name, const char *endpt_name, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001055{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001056 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001057 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001058 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001059
1060 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001061 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1062 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +02001063 return -1;
1064 }
1065
Michal Vaskoadf30f02019-06-24 09:34:47 +02001066 ret = nc_server_tls_add_trusted_cert_list(name, endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +02001067
1068 /* UNLOCK */
1069 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001070
1071 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001072}
1073
Michal Vasko4c1fb492017-01-30 14:31:07 +01001074API void
1075nc_server_tls_set_trusted_cert_list_clb(int (*cert_list_clb)(const char *name, void *user_data, char ***cert_paths,
Michal Vaskoadf30f02019-06-24 09:34:47 +02001076 int *cert_path_count, char ***cert_data, int *cert_data_count),
1077 void *user_data, void (*free_user_data)(void *user_data))
Michal Vaskoc61c4492016-01-25 11:13:34 +01001078{
Michal Vasko4c1fb492017-01-30 14:31:07 +01001079 if (!cert_list_clb) {
1080 ERRARG("cert_list_clb");
1081 return;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001082 }
1083
Michal Vasko4c1fb492017-01-30 14:31:07 +01001084 server_opts.trusted_cert_list_clb = cert_list_clb;
1085 server_opts.trusted_cert_list_data = user_data;
1086 server_opts.trusted_cert_list_data_free = free_user_data;
Michal Vaskoe2713da2016-08-22 16:06:40 +02001087}
1088
1089static int
Michal Vasko4c1fb492017-01-30 14:31:07 +01001090nc_server_tls_del_trusted_cert_list(const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoe2713da2016-08-22 16:06:40 +02001091{
1092 uint16_t i;
1093
1094 if (!name) {
Michal Vasko4c1fb492017-01-30 14:31:07 +01001095 for (i = 0; i < opts->trusted_cert_list_count; ++i) {
Michal Vasko93224072021-11-09 12:14:28 +01001096 free(opts->trusted_cert_lists[i]);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001097 }
Michal Vasko4c1fb492017-01-30 14:31:07 +01001098 free(opts->trusted_cert_lists);
1099 opts->trusted_cert_lists = NULL;
1100 opts->trusted_cert_list_count = 0;
Michal Vaskoe2713da2016-08-22 16:06:40 +02001101 return 0;
1102 } else {
Michal Vasko4c1fb492017-01-30 14:31:07 +01001103 for (i = 0; i < opts->trusted_cert_list_count; ++i) {
1104 if (!strcmp(opts->trusted_cert_lists[i], name)) {
Michal Vasko93224072021-11-09 12:14:28 +01001105 free(opts->trusted_cert_lists[i]);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001106
Michal Vasko4c1fb492017-01-30 14:31:07 +01001107 --opts->trusted_cert_list_count;
1108 if (i < opts->trusted_cert_list_count - 1) {
1109 memmove(opts->trusted_cert_lists + i, opts->trusted_cert_lists + i + 1,
1110 (opts->trusted_cert_list_count - i) * sizeof *opts->trusted_cert_lists);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001111 }
1112 return 0;
1113 }
1114 }
1115 }
1116
Michal Vasko05532772021-06-03 12:12:38 +02001117 ERR(NULL, "Certificate list \"%s\" not found.", name);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001118 return -1;
1119}
1120
1121API int
Michal Vasko4c1fb492017-01-30 14:31:07 +01001122nc_server_tls_endpt_del_trusted_cert_list(const char *endpt_name, const char *name)
Michal Vaskoe2713da2016-08-22 16:06:40 +02001123{
1124 int ret;
1125 struct nc_endpt *endpt;
1126
Michal Vasko2e6defd2016-10-07 15:48:15 +02001127 if (!endpt_name) {
1128 ERRARG("endpt_name");
1129 return -1;
1130 }
1131
Michal Vaskoe2713da2016-08-22 16:06:40 +02001132 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001133 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001134 if (!endpt) {
1135 return -1;
1136 }
Michal Vasko4c1fb492017-01-30 14:31:07 +01001137 ret = nc_server_tls_del_trusted_cert_list(name, endpt->opts.tls);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001138 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001139 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001140
1141 return ret;
1142}
1143
1144API int
Michal Vaskoadf30f02019-06-24 09:34:47 +02001145nc_server_tls_ch_client_endpt_del_trusted_cert_list(const char *client_name, const char *endpt_name, const char *name)
Michal Vaskoe2713da2016-08-22 16:06:40 +02001146{
1147 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001148 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001149 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001150
1151 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001152 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1153 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +02001154 return -1;
1155 }
1156
Michal Vaskoadf30f02019-06-24 09:34:47 +02001157 ret = nc_server_tls_del_trusted_cert_list(name, endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +02001158
1159 /* UNLOCK */
1160 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001161
1162 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001163}
1164
1165static int
Michal Vasko96830e32016-02-01 10:54:18 +01001166nc_server_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001167{
Michal Vasko96830e32016-02-01 10:54:18 +01001168 if (!ca_file && !ca_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +02001169 ERRARG("ca_file and ca_dir");
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001170 return -1;
1171 }
1172
Michal Vasko96830e32016-02-01 10:54:18 +01001173 if (ca_file) {
Michal Vasko93224072021-11-09 12:14:28 +01001174 free(opts->trusted_ca_file);
1175 opts->trusted_ca_file = strdup(ca_file);
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001176 }
1177
Michal Vasko96830e32016-02-01 10:54:18 +01001178 if (ca_dir) {
Michal Vasko93224072021-11-09 12:14:28 +01001179 free(opts->trusted_ca_dir);
1180 opts->trusted_ca_dir = strdup(ca_dir);
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001181 }
1182
1183 return 0;
Michal Vasko086311b2016-01-08 09:53:11 +01001184}
1185
Michal Vaskoc61c4492016-01-25 11:13:34 +01001186API int
Michal Vasko96830e32016-02-01 10:54:18 +01001187nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir)
Michal Vasko086311b2016-01-08 09:53:11 +01001188{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001189 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +01001190 struct nc_endpt *endpt;
1191
Michal Vasko2e6defd2016-10-07 15:48:15 +02001192 if (!endpt_name) {
1193 ERRARG("endpt_name");
1194 return -1;
1195 }
1196
Michal Vasko51e514d2016-02-02 15:51:52 +01001197 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001198 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +01001199 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +01001200 return -1;
1201 }
Michal Vasko2e6defd2016-10-07 15:48:15 +02001202 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +01001203 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001204 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +01001205
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001206 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001207}
1208
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001209API int
Michal Vaskoadf30f02019-06-24 09:34:47 +02001210nc_server_tls_ch_client_endpt_set_trusted_ca_paths(const char *client_name, const char *endpt_name, const char *ca_file,
1211 const char *ca_dir)
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001212{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001213 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001214 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001215 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001216
1217 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001218 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1219 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +02001220 return -1;
1221 }
1222
Michal Vaskoadf30f02019-06-24 09:34:47 +02001223 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +02001224
1225 /* UNLOCK */
1226 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001227
1228 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001229}
1230
Michal Vaskoc61c4492016-01-25 11:13:34 +01001231static int
Michal Vasko96830e32016-02-01 10:54:18 +01001232nc_server_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001233{
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001234 X509_LOOKUP *lookup;
1235
Michal Vasko96830e32016-02-01 10:54:18 +01001236 if (!crl_file && !crl_dir) {
Michal Vasko45e53ae2016-04-07 11:46:03 +02001237 ERRARG("crl_file and crl_dir");
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001238 return -1;
1239 }
1240
Michal Vaskoc61c4492016-01-25 11:13:34 +01001241 if (!opts->crl_store) {
1242 opts->crl_store = X509_STORE_new();
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001243 }
1244
Michal Vasko96830e32016-02-01 10:54:18 +01001245 if (crl_file) {
Michal Vaskoc61c4492016-01-25 11:13:34 +01001246 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file());
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001247 if (!lookup) {
Michal Vasko05532772021-06-03 12:12:38 +02001248 ERR(NULL, "Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +01001249 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001250 }
1251
Michal Vasko96830e32016-02-01 10:54:18 +01001252 if (X509_LOOKUP_load_file(lookup, crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001253 ERR(NULL, "Failed to add a revocation lookup file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +01001254 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001255 }
1256 }
1257
Michal Vasko96830e32016-02-01 10:54:18 +01001258 if (crl_dir) {
Michal Vaskoc61c4492016-01-25 11:13:34 +01001259 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir());
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001260 if (!lookup) {
Michal Vasko05532772021-06-03 12:12:38 +02001261 ERR(NULL, "Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +01001262 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001263 }
1264
Michal Vasko96830e32016-02-01 10:54:18 +01001265 if (X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001266 ERR(NULL, "Failed to add a revocation lookup directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +01001267 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001268 }
1269 }
1270
1271 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +01001272
1273fail:
Michal Vaskob48aa812016-01-18 14:13:09 +01001274 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001275}
1276
Michal Vaskoc61c4492016-01-25 11:13:34 +01001277API int
Michal Vasko96830e32016-02-01 10:54:18 +01001278nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001279{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001280 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +01001281 struct nc_endpt *endpt;
1282
Michal Vasko2e6defd2016-10-07 15:48:15 +02001283 if (!endpt_name) {
1284 ERRARG("endpt_name");
1285 return -1;
1286 }
1287
Michal Vasko51e514d2016-02-02 15:51:52 +01001288 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001289 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +01001290 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +01001291 return -1;
1292 }
Michal Vasko2e6defd2016-10-07 15:48:15 +02001293 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +01001294 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001295 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +01001296
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001297 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001298}
1299
1300API int
Michal Vaskoadf30f02019-06-24 09:34:47 +02001301nc_server_tls_ch_client_set_crl_paths(const char *client_name, const char *endpt_name, const char *crl_file,
1302 const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001303{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001304 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001305 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001306 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001307
1308 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001309 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1310 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +02001311 return -1;
1312 }
1313
Michal Vaskoadf30f02019-06-24 09:34:47 +02001314 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +02001315
1316 /* UNLOCK */
1317 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001318
1319 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001320}
1321
1322static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001323nc_server_tls_clear_crls(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001324{
Michal Vaskoc61c4492016-01-25 11:13:34 +01001325 if (!opts->crl_store) {
Michal Vaskoc61c4492016-01-25 11:13:34 +01001326 return;
1327 }
1328
1329 X509_STORE_free(opts->crl_store);
1330 opts->crl_store = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001331}
1332
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001333API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001334nc_server_tls_endpt_clear_crls(const char *endpt_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001335{
Michal Vasko3031aae2016-01-27 16:07:18 +01001336 struct nc_endpt *endpt;
1337
Michal Vasko2e6defd2016-10-07 15:48:15 +02001338 if (!endpt_name) {
1339 ERRARG("endpt_name");
1340 return;
1341 }
1342
Michal Vasko51e514d2016-02-02 15:51:52 +01001343 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001344 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +01001345 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +01001346 return;
1347 }
Michal Vasko2e6defd2016-10-07 15:48:15 +02001348 nc_server_tls_clear_crls(endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +01001349 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001350 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001351}
1352
Michal Vaskoc61c4492016-01-25 11:13:34 +01001353API void
Michal Vaskoadf30f02019-06-24 09:34:47 +02001354nc_server_tls_ch_client_endpt_clear_crls(const char *client_name, const char *endpt_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001355{
Michal Vasko2e6defd2016-10-07 15:48:15 +02001356 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001357 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001358
1359 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001360 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1361 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +02001362 return;
1363 }
1364
Michal Vaskoadf30f02019-06-24 09:34:47 +02001365 nc_server_tls_clear_crls(endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +02001366
1367 /* UNLOCK */
1368 nc_server_ch_client_unlock(client);
Michal Vaskoc61c4492016-01-25 11:13:34 +01001369}
1370
1371static int
Michal Vasko2e6defd2016-10-07 15:48:15 +02001372nc_server_tls_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name,
Michal Vaskoadf30f02019-06-24 09:34:47 +02001373 struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001374{
Michal Vasko5e3f3392016-01-20 11:13:01 +01001375 struct nc_ctn *ctn, *new;
1376
Michal Vaskoc61c4492016-01-25 11:13:34 +01001377 if (!opts->ctn) {
Michal Vasko5e3f3392016-01-20 11:13:01 +01001378 /* the first item */
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001379 opts->ctn = new = calloc(1, sizeof *new);
1380 if (!new) {
1381 ERRMEM;
1382 return -1;
1383 }
Michal Vaskoc61c4492016-01-25 11:13:34 +01001384 } else if (opts->ctn->id > id) {
Michal Vasko5e3f3392016-01-20 11:13:01 +01001385 /* insert at the beginning */
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001386 new = calloc(1, sizeof *new);
1387 if (!new) {
1388 ERRMEM;
1389 return -1;
1390 }
Michal Vaskoc61c4492016-01-25 11:13:34 +01001391 new->next = opts->ctn;
1392 opts->ctn = new;
Michal Vasko5e3f3392016-01-20 11:13:01 +01001393 } else {
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001394 for (ctn = opts->ctn; ctn->next && ctn->next->id <= id; ctn = ctn->next) {}
Michal Vasko276f9d92017-02-02 11:15:55 +01001395 if (ctn->id == id) {
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001396 /* it exists already */
Michal Vasko276f9d92017-02-02 11:15:55 +01001397 new = ctn;
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001398 } else {
1399 /* insert after ctn */
1400 new = calloc(1, sizeof *new);
1401 if (!new) {
1402 ERRMEM;
1403 return -1;
1404 }
1405 new->next = ctn->next;
1406 ctn->next = new;
1407 }
1408 }
1409
1410 new->id = id;
1411 if (fingerprint) {
Michal Vasko93224072021-11-09 12:14:28 +01001412 free(new->fingerprint);
1413 new->fingerprint = strdup(fingerprint);
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001414 }
1415 if (map_type) {
1416 new->map_type = map_type;
1417 }
1418 if (name) {
Michal Vasko93224072021-11-09 12:14:28 +01001419 free(new->name);
1420 new->name = strdup(name);
Michal Vasko5e3f3392016-01-20 11:13:01 +01001421 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001422
1423 return 0;
1424}
1425
1426API int
Michal Vasko2e6defd2016-10-07 15:48:15 +02001427nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type,
Michal Vaskoadf30f02019-06-24 09:34:47 +02001428 const char *name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001429{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001430 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +01001431 struct nc_endpt *endpt;
1432
Michal Vasko2e6defd2016-10-07 15:48:15 +02001433 if (!endpt_name) {
1434 ERRARG("endpt_name");
1435 return -1;
1436 }
1437
Michal Vasko51e514d2016-02-02 15:51:52 +01001438 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001439 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +01001440 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +01001441 return -1;
1442 }
Michal Vasko2e6defd2016-10-07 15:48:15 +02001443 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +01001444 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001445 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +01001446
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001447 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001448}
1449
1450API int
Michal Vaskoadf30f02019-06-24 09:34:47 +02001451nc_server_tls_ch_client_endpt_add_ctn(const char *client_name, const char *endpt_name, uint32_t id,
1452 const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001453{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001454 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001455 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001456 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001457
1458 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001459 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1460 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +02001461 return -1;
1462 }
1463
Michal Vaskoadf30f02019-06-24 09:34:47 +02001464 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +02001465
1466 /* UNLOCK */
1467 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001468
1469 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001470}
1471
1472static int
Michal Vasko2e6defd2016-10-07 15:48:15 +02001473nc_server_tls_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name,
Michal Vaskoadf30f02019-06-24 09:34:47 +02001474 struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001475{
Michal Vasko5e3f3392016-01-20 11:13:01 +01001476 struct nc_ctn *ctn, *next, *prev;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001477 int ret = -1;
1478
Michal Vasko1a38c862016-01-15 15:50:07 +01001479 if ((id < 0) && !fingerprint && !map_type && !name) {
Michal Vaskoc61c4492016-01-25 11:13:34 +01001480 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +01001481 while (ctn) {
Michal Vasko93224072021-11-09 12:14:28 +01001482 free(ctn->fingerprint);
1483 free(ctn->name);
Michal Vasko5e3f3392016-01-20 11:13:01 +01001484
1485 next = ctn->next;
1486 free(ctn);
1487 ctn = next;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001488
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001489 ret = 0;
1490 }
Michal Vasko3031aae2016-01-27 16:07:18 +01001491 opts->ctn = NULL;
Michal Vasko1a38c862016-01-15 15:50:07 +01001492 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +01001493 prev = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001494 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +01001495 while (ctn) {
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001496 if (((id < 0) || (ctn->id == id)) &&
1497 (!fingerprint || !strcmp(ctn->fingerprint, fingerprint)) &&
1498 (!map_type || (ctn->map_type == map_type)) &&
1499 (!name || (ctn->name && !strcmp(ctn->name, name)))) {
Michal Vasko93224072021-11-09 12:14:28 +01001500 free(ctn->fingerprint);
1501 free(ctn->name);
Michal Vasko1a38c862016-01-15 15:50:07 +01001502
Michal Vasko5e3f3392016-01-20 11:13:01 +01001503 if (prev) {
1504 prev->next = ctn->next;
1505 next = ctn->next;
1506 } else {
Michal Vasko3031aae2016-01-27 16:07:18 +01001507 opts->ctn = ctn->next;
Michal Vasko5e3f3392016-01-20 11:13:01 +01001508 next = ctn->next;
1509 }
1510 free(ctn);
1511 ctn = next;
Michal Vasko1a38c862016-01-15 15:50:07 +01001512
1513 ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +01001514 } else {
1515 prev = ctn;
1516 ctn = ctn->next;
Michal Vasko1a38c862016-01-15 15:50:07 +01001517 }
1518 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001519 }
1520
1521 return ret;
1522}
1523
Michal Vaskoc61c4492016-01-25 11:13:34 +01001524API int
Michal Vasko2e6defd2016-10-07 15:48:15 +02001525nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type,
Michal Vaskoadf30f02019-06-24 09:34:47 +02001526 const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001527{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001528 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +01001529 struct nc_endpt *endpt;
1530
Michal Vasko2e6defd2016-10-07 15:48:15 +02001531 if (!endpt_name) {
1532 ERRARG("endpt_name");
1533 return -1;
1534 }
1535
Michal Vasko51e514d2016-02-02 15:51:52 +01001536 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001537 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vasko3031aae2016-01-27 16:07:18 +01001538 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +01001539 return -1;
1540 }
Michal Vasko2e6defd2016-10-07 15:48:15 +02001541 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
Michal Vasko51e514d2016-02-02 15:51:52 +01001542 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001543 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vasko3031aae2016-01-27 16:07:18 +01001544
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001545 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001546}
1547
1548API int
Michal Vaskoadf30f02019-06-24 09:34:47 +02001549nc_server_tls_ch_client_endpt_del_ctn(const char *client_name, const char *endpt_name, int64_t id,
1550 const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +01001551{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001552 int ret;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001553 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001554 struct nc_ch_endpt *endpt;
Michal Vasko2e6defd2016-10-07 15:48:15 +02001555
1556 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001557 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1558 if (!endpt) {
Michal Vasko2e6defd2016-10-07 15:48:15 +02001559 return -1;
1560 }
1561
Michal Vaskoadf30f02019-06-24 09:34:47 +02001562 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
Michal Vasko2e6defd2016-10-07 15:48:15 +02001563
1564 /* UNLOCK */
1565 nc_server_ch_client_unlock(client);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001566
1567 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +01001568}
Michal Vaskoc61c4492016-01-25 11:13:34 +01001569
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001570static int
Michal Vaskof585ac72016-11-25 15:16:38 +01001571nc_server_tls_get_ctn(uint32_t *id, char **fingerprint, NC_TLS_CTN_MAPTYPE *map_type, char **name,
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001572 struct nc_server_tls_opts *opts)
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001573{
1574 struct nc_ctn *ctn;
1575 int ret = -1;
1576
1577 for (ctn = opts->ctn; ctn; ctn = ctn->next) {
1578 if (id && *id && (*id != ctn->id)) {
1579 continue;
1580 }
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001581 if (fingerprint && *fingerprint && (!ctn->fingerprint || strcmp(*fingerprint, ctn->fingerprint))) {
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001582 continue;
1583 }
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001584 if (map_type && *map_type && (!ctn->map_type || (*map_type != ctn->map_type))) {
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001585 continue;
1586 }
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001587 if (name && *name && (!ctn->name || strcmp(*name, ctn->name))) {
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001588 continue;
1589 }
1590
1591 /* first match, good enough */
1592 if (id && !(*id)) {
1593 *id = ctn->id;
1594 }
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001595 if (fingerprint && !(*fingerprint) && ctn->fingerprint) {
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001596 *fingerprint = strdup(ctn->fingerprint);
1597 }
Michal Vasko3cf4aaa2017-02-01 15:03:36 +01001598 if (map_type && !(*map_type) && ctn->map_type) {
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001599 *map_type = ctn->map_type;
1600 }
Adam Richterd44680e2019-06-15 13:16:16 -07001601 if (name && !(*name) && ctn->name) {
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001602 *name = strdup(ctn->name);
1603 }
1604
1605 ret = 0;
1606 break;
1607 }
1608
1609 return ret;
1610}
1611
1612API int
Michal Vaskof585ac72016-11-25 15:16:38 +01001613nc_server_tls_endpt_get_ctn(const char *endpt_name, uint32_t *id, char **fingerprint, NC_TLS_CTN_MAPTYPE *map_type,
Michal Vaskoadf30f02019-06-24 09:34:47 +02001614 char **name)
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001615{
1616 int ret;
1617 struct nc_endpt *endpt;
1618
1619 if (!endpt_name) {
1620 ERRARG("endpt_name");
1621 return -1;
1622 }
1623
1624 /* LOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001625 endpt = nc_server_endpt_lock_get(endpt_name, NC_TI_OPENSSL, NULL);
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001626 if (!endpt) {
1627 return -1;
1628 }
1629 ret = nc_server_tls_get_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
1630 /* UNLOCK */
Michal Vaskoade892d2017-02-22 13:40:35 +01001631 pthread_rwlock_unlock(&server_opts.endpt_lock);
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001632
1633 return ret;
1634}
1635
1636API int
Michal Vaskoadf30f02019-06-24 09:34:47 +02001637nc_server_tls_ch_client_endpt_get_ctn(const char *client_name, const char *endpt_name, uint32_t *id, char **fingerprint,
1638 NC_TLS_CTN_MAPTYPE *map_type, char **name)
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001639{
1640 int ret;
1641 struct nc_ch_client *client;
Michal Vaskoadf30f02019-06-24 09:34:47 +02001642 struct nc_ch_endpt *endpt;
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001643
1644 /* LOCK */
Michal Vaskoadf30f02019-06-24 09:34:47 +02001645 endpt = nc_server_ch_client_lock(client_name, endpt_name, NC_TI_OPENSSL, &client);
1646 if (!endpt) {
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001647 return -1;
1648 }
1649
Michal Vaskoadf30f02019-06-24 09:34:47 +02001650 ret = nc_server_tls_get_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
Michal Vaskodf5e6af2016-11-23 13:50:56 +01001651
1652 /* UNLOCK */
1653 nc_server_ch_client_unlock(client);
1654
1655 return ret;
1656}
1657
Michal Vasko709598e2016-11-28 14:48:32 +01001658API const X509 *
1659nc_session_get_client_cert(const struct nc_session *session)
1660{
1661 if (!session || (session->side != NC_SERVER)) {
1662 ERRARG("session");
1663 return NULL;
1664 }
1665
1666 return session->opts.server.client_cert;
1667}
1668
Michal Vasko7060bcf2016-11-28 14:48:11 +01001669API void
1670nc_server_tls_set_verify_clb(int (*verify_clb)(const struct nc_session *session))
1671{
1672 server_opts.user_verify_clb = verify_clb;
1673}
1674
Michal Vasko3031aae2016-01-27 16:07:18 +01001675void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001676nc_server_tls_clear_opts(struct nc_server_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +01001677{
Michal Vasko93224072021-11-09 12:14:28 +01001678 free(opts->server_cert);
Michal Vasko4c1fb492017-01-30 14:31:07 +01001679 nc_server_tls_del_trusted_cert_list(NULL, opts);
Michal Vasko93224072021-11-09 12:14:28 +01001680 free(opts->trusted_ca_file);
1681 free(opts->trusted_ca_dir);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +01001682 nc_server_tls_clear_crls(opts);
Michal Vasko3031aae2016-01-27 16:07:18 +01001683 nc_server_tls_del_ctn(-1, NULL, 0, NULL, opts);
Michal Vasko086311b2016-01-08 09:53:11 +01001684}
Michal Vasko9e036d52016-01-08 10:49:26 +01001685
Michal Vasko6d292992016-01-18 09:42:38 +01001686static void
1687nc_tls_make_verify_key(void)
1688{
Michal Vasko5c2f7952016-01-22 13:16:31 +01001689 pthread_key_create(&verify_key, NULL);
Michal Vasko6d292992016-01-18 09:42:38 +01001690}
1691
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001692static X509 *
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001693tls_load_cert(const char *cert_path, const char *cert_data)
1694{
1695 X509 *cert;
1696
1697 if (cert_path) {
1698 cert = pem_to_cert(cert_path);
1699 } else {
1700 cert = base64der_to_cert(cert_data);
1701 }
1702
1703 if (!cert) {
1704 if (cert_path) {
Michal Vasko05532772021-06-03 12:12:38 +02001705 ERR(NULL, "Loading a trusted certificate (path \"%s\") failed (%s).", cert_path,
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001706 ERR_reason_error_string(ERR_get_error()));
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001707 } else {
Michal Vasko05532772021-06-03 12:12:38 +02001708 ERR(NULL, "Loading a trusted certificate (data \"%s\") failed (%s).", cert_data,
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001709 ERR_reason_error_string(ERR_get_error()));
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001710 }
1711 }
1712 return cert;
1713}
1714
1715static int
1716nc_tls_ctx_set_server_cert_chain(SSL_CTX *tls_ctx, const char *cert_name)
1717{
1718 char **cert_paths = NULL, **cert_data = NULL;
1719 int cert_path_count = 0, cert_data_count = 0, ret = 0, i = 0;
1720 X509 *cert = NULL;
1721
1722 if (!server_opts.server_cert_chain_clb) {
1723 /* This is optional, so return OK */
1724 return 0;
1725 }
1726
1727 if (server_opts.server_cert_chain_clb(cert_name, server_opts.server_cert_chain_data, &cert_paths,
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001728 &cert_path_count, &cert_data, &cert_data_count)) {
Michal Vasko05532772021-06-03 12:12:38 +02001729 ERR(NULL, "Server certificate chain callback failed.");
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001730 return -1;
1731 }
1732
1733 for (i = 0; i < cert_path_count; ++i) {
1734 cert = tls_load_cert(cert_paths[i], NULL);
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001735 if (!cert || (SSL_CTX_add_extra_chain_cert(tls_ctx, cert) != 1)) {
Michal Vasko05532772021-06-03 12:12:38 +02001736 ERR(NULL, "Loading the server certificate chain failed (%s).", ERR_reason_error_string(ERR_get_error()));
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001737 ret = -1;
1738 goto cleanup;
1739 }
1740 }
1741
1742 for (i = 0; i < cert_data_count; ++i) {
1743 cert = tls_load_cert(NULL, cert_data[i]);
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001744 if (!cert || (SSL_CTX_add_extra_chain_cert(tls_ctx, cert) != 1)) {
Michal Vasko05532772021-06-03 12:12:38 +02001745 ERR(NULL, "Loading the server certificate chain failed (%s).", ERR_reason_error_string(ERR_get_error()));
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001746 ret = -1;
1747 goto cleanup;
1748 }
1749 }
1750cleanup:
1751 for (i = 0; i < cert_path_count; ++i) {
1752 free(cert_paths[i]);
1753 }
1754 free(cert_paths);
1755 for (i = 0; i < cert_data_count; ++i) {
1756 free(cert_data[i]);
1757 }
1758 free(cert_data);
1759 /* cert is owned by the SSL_CTX */
1760
1761 return ret;
1762}
1763
Michal Vasko4c1fb492017-01-30 14:31:07 +01001764static int
1765nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, const char *cert_name)
1766{
1767 char *cert_path = NULL, *cert_data = NULL, *privkey_path = NULL, *privkey_data = NULL;
Michal Vaskoddce1212019-05-24 09:58:49 +02001768 int ret = 0;
Michal Vaskoe49a15f2019-05-27 14:18:36 +02001769 NC_SSH_KEY_TYPE privkey_type;
Michal Vasko6e08cb72017-02-02 11:15:29 +01001770 X509 *cert = NULL;
1771 EVP_PKEY *pkey = NULL;
Michal Vasko4c1fb492017-01-30 14:31:07 +01001772
1773 if (!cert_name) {
Michal Vasko05532772021-06-03 12:12:38 +02001774 ERR(NULL, "Server certificate not set.");
Michal Vasko4c1fb492017-01-30 14:31:07 +01001775 return -1;
1776 } else if (!server_opts.server_cert_clb) {
Michal Vasko05532772021-06-03 12:12:38 +02001777 ERR(NULL, "Callback for retrieving the server certificate is not set.");
Michal Vasko4c1fb492017-01-30 14:31:07 +01001778 return -1;
1779 }
1780
1781 if (server_opts.server_cert_clb(cert_name, server_opts.server_cert_data, &cert_path, &cert_data, &privkey_path,
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001782 &privkey_data, &privkey_type)) {
Michal Vasko05532772021-06-03 12:12:38 +02001783 ERR(NULL, "Server certificate callback failed.");
Michal Vasko4c1fb492017-01-30 14:31:07 +01001784 return -1;
1785 }
1786
1787 /* load the certificate */
1788 if (cert_path) {
1789 if (SSL_CTX_use_certificate_file(tls_ctx, cert_path, SSL_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001790 ERR(NULL, "Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001791 ret = -1;
1792 goto cleanup;
1793 }
1794 } else {
Michal Vasko6e08cb72017-02-02 11:15:29 +01001795 cert = base64der_to_cert(cert_data);
Michal Vasko4c1fb492017-01-30 14:31:07 +01001796 if (!cert || (SSL_CTX_use_certificate(tls_ctx, cert) != 1)) {
Michal Vasko05532772021-06-03 12:12:38 +02001797 ERR(NULL, "Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001798 ret = -1;
1799 goto cleanup;
Michal Vasko4c1fb492017-01-30 14:31:07 +01001800 }
1801 }
1802
1803 /* load the private key */
1804 if (privkey_path) {
1805 if (SSL_CTX_use_PrivateKey_file(tls_ctx, privkey_path, SSL_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001806 ERR(NULL, "Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001807 ret = -1;
1808 goto cleanup;
1809 }
1810 } else {
Michal Vaskoddce1212019-05-24 09:58:49 +02001811 pkey = base64der_to_privatekey(privkey_data, nc_keytype2str(privkey_type));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001812 if (!pkey || (SSL_CTX_use_PrivateKey(tls_ctx, pkey) != 1)) {
Michal Vasko05532772021-06-03 12:12:38 +02001813 ERR(NULL, "Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001814 ret = -1;
1815 goto cleanup;
Michal Vasko4c1fb492017-01-30 14:31:07 +01001816 }
1817 }
1818
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001819 ret = nc_tls_ctx_set_server_cert_chain(tls_ctx, cert_name);
1820
Michal Vasko4c1fb492017-01-30 14:31:07 +01001821cleanup:
Michal Vasko6e08cb72017-02-02 11:15:29 +01001822 X509_free(cert);
1823 EVP_PKEY_free(pkey);
Michal Vasko4c1fb492017-01-30 14:31:07 +01001824 free(cert_path);
1825 free(cert_data);
1826 free(privkey_path);
1827 free(privkey_data);
1828 return ret;
1829}
1830
1831static void
1832tls_store_add_trusted_cert(X509_STORE *cert_store, const char *cert_path, const char *cert_data)
1833{
Andrew Langefeld440b6c72018-08-27 16:26:20 -05001834 X509 *cert = tls_load_cert(cert_path, cert_data);
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001835
Michal Vasko4c1fb492017-01-30 14:31:07 +01001836 if (!cert) {
Michal Vasko4c1fb492017-01-30 14:31:07 +01001837 return;
1838 }
1839
1840 /* add the trusted certificate */
1841 if (X509_STORE_add_cert(cert_store, cert) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001842 ERR(NULL, "Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +01001843 X509_free(cert);
1844 return;
1845 }
1846 X509_free(cert);
1847}
1848
1849static int
Michal Vasko93224072021-11-09 12:14:28 +01001850nc_tls_store_set_trusted_certs(X509_STORE *cert_store, char **trusted_cert_lists, uint16_t trusted_cert_list_count)
Michal Vasko4c1fb492017-01-30 14:31:07 +01001851{
1852 uint16_t i;
1853 int j;
1854 char **cert_paths, **cert_data;
1855 int cert_path_count, cert_data_count;
1856
1857 if (!server_opts.trusted_cert_list_clb) {
Michal Vasko05532772021-06-03 12:12:38 +02001858 ERR(NULL, "Callback for retrieving trusted certificate lists is not set.");
Michal Vasko4c1fb492017-01-30 14:31:07 +01001859 return -1;
1860 }
1861
1862 for (i = 0; i < trusted_cert_list_count; ++i) {
1863 cert_paths = cert_data = NULL;
1864 cert_path_count = cert_data_count = 0;
1865 if (server_opts.trusted_cert_list_clb(trusted_cert_lists[i], server_opts.trusted_cert_list_data,
Michal Vaskob83a3fa2021-05-26 09:53:42 +02001866 &cert_paths, &cert_path_count, &cert_data, &cert_data_count)) {
Michal Vasko05532772021-06-03 12:12:38 +02001867 ERR(NULL, "Trusted certificate list callback for \"%s\" failed.", trusted_cert_lists[i]);
Michal Vasko4c1fb492017-01-30 14:31:07 +01001868 return -1;
1869 }
1870
1871 for (j = 0; j < cert_path_count; ++j) {
1872 tls_store_add_trusted_cert(cert_store, cert_paths[j], NULL);
1873 free(cert_paths[j]);
1874 }
1875 free(cert_paths);
1876
1877 for (j = 0; j < cert_data_count; ++j) {
1878 tls_store_add_trusted_cert(cert_store, NULL, cert_data[j]);
1879 free(cert_data[j]);
1880 }
1881 free(cert_data);
1882 }
1883
1884 return 0;
1885}
1886
Michal Vasko3031aae2016-01-27 16:07:18 +01001887int
Michal Vasko0190bc32016-03-02 15:47:49 +01001888nc_accept_tls_session(struct nc_session *session, int sock, int timeout)
Michal Vasko3031aae2016-01-27 16:07:18 +01001889{
Michal Vaskoe2713da2016-08-22 16:06:40 +02001890 X509_STORE *cert_store;
1891 SSL_CTX *tls_ctx;
1892 X509_LOOKUP *lookup;
Michal Vasko3031aae2016-01-27 16:07:18 +01001893 struct nc_server_tls_opts *opts;
Michal Vasko36c7be82017-02-22 13:37:59 +01001894 int ret;
1895 struct timespec ts_timeout, ts_cur;
Michal Vaskoc61c4492016-01-25 11:13:34 +01001896
Michal Vasko2cc4c682016-03-01 09:16:48 +01001897 opts = session->data;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001898
Michal Vaskoe2713da2016-08-22 16:06:40 +02001899 /* SSL_CTX */
Michal Vasko18aeb5d2017-02-17 09:23:56 +01001900#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
1901 tls_ctx = SSL_CTX_new(TLS_server_method());
1902#else
Michal Vaskoe2713da2016-08-22 16:06:40 +02001903 tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
Michal Vasko18aeb5d2017-02-17 09:23:56 +01001904#endif
Michal Vaskoe2713da2016-08-22 16:06:40 +02001905 if (!tls_ctx) {
Michal Vasko05532772021-06-03 12:12:38 +02001906 ERR(session, "Failed to create TLS context.");
Michal Vaskoe2713da2016-08-22 16:06:40 +02001907 goto error;
1908 }
1909 SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vasko4c1fb492017-01-30 14:31:07 +01001910 if (nc_tls_ctx_set_server_cert_key(tls_ctx, opts->server_cert)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +02001911 goto error;
1912 }
1913
1914 /* X509_STORE, managed (freed) with the context */
1915 cert_store = X509_STORE_new();
1916 SSL_CTX_set_cert_store(tls_ctx, cert_store);
1917
Michal Vasko4c1fb492017-01-30 14:31:07 +01001918 if (nc_tls_store_set_trusted_certs(cert_store, opts->trusted_cert_lists, opts->trusted_cert_list_count)) {
1919 goto error;
Michal Vaskoe2713da2016-08-22 16:06:40 +02001920 }
1921
1922 if (opts->trusted_ca_file) {
1923 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
1924 if (!lookup) {
Michal Vasko05532772021-06-03 12:12:38 +02001925 ERR(session, "Failed to add a lookup method.");
Michal Vaskoe2713da2016-08-22 16:06:40 +02001926 goto error;
1927 }
1928
1929 if (X509_LOOKUP_load_file(lookup, opts->trusted_ca_file, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001930 ERR(session, "Failed to add a trusted cert file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoe2713da2016-08-22 16:06:40 +02001931 goto error;
1932 }
1933 }
1934
1935 if (opts->trusted_ca_dir) {
1936 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
1937 if (!lookup) {
Michal Vasko05532772021-06-03 12:12:38 +02001938 ERR(session, "Failed to add a lookup method.");
Michal Vaskoe2713da2016-08-22 16:06:40 +02001939 goto error;
1940 }
1941
1942 if (X509_LOOKUP_add_dir(lookup, opts->trusted_ca_dir, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001943 ERR(session, "Failed to add a trusted cert directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoe2713da2016-08-22 16:06:40 +02001944 goto error;
1945 }
1946 }
1947
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001948 session->ti_type = NC_TI_OPENSSL;
Michal Vaskoe2713da2016-08-22 16:06:40 +02001949 session->ti.tls = SSL_new(tls_ctx);
1950
Michal Vasko4c1fb492017-01-30 14:31:07 +01001951 /* context can be freed already, trusted certs must be freed manually */
Michal Vaskoe2713da2016-08-22 16:06:40 +02001952 SSL_CTX_free(tls_ctx);
1953 tls_ctx = NULL;
Michal Vasko7f1c78b2016-01-19 09:52:14 +01001954
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001955 if (!session->ti.tls) {
Michal Vasko05532772021-06-03 12:12:38 +02001956 ERR(session, "Failed to create TLS structure from context.");
Michal Vaskoe2713da2016-08-22 16:06:40 +02001957 goto error;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001958 }
1959
1960 SSL_set_fd(session->ti.tls, sock);
Michal Vaskoe2713da2016-08-22 16:06:40 +02001961 sock = -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001962 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1963
Michal Vasko6d292992016-01-18 09:42:38 +01001964 /* store session on per-thread basis */
Michal Vasko5c2f7952016-01-22 13:16:31 +01001965 pthread_once(&verify_once, nc_tls_make_verify_key);
1966 pthread_setspecific(verify_key, session);
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001967
Michal Vasko36c7be82017-02-22 13:37:59 +01001968 if (timeout > -1) {
Michal Vaskoe852c8b2017-10-05 10:02:20 +02001969 nc_gettimespec_mono(&ts_timeout);
Michal Vasko36c7be82017-02-22 13:37:59 +01001970 nc_addtimespec(&ts_timeout, timeout);
1971 }
Michal Vasko0190bc32016-03-02 15:47:49 +01001972 while (((ret = SSL_accept(session->ti.tls)) == -1) && (SSL_get_error(session->ti.tls, ret) == SSL_ERROR_WANT_READ)) {
1973 usleep(NC_TIMEOUT_STEP);
Michal Vasko36c7be82017-02-22 13:37:59 +01001974 if (timeout > -1) {
Michal Vaskoe852c8b2017-10-05 10:02:20 +02001975 nc_gettimespec_mono(&ts_cur);
Michal Vasko36c7be82017-02-22 13:37:59 +01001976 if (nc_difftimespec(&ts_cur, &ts_timeout) < 1) {
Michal Vasko05532772021-06-03 12:12:38 +02001977 ERR(session, "SSL_accept timeout.");
Michal Vasko36c7be82017-02-22 13:37:59 +01001978 return 0;
1979 }
Michal Vasko0190bc32016-03-02 15:47:49 +01001980 }
1981 }
Michal Vaskob48aa812016-01-18 14:13:09 +01001982
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001983 if (ret != 1) {
1984 switch (SSL_get_error(session->ti.tls, ret)) {
1985 case SSL_ERROR_SYSCALL:
Michal Vasko05532772021-06-03 12:12:38 +02001986 ERR(session, "SSL_accept failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001987 break;
1988 case SSL_ERROR_SSL:
Michal Vasko05532772021-06-03 12:12:38 +02001989 ERR(session, "SSL_accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001990 break;
1991 default:
Michal Vasko05532772021-06-03 12:12:38 +02001992 ERR(session, "SSL_accept failed.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +01001993 break;
1994 }
1995 return -1;
1996 }
1997
Michal Vasko1a38c862016-01-15 15:50:07 +01001998 return 1;
Michal Vaskoe2713da2016-08-22 16:06:40 +02001999
2000error:
2001 if (sock > -1) {
2002 close(sock);
2003 }
2004 SSL_CTX_free(tls_ctx);
2005 return -1;
Michal Vasko9e036d52016-01-08 10:49:26 +01002006}