Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / da5147743c1b68b57fe5f8ce9e9963c973685f33 / . / src / session_server_tls.c
blob: 179f8eaabb5fe38cb4e0c2606878af3be0ce92f1 [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]2 * \file session_server_tls.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 * 3. Neither the name of the Company nor the names of its contributors
18 * may be used to endorse or promote products derived from this
19 * software without specific prior written permission.
20 *
21 */
22
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]23#define _GNU_SOURCE
24
25#include <string.h>
26#include <poll.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]27#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]28
29#include <openssl/ssl.h>
30#include <openssl/evp.h>
31#include <openssl/err.h>
32#include <openssl/x509v3.h>
33
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]34#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]35#include "session_server_ch.h"
36#include "libnetconf.h"
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]37
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]38struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]39pthread_mutex_t tls_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]40extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]41
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]42static pthread_key_t verify_key;
43static pthread_once_t verify_once = PTHREAD_ONCE_INIT;
44
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]45static char *
46asn1time_to_str(ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]47{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]48 char *cp;
49 BIO *bio;
50 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]51
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]52 if (!t) {
53 return NULL;
54 }
55 bio = BIO_new(BIO_s_mem());
56 if (!bio) {
57 return NULL;
58 }
59 ASN1_TIME_print(bio, t);
60 n = BIO_pending(bio);
61 cp = malloc(n + 1);
62 n = BIO_read(bio, cp, n);
63 if (n < 0) {
64 BIO_free(bio);
65 free(cp);
66 return NULL;
67 }
68 cp[n] = '\0';
69 BIO_free(bio);
70 return cp;
71}
72
73static void
74digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
75{
76 unsigned int i;
77
78 *str = malloc(dig_len * 3);
79 for (i = 0; i < dig_len - 1; ++i) {
80 sprintf((*str) + (i * 3), "%02x:", digest[i]);
81 }
82 sprintf((*str) + (i * 3), "%02x", digest[i]);
83}
84
85/* return NULL - SSL error can be retrieved */
86static X509 *
87base64der_to_cert(const char *in)
88{
89 X509 *out;
90 char *buf;
91 BIO *bio;
92
93 if (in == NULL) {
94 return NULL;
95 }
96
97 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
98 return NULL;
99 }
100 bio = BIO_new_mem_buf(buf, strlen(buf));
101 if (!bio) {
102 free(buf);
103 return NULL;
104 }
105
106 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
107 if (!out) {
108 free(buf);
109 BIO_free(bio);
110 return NULL;
111 }
112
113 free(buf);
114 BIO_free(bio);
115 return out;
116}
117
118/* return NULL - either errno or SSL error */
119static X509 *
120pem_to_cert(const char *path)
121{
122 FILE *fp;
123 X509 *out;
124
125 fp = fopen(path, "r");
126 if (!fp) {
127 return NULL;
128 }
129
130 out = PEM_read_X509(fp, NULL, NULL, NULL);
131 fclose(fp);
132 return out;
133}
134
135static EVP_PKEY *
136base64der_to_privatekey(const char *in, int rsa)
137{
138 EVP_PKEY *out;
139 char *buf;
140 BIO *bio;
141
142 if (in == NULL) {
143 return NULL;
144 }
145
146 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----\n", in, "\n-----END ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----") == -1) {
147 return NULL;
148 }
149 bio = BIO_new_mem_buf(buf, strlen(buf));
150 if (!bio) {
151 free(buf);
152 return NULL;
153 }
154
155 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
156 if (!out) {
157 free(buf);
158 BIO_free(bio);
159 return NULL;
160 }
161
162 free(buf);
163 BIO_free(bio);
164 return out;
165}
166
167static int
168cert_pubkey_match(X509 *cert1, X509 *cert2)
169{
170 ASN1_BIT_STRING *bitstr1, *bitstr2;
171
172 bitstr1 = X509_get0_pubkey_bitstr(cert1);
173 bitstr2 = X509_get0_pubkey_bitstr(cert2);
174
175 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
176 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
177 return 0;
178 }
179
180 return 1;
181}
182
183static int
184nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
185{
186 STACK_OF(GENERAL_NAME) *san_names;
187 GENERAL_NAME *san_name;
188 ASN1_OCTET_STRING *ip;
189 int i, san_count;
190 char *subject, *common_name;
191
192 if (map_type == NC_TLS_CTN_COMMON_NAME) {
193 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
194 common_name = strstr(subject, "CN=");
195 if (!common_name) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]196 WRN("Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]197 free(subject);
198 return 1;
199 }
200 common_name += 3;
201 if (strchr(common_name, '/')) {
202 *strchr(common_name, '/') = '\0';
203 }
204 *username = strdup(common_name);
205 free(subject);
206 } else {
207 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
208 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
209 if (!san_names) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]210 WRN("Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]211 return 1;
212 }
213
214 san_count = sk_GENERAL_NAME_num(san_names);
215 for (i = 0; i < san_count; ++i) {
216 san_name = sk_GENERAL_NAME_value(san_names, i);
217
218 /* rfc822Name (email) */
219 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_RFC822_NAME) &&
220 san_name->type == GEN_EMAIL) {
221 *username = strdup((char *)ASN1_STRING_data(san_name->d.rfc822Name));
222 break;
223 }
224
225 /* dNSName */
226 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_DNS_NAME) &&
227 san_name->type == GEN_DNS) {
228 *username = strdup((char *)ASN1_STRING_data(san_name->d.dNSName));
229 break;
230 }
231
232 /* iPAddress */
233 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_IP_ADDRESS) &&
234 san_name->type == GEN_IPADD) {
235 ip = san_name->d.iPAddress;
236 if (ip->length == 4) {
237 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]238 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]239 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
240 return -1;
241 }
242 break;
243 } else if (ip->length == 16) {
244 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
245 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
246 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
247 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]248 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]249 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
250 return -1;
251 }
252 break;
253 } else {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]254 WRN("SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]255 }
256 }
257 }
258 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
259
260 if (i < san_count) {
261 switch (map_type) {
262 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]263 WRN("Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]264 break;
265 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]266 WRN("Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]267 break;
268 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]269 WRN("Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]270 break;
271 case NC_TLS_CTN_SAN_ANY:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]272 WRN("Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]273 break;
274 default:
275 break;
276 }
277 return 1;
278 }
279 }
280
281 return 0;
282}
283
284/* return: 0 - OK, 1 - no match, -1 - error */
285static int
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]286nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]287{
288 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
289 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]290 unsigned char *buf = malloc(64);
291 unsigned int buf_len = 64;
292 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]293 struct nc_ctn *ctn;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]294
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]295 if (!ctn_first || !cert || !map_type || !name) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]296 free(buf);
297 return -1;
298 }
299
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]300 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]301 /* MD5 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]302 if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]303 if (!digest_md5) {
304 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]305 ERR("Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]306 ret = -1;
307 goto cleanup;
308 }
309 digest_to_str(buf, buf_len, &digest_md5);
310 }
311
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]312 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]313 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]314 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]315 *map_type = ctn->map_type;
316 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
317 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]318 }
319 break;
320 }
321
322 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]323 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]324 if (!digest_sha1) {
325 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]326 ERR("Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]327 ret = -1;
328 goto cleanup;
329 }
330 digest_to_str(buf, buf_len, &digest_sha1);
331 }
332
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]333 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]334 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]335 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]336 *map_type = ctn->map_type;
337 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
338 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]339 }
340 break;
341 }
342
343 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]344 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]345 if (!digest_sha224) {
346 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]347 ERR("Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]348 ret = -1;
349 goto cleanup;
350 }
351 digest_to_str(buf, buf_len, &digest_sha224);
352 }
353
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]354 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]355 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]356 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]357 *map_type = ctn->map_type;
358 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
359 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]360 }
361 break;
362 }
363
364 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]365 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]366 if (!digest_sha256) {
367 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]368 ERR("Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]369 ret = -1;
370 goto cleanup;
371 }
372 digest_to_str(buf, buf_len, &digest_sha256);
373 }
374
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]375 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]376 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]377 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]378 *map_type = ctn->map_type;
379 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
380 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]381 }
382 break;
383 }
384
385 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]386 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]387 if (!digest_sha384) {
388 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]389 ERR("Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]390 ret = -1;
391 goto cleanup;
392 }
393 digest_to_str(buf, buf_len, &digest_sha384);
394 }
395
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]396 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]397 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]398 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]399 *map_type = ctn->map_type;
400 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
401 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]402 }
403 break;
404 }
405
406 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]407 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]408 if (!digest_sha512) {
409 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]410 ERR("Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]411 ret = -1;
412 goto cleanup;
413 }
414 digest_to_str(buf, buf_len, &digest_sha512);
415 }
416
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]417 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]418 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]419 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]420 *map_type = ctn->map_type;
421 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
422 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]423 }
424 break;
425 }
426
427 /* unknown */
428 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]429 WRN("Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]430 }
431 }
432
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]433 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]434 ret = 1;
435 }
436
437cleanup:
438 free(digest_md5);
439 free(digest_sha1);
440 free(digest_sha224);
441 free(digest_sha256);
442 free(digest_sha384);
443 free(digest_sha512);
444 free(buf);
445 return ret;
446}
447
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]448static int
449nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
450{
451 X509_STORE_CTX store_ctx;
452 X509_OBJECT obj;
453 X509_NAME *subject;
454 X509_NAME *issuer;
455 X509 *cert;
456 X509_CRL *crl;
457 X509_REVOKED *revoked;
458 STACK_OF(X509) *cert_stack;
459 EVP_PKEY *pubkey;
460 struct nc_session* session;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]461 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]462 long serial;
463 int i, n, rc, depth;
464 char *cp;
465 const char *username = NULL;
466 NC_TLS_CTN_MAPTYPE map_type = 0;
467 ASN1_TIME *last_update = NULL, *next_update = NULL;
468
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]469 /* get the thread session */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]470 session = pthread_getspecific(verify_key);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]471 if (!session) {
472 ERRINT;
473 return 0;
474 }
475
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]476 opts = session->ti_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]477
478 /* get the last certificate, that is the peer (client) certificate */
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]479 if (!session->tls_cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]480 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
481 /* TODO all that is needed, but function X509_up_ref not present in older OpenSSL versions
482 session->cert = sk_X509_value(cert_stack, sk_X509_num(cert_stack) - 1);
483 X509_up_ref(session->cert);
484 sk_X509_pop_free(cert_stack, X509_free); */
485 while ((cert = sk_X509_pop(cert_stack))) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]486 X509_free(session->tls_cert);
487 session->tls_cert = cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]488 }
489 sk_X509_pop_free(cert_stack, X509_free);
490 }
491
492 /* standard certificate verification failed, so a trusted client cert must match to continue */
493 if (!preverify_ok) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]494 subject = X509_get_subject_name(session->tls_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]495 cert_stack = X509_STORE_get1_certs(x509_ctx, subject);
496 if (cert_stack) {
497 for (i = 0; i < sk_X509_num(cert_stack); ++i) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]498 if (cert_pubkey_match(session->tls_cert, sk_X509_value(cert_stack, i))) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]499 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
500 * this callback will be called again with the same current certificate and preverify_ok == 1 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]501 VRB("Cert verify: fail (%s), but the client certificate is trusted, continuing.",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]502 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
503 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
504 sk_X509_pop_free(cert_stack, X509_free);
505 return 1;
506 }
507 }
508 sk_X509_pop_free(cert_stack, X509_free);
509 }
510
511 ERR("Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
512 return 0;
513 }
514
515 /* print cert verify info */
516 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]517 VRB("Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]518
519 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
520 subject = X509_get_subject_name(cert);
521 issuer = X509_get_issuer_name(cert);
522
523 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]524 VRB("Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]525 OPENSSL_free(cp);
526 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]527 VRB("Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]528 OPENSSL_free(cp);
529
530 /* check for revocation if set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]531 if (opts->crl_store) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]532 /* try to retrieve a CRL corresponding to the _subject_ of
533 * the current certificate in order to verify it's integrity */
534 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]535 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]536 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
537 X509_STORE_CTX_cleanup(&store_ctx);
538 crl = obj.data.crl;
539 if (rc > 0 && crl) {
540 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]541 VRB("Cert verify CRL: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]542 OPENSSL_free(cp);
543
544 last_update = X509_CRL_get_lastUpdate(crl);
545 next_update = X509_CRL_get_nextUpdate(crl);
546 cp = asn1time_to_str(last_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]547 VRB("Cert verify CRL: last update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]548 free(cp);
549 cp = asn1time_to_str(next_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]550 VRB("Cert verify CRL: next update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]551 free(cp);
552
553 /* verify the signature on this CRL */
554 pubkey = X509_get_pubkey(cert);
555 if (X509_CRL_verify(crl, pubkey) <= 0) {
556 ERR("Cert verify CRL: invalid signature.");
557 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
558 X509_OBJECT_free_contents(&obj);
559 if (pubkey) {
560 EVP_PKEY_free(pubkey);
561 }
562 return 0;
563 }
564 if (pubkey) {
565 EVP_PKEY_free(pubkey);
566 }
567
568 /* check date of CRL to make sure it's not expired */
569 if (!next_update) {
570 ERR("Cert verify CRL: invalid nextUpdate field.");
571 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
572 X509_OBJECT_free_contents(&obj);
573 return 0;
574 }
575 if (X509_cmp_current_time(next_update) < 0) {
576 ERR("Cert verify CRL: expired - revoking all certificates.");
577 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
578 X509_OBJECT_free_contents(&obj);
579 return 0;
580 }
581 X509_OBJECT_free_contents(&obj);
582 }
583
584 /* try to retrieve a CRL corresponding to the _issuer_ of
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]585 * the current certificate in order to check for revocation */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]586 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]587 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]588 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
589 X509_STORE_CTX_cleanup(&store_ctx);
590 crl = obj.data.crl;
591 if (rc > 0 && crl) {
592 /* check if the current certificate is revoked by this CRL */
593 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
594 for (i = 0; i < n; i++) {
595 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
596 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
597 serial = ASN1_INTEGER_get(revoked->serialNumber);
598 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]599 ERR("Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.", serial, serial, cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]600 OPENSSL_free(cp);
601 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
602 X509_OBJECT_free_contents(&obj);
603 return 0;
604 }
605 }
606 X509_OBJECT_free_contents(&obj);
607 }
608 }
609
610 /* cert-to-name already successful */
611 if (session->username) {
612 return 1;
613 }
614
615 /* cert-to-name */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]616 rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]617
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]618 if (rc) {
619 if (rc == -1) {
620 /* fatal error */
621 depth = 0;
622 }
623 /* rc == 1 is a normal CTN fail (no match found) */
624 goto fail;
625 }
626
627 /* cert-to-name match, now to extract the specific field from the peer cert */
628 if (map_type == NC_TLS_CTN_SPECIFIED) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]629 nc_ctx_lock(-1, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]630 session->username = lydict_insert(server_opts.ctx, username, 0);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]631 nc_ctx_unlock();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]632 } else {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]633 rc = nc_tls_ctn_get_username_from_cert(session->tls_cert, map_type, &cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]634 if (rc) {
635 if (rc == -1) {
636 depth = 0;
637 }
638 goto fail;
639 }
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]640 nc_ctx_lock(-1, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]641 session->username = lydict_insert_zc(server_opts.ctx, cp);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]642 nc_ctx_unlock();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]643 }
644
645 VRB("Cert verify CTN: new client username recognized as \"%s\".", session->username);
646 return 1;
647
648fail:
649 if (depth > 0) {
650 VRB("Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
651 return 1;
652 }
653
654 VRB("Cert-to-name unsuccessful, dropping the new client.");
655 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
656 return 0;
657}
658
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]659API int
660nc_server_tls_add_endpt_listen(const char *name, const char *address, uint16_t port)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]661{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]662 return nc_server_add_endpt_listen(name, address, port, NC_TI_OPENSSL);
663}
664
665API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame^]666nc_server_tls_endpt_set_address(const char *endpt_name, const char *address)
667{
668 return nc_server_endpt_set_address_port(endpt_name, address, 0, NC_TI_OPENSSL);
669}
670
671API int
672nc_server_tls_endpt_set_port(const char *endpt_name, uint16_t port)
673{
674 return nc_server_endpt_set_address_port(endpt_name, NULL, port, NC_TI_OPENSSL);
675}
676
677API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]678nc_server_tls_del_endpt(const char *name)
679{
680 return nc_server_del_endpt(name, NC_TI_OPENSSL);
681}
682
683static int
684nc_server_tls_set_cert(const char *cert, struct nc_server_tls_opts *opts)
685{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]686 X509 *x509_cert;
687
688 if (!cert) {
689 ERRARG;
690 return -1;
691 }
692
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]693 if (!opts->tls_ctx) {
694 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
695 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]696 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]697 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]698 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]699 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]700 }
701
702 x509_cert = base64der_to_cert(cert);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]703 if (!x509_cert || (SSL_CTX_use_certificate(opts->tls_ctx, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]704 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]705 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]706 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]707 }
708 X509_free(x509_cert);
709
710 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]711
712fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]713 return -1;
714}
715
716API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]717nc_server_tls_endpt_set_cert(const char *endpt_name, const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]718{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]719 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]720 struct nc_endpt *endpt;
721
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]722 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]723 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]724 return -1;
725 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]726 ret = nc_server_tls_set_cert(cert, endpt->ti_opts);
727 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]728
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]729 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]730}
731
732API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]733nc_server_tls_ch_set_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]734{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]735 int ret;
736
737 /* OPTS LOCK */
738 pthread_mutex_lock(&tls_ch_opts_lock);
739 ret = nc_server_tls_set_cert(cert, &tls_ch_opts);
740 /* OPTS UNLOCK */
741 pthread_mutex_unlock(&tls_ch_opts_lock);
742
743 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]744}
745
746static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]747nc_server_tls_set_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]748{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]749 if (!cert_path) {
750 ERRARG;
751 return -1;
752 }
753
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]754 if (!opts->tls_ctx) {
755 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
756 if (!opts->tls_ctx) {
757 ERR("Failed to create TLS context.");
758 goto fail;
759 }
760 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
761 }
762
763 if (SSL_CTX_use_certificate_file(opts->tls_ctx, cert_path, SSL_FILETYPE_PEM) != 1) {
764 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
765 goto fail;
766 }
767
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]768 return 0;
769
770fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]771 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]772}
773
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]774API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame^]775nc_server_tls_endpt_set_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]776{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]777 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]778 struct nc_endpt *endpt;
779
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]780 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]781 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]782 return -1;
783 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]784 ret = nc_server_tls_set_cert_path(cert_path, endpt->ti_opts);
785 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]786
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]787 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]788}
789
790API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]791nc_server_tls_ch_set_cert_path(const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]792{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]793 int ret;
794
795 /* OPTS LOCK */
796 pthread_mutex_lock(&tls_ch_opts_lock);
797 ret = nc_server_tls_set_cert_path(cert_path, &tls_ch_opts);
798 /* OPTS UNLOCK */
799 pthread_mutex_unlock(&tls_ch_opts_lock);
800
801 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]802}
803
804static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]805nc_server_tls_set_key(const char *privkey, int is_rsa, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]806{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]807 EVP_PKEY *key;;
808
809 if (!privkey) {
810 ERRARG;
811 return -1;
812 }
813
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]814 if (!opts->tls_ctx) {
815 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
816 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]817 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]818 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]819 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]820 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]821 }
822
823 key = base64der_to_privatekey(privkey, is_rsa);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]824 if (!key || (SSL_CTX_use_PrivateKey(opts->tls_ctx, key) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]825 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]826 EVP_PKEY_free(key);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]827 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]828 }
829 EVP_PKEY_free(key);
830
831 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]832
833fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]834 return -1;
835}
836
837API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]838nc_server_tls_endpt_set_key(const char *endpt_name, const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]839{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]840 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]841 struct nc_endpt *endpt;
842
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]843 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]844 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]845 return -1;
846 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]847 ret = nc_server_tls_set_key(privkey, is_rsa, endpt->ti_opts);
848 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]849
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]850 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]851}
852
853API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]854nc_server_tls_ch_set_key(const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]855{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]856 int ret;
857
858 /* OPTS LOCK */
859 pthread_mutex_lock(&tls_ch_opts_lock);
860 ret = nc_server_tls_set_key(privkey, is_rsa, &tls_ch_opts);
861 /* OPTS UNLOCK */
862 pthread_mutex_unlock(&tls_ch_opts_lock);
863
864 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]865}
866
867static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]868nc_server_tls_set_key_path(const char *privkey_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]869{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]870 if (!privkey_path) {
871 ERRARG;
872 return -1;
873 }
874
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]875 if (!opts->tls_ctx) {
876 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
877 if (!opts->tls_ctx) {
878 ERR("Failed to create TLS context.");
879 goto fail;
880 }
881 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
882 }
883
884 if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, privkey_path, SSL_FILETYPE_PEM) != 1) {
885 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
886 goto fail;
887 }
888
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]889 return 0;
890
891fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]892 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]893}
894
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]895API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]896nc_server_tls_endpt_set_key_path(const char *endpt_name, const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]897{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]898 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]899 struct nc_endpt *endpt;
900
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]901 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]902 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]903 return -1;
904 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]905 ret = nc_server_tls_set_key_path(privkey_path, endpt->ti_opts);
906 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]907
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]908 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]909}
910
911API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]912nc_server_tls_ch_set_key_path(const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]913{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]914 int ret;
915
916 /* OPTS LOCK */
917 pthread_mutex_lock(&tls_ch_opts_lock);
918 ret = nc_server_tls_set_key_path(privkey_path, &tls_ch_opts);
919 /* OPTS UNLOCK */
920 pthread_mutex_unlock(&tls_ch_opts_lock);
921
922 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]923}
924
925static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]926nc_server_tls_add_trusted_cert(const char *cert, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]927{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]928 X509_STORE *cert_store;
929 X509 *x509_cert;
930
931 if (!cert) {
932 ERRARG;
933 return -1;
934 }
935
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]936 if (!opts->tls_ctx) {
937 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
938 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]939 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]940 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]941 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]942 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]943 }
944
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]945 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]946 if (!cert_store) {
947 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]948 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]949 }
950
951 x509_cert = base64der_to_cert(cert);
952 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]953 ERR("Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]954 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]955 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]956 }
957 X509_free(x509_cert);
958
959 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]960
961fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]962 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]963}
964
965API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]966nc_server_tls_endpt_add_trusted_cert(const char *endpt_name, const char *cert)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]967{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]968 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]969 struct nc_endpt *endpt;
970
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]971 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]972 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]973 return -1;
974 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]975 ret = nc_server_tls_add_trusted_cert(cert, endpt->ti_opts);
976 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]977
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]978 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]979}
980
981API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]982nc_server_tls_ch_add_trusted_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]983{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]984 int ret;
985
986 /* OPTS LOCK */
987 pthread_mutex_lock(&tls_ch_opts_lock);
988 ret = nc_server_tls_add_trusted_cert(cert, &tls_ch_opts);
989 /* OPTS UNLOCK */
990 pthread_mutex_unlock(&tls_ch_opts_lock);
991
992 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]993}
994
995static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]996nc_server_tls_add_trusted_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]997{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]998 X509_STORE *cert_store;
999 X509 *x509_cert;
1000
1001 if (!cert_path) {
1002 ERRARG;
1003 return -1;
1004 }
1005
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1006 if (!opts->tls_ctx) {
1007 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1008 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1009 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1010 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1011 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1012 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1013 }
1014
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1015 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1016 if (!cert_store) {
1017 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1018 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1019 }
1020
1021 errno = 0;
1022 x509_cert = pem_to_cert(cert_path);
1023 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1024 ERR("Adding a trusted certificate failed (%s).",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1025 (errno ? strerror(errno) : ERR_reason_error_string(ERR_get_error())));
1026 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1027 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1028 }
1029 X509_free(x509_cert);
1030
1031 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1032
1033fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1034 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1035}
1036
1037API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1038nc_server_tls_endpt_add_trusted_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1039{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1040 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1041 struct nc_endpt *endpt;
1042
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1043 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1044 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1045 return -1;
1046 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1047 ret = nc_server_tls_add_trusted_cert_path(cert_path, endpt->ti_opts);
1048 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1049
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1050 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1051}
1052
1053API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1054nc_server_tls_ch_add_trusted_cert_path(const char *cert_path)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1055{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1056 int ret;
1057
1058 /* OPTS LOCK */
1059 pthread_mutex_lock(&tls_ch_opts_lock);
1060 ret = nc_server_tls_add_trusted_cert_path(cert_path, &tls_ch_opts);
1061 /* OPTS UNLOCK */
1062 pthread_mutex_unlock(&tls_ch_opts_lock);
1063
1064 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1065}
1066
1067static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1068nc_server_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1069{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1070 X509_STORE *cert_store;
1071 X509_LOOKUP *lookup;
1072
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1073 if (!ca_file && !ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1074 ERRARG;
1075 return -1;
1076 }
1077
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1078 if (!opts->tls_ctx) {
1079 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1080 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1081 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1082 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1083 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1084 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1085 }
1086
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1087 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1088 if (!cert_store) {
1089 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1090 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1091 }
1092
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1093 if (ca_file) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1094 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
1095 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1096 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1097 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1098 }
1099
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1100 if (X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1101 ERR("Failed to add a trusted cert file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1102 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1103 }
1104 }
1105
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1106 if (ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1107 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
1108 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1109 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1110 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1111 }
1112
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1113 if (X509_LOOKUP_add_dir(lookup, ca_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1114 ERR("Failed to add a trusted cert directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1115 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1116 }
1117 }
1118
1119 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1120
1121fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1122 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1123}
1124
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1125API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1126nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1127{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1128 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1129 struct nc_endpt *endpt;
1130
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1131 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1132 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1133 return -1;
1134 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1135 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->ti_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1136 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1137
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1138 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1139}
1140
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1141API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1142nc_server_tls_ch_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1143{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1144 int ret;
1145
1146 /* OPTS LOCK */
1147 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1148 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1149 /* OPTS UNLOCK */
1150 pthread_mutex_unlock(&tls_ch_opts_lock);
1151
1152 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1153}
1154
1155static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1156nc_server_tls_clear_certs(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1157{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1158 if (!opts->tls_ctx) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1159 return;
1160 }
1161
1162 SSL_CTX_free(opts->tls_ctx);
1163 opts->tls_ctx = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1164}
1165
1166API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1167nc_server_tls_endpt_clear_certs(const char *endpt_name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1168{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1169 struct nc_endpt *endpt;
1170
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1171 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1172 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1173 return;
1174 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1175 nc_server_tls_clear_certs(endpt->ti_opts);
1176 nc_server_endpt_unlock(endpt);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1177}
1178
1179API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1180nc_server_tls_ch_clear_certs(void)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1181{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1182 /* OPTS LOCK */
1183 pthread_mutex_lock(&tls_ch_opts_lock);
1184 nc_server_tls_clear_certs(&tls_ch_opts);
1185 /* OPTS UNLOCK */
1186 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1187}
1188
1189static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1190nc_server_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1191{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1192 X509_LOOKUP *lookup;
1193
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1194 if (!crl_file && !crl_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1195 ERRARG;
1196 return -1;
1197 }
1198
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1199 if (!opts->crl_store) {
1200 opts->crl_store = X509_STORE_new();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1201 }
1202
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1203 if (crl_file) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1204 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1205 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1206 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1207 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1208 }
1209
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1210 if (X509_LOOKUP_load_file(lookup, crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1211 ERR("Failed to add a revocation lookup file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1212 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1213 }
1214 }
1215
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1216 if (crl_dir) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1217 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1218 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1219 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1220 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1221 }
1222
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1223 if (X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1224 ERR("Failed to add a revocation lookup directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1225 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1226 }
1227 }
1228
1229 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1230
1231fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1232 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1233}
1234
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1235API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1236nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1237{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1238 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1239 struct nc_endpt *endpt;
1240
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1241 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1242 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1243 return -1;
1244 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1245 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->ti_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1246 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1247
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1248 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1249}
1250
1251API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1252nc_server_tls_ch_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1253{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1254 int ret;
1255
1256 /* OPTS LOCK */
1257 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1258 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1259 /* OPTS UNLOCK */
1260 pthread_mutex_unlock(&tls_ch_opts_lock);
1261
1262 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1263}
1264
1265static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1266nc_server_tls_clear_crls(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1267{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1268 if (!opts->crl_store) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1269 return;
1270 }
1271
1272 X509_STORE_free(opts->crl_store);
1273 opts->crl_store = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1274}
1275
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1276API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1277nc_server_tls_endpt_clear_crls(const char *endpt_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1278{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1279 struct nc_endpt *endpt;
1280
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1281 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1282 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1283 return;
1284 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1285 nc_server_tls_clear_crls(endpt->ti_opts);
1286 nc_server_endpt_unlock(endpt);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1287}
1288
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1289API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1290nc_server_tls_ch_clear_crls(void)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1291{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1292 /* OPTS LOCK */
1293 pthread_mutex_lock(&tls_ch_opts_lock);
1294 nc_server_tls_clear_crls(&tls_ch_opts);
1295 /* OPTS UNLOCK */
1296 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1297}
1298
1299static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1300nc_server_tls_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1301{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1302 struct nc_ctn *ctn, *new;
1303
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1304 if (!fingerprint || !map_type || ((map_type == NC_TLS_CTN_SPECIFIED) && !name)
1305 || ((map_type != NC_TLS_CTN_SPECIFIED) && name)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1306 ERRARG;
1307 return -1;
1308 }
1309
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1310 new = malloc(sizeof *new);
1311
1312 nc_ctx_lock(-1, NULL);
1313 new->fingerprint = lydict_insert(server_opts.ctx, fingerprint, 0);
1314 new->name = lydict_insert(server_opts.ctx, name, 0);
1315 nc_ctx_unlock();
1316 new->id = id;
1317 new->map_type = map_type;
1318 new->next = NULL;
1319
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1320 if (!opts->ctn) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1321 /* the first item */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1322 opts->ctn = new;
1323 } else if (opts->ctn->id > id) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1324 /* insert at the beginning */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1325 new->next = opts->ctn;
1326 opts->ctn = new;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1327 } else {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1328 for (ctn = opts->ctn; ctn->next && ctn->next->id <= id; ctn = ctn->next);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1329 /* insert after ctn */
1330 new->next = ctn->next;
1331 ctn->next = new;
1332 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1333
1334 return 0;
1335}
1336
1337API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1338nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1339{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1340 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1341 struct nc_endpt *endpt;
1342
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1343 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1344 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1345 return -1;
1346 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1347 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
1348 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1349
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1350 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1351}
1352
1353API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1354nc_server_tls_ch_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1355{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1356 int ret;
1357
1358 /* OPTS LOCK */
1359 pthread_mutex_lock(&tls_ch_opts_lock);
1360 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1361 /* OPTS UNLOCK */
1362 pthread_mutex_unlock(&tls_ch_opts_lock);
1363
1364 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1365}
1366
1367static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1368nc_server_tls_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1369{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1370 struct nc_ctn *ctn, *next, *prev;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1371 int ret = -1;
1372
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1373 if ((id < 0) && !fingerprint && !map_type && !name) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1374 ctn = opts->ctn;
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1375 nc_ctx_lock(-1, NULL);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1376 while (ctn) {
1377 lydict_remove(server_opts.ctx, ctn->fingerprint);
1378 lydict_remove(server_opts.ctx, ctn->name);
1379
1380 next = ctn->next;
1381 free(ctn);
1382 ctn = next;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1383
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1384 ret = 0;
1385 }
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1386 nc_ctx_unlock();
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1387 opts->ctn = NULL;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1388 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1389 prev = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1390 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1391 while (ctn) {
1392 if (((id < 0) || (ctn->id == id))
1393 && (!fingerprint || !strcmp(ctn->fingerprint, fingerprint))
1394 && (!map_type || (ctn->map_type == map_type))
1395 && (!name || (ctn->name && !strcmp(ctn->name, name)))) {
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1396 nc_ctx_lock(-1, NULL);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1397 lydict_remove(server_opts.ctx, ctn->fingerprint);
1398 lydict_remove(server_opts.ctx, ctn->name);
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1399 nc_ctx_unlock();
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1400
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1401 if (prev) {
1402 prev->next = ctn->next;
1403 next = ctn->next;
1404 } else {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1405 opts->ctn = ctn->next;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1406 next = ctn->next;
1407 }
1408 free(ctn);
1409 ctn = next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1410
1411 ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1412 } else {
1413 prev = ctn;
1414 ctn = ctn->next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1415 }
1416 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1417 }
1418
1419 return ret;
1420}
1421
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1422API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1423nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1424{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1425 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1426 struct nc_endpt *endpt;
1427
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1428 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1429 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1430 return -1;
1431 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1432 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
1433 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1434
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1435 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1436}
1437
1438API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1439nc_server_tls_ch_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1440{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1441 int ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1442
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1443 /* OPTS LOCK */
1444 pthread_mutex_lock(&tls_ch_opts_lock);
1445 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1446 /* OPTS UNLOCK */
1447 pthread_mutex_unlock(&tls_ch_opts_lock);
1448
1449 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1450}
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1451
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1452void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1453nc_server_tls_clear_opts(struct nc_server_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1454{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1455 nc_server_tls_clear_certs(opts);
1456 nc_server_tls_clear_crls(opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1457 nc_server_tls_del_ctn(-1, NULL, 0, NULL, opts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1458}
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1459
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1460API void
1461nc_server_tls_ch_clear_opts(void)
1462{
1463 /* OPTS LOCK */
1464 pthread_mutex_lock(&tls_ch_opts_lock);
1465 nc_server_tls_clear_opts(&tls_ch_opts);
1466 /* OPTS UNLOCK */
1467 pthread_mutex_unlock(&tls_ch_opts_lock);
1468}
1469
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1470static void
1471nc_tls_make_verify_key(void)
1472{
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1473 pthread_key_create(&verify_key, NULL);
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1474}
1475
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1476API int
1477nc_connect_callhome_tls(const char *host, uint16_t port, int timeout, struct nc_session **session)
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1478{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1479 return nc_connect_callhome(host, port, NC_TI_OPENSSL, timeout, session);
1480}
1481
1482int
1483nc_accept_tls_session(struct nc_session *session, int sock, int timeout)
1484{
1485 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1486 struct pollfd pfd;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1487 struct timespec old_ts, new_ts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1488 int ret, elapsed = 0;
1489
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1490 opts = session->ti_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1491
1492 pfd.fd = sock;
1493 pfd.events = POLLIN;
1494 pfd.revents = 0;
1495
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1496 if (timeout > 0) {
1497 clock_gettime(CLOCK_MONOTONIC_RAW, &old_ts);
1498 }
1499
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1500 /* poll for a new connection */
1501 errno = 0;
1502 ret = poll(&pfd, 1, timeout);
1503 if (!ret) {
1504 /* we timeouted */
1505 close(sock);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1506 return 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1507 } else if (ret == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1508 ERR("poll failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1509 close(sock);
1510 return -1;
1511 }
1512
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1513 if (timeout > 0) {
1514 /* decrease timeout */
1515 clock_gettime(CLOCK_MONOTONIC_RAW, &new_ts);
1516
1517 elapsed = (new_ts.tv_sec - old_ts.tv_sec) * 1000;
1518 elapsed += (new_ts.tv_nsec - old_ts.tv_nsec) / 1000000;
1519 }
1520
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1521 /* data waiting, prepare session */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1522 session->ti_type = NC_TI_OPENSSL;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1523
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1524 session->ti.tls = SSL_new(opts->tls_ctx);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1525
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1526 if (!session->ti.tls) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1527 ERR("Failed to create TLS structure from context.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1528 close(sock);
1529 return -1;
1530 }
1531
1532 SSL_set_fd(session->ti.tls, sock);
1533 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1534
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1535 /* store session on per-thread basis */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1536 pthread_once(&verify_once, nc_tls_make_verify_key);
1537 pthread_setspecific(verify_key, session);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1538
1539 ret = SSL_accept(session->ti.tls);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1540
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1541 if (ret != 1) {
1542 switch (SSL_get_error(session->ti.tls, ret)) {
1543 case SSL_ERROR_SYSCALL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1544 ERR("SSL_accept failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1545 break;
1546 case SSL_ERROR_SSL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1547 ERR("SSL_accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1548 break;
1549 default:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1550 ERR("SSL_accept failed.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1551 break;
1552 }
1553 return -1;
1554 }
1555
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1556 return 1;
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1557}