CTN: obtain client's username from both CA certs and the client cert #491

Merged
merged 1 commit into from
Jul 4, 2024
74 changes: 74 additions & 0 deletions src/session_mbedtls.c
Expand Up @@ -464,6 +464,38 @@ nc_tls_cert_dup(const mbedtls_x509_crt *cert)
return new_cert;
}

/**
* @brief Duplicate a certificate and append it to a chain.
*
* @param[in] cert Certificate to duplicate and append.
* @param[in,out] chain Chain to append the certificate to.
* @return 0 on success, -1 on error.
*/
static int
nc_server_tls_append_cert_to_chain(mbedtls_x509_crt *cert, mbedtls_x509_crt **chain)
{
mbedtls_x509_crt *iter, *copy;

copy = nc_tls_cert_dup(cert);
if (!copy) {
return -1;
}

if (!*chain) {
/* first in the list */
*chain = copy;
} else {
/* find the last cert */
iter = *chain;
while (iter->next) {
iter = iter->next;
}
iter->next = copy;
}

return 0;
}

/**
* @brief Verify a certificate.
*
Expand All @@ -480,6 +512,13 @@ nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32
struct nc_tls_verify_cb_data *data = cb_data;
char *err;

/* append to the chain we're building */
ret = nc_server_tls_append_cert_to_chain(cert, (mbedtls_x509_crt **)&data->chain);
if (ret) {
nc_tls_cert_destroy_wrap(data->chain);
return MBEDTLS_ERR_X509_ALLOC_FAILED;
}

if (!*flags) {
/* in-built verification was successful */
ret = nc_server_tls_verify_cert(cert, depth, 1, data);
Expand Down Expand Up @@ -509,6 +548,11 @@ nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32
}
}

if ((ret == -1) || (depth == 0)) {
/* free the chain */
nc_tls_cert_destroy_wrap(data->chain);
}

if (ret == -1) {
/* fatal error */
return MBEDTLS_ERR_X509_ALLOC_FAILED;
Expand Down Expand Up @@ -653,6 +697,36 @@ nc_tls_get_san_value_type_wrap(void *sans, int idx, char **san_value, NC_TLS_CTN
return ret;
}

int
nc_tls_get_num_certs_wrap(void *chain)
{
mbedtls_x509_crt *iter;
int n = 0;

/* chain is a linked list */
iter = chain;
while (iter) {
++n;
iter = iter->next;
}

return n;
}

void
nc_tls_get_cert_wrap(void *chain, int idx, void **cert)
{
int i;
mbedtls_x509_crt *iter;

iter = chain;
for (i = 0; i < idx; i++) {
iter = iter->next;
}

*cert = iter;
}

int
nc_server_tls_certs_match_wrap(void *cert1, void *cert2)
{
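Review bot: `data->chain` is left dangling after both `nc_tls_cert_destroy_wrap(data->chain)` calls in nc_server_tls_verify_cb (after the failed append and in the `(ret == -1) || (depth == 0)` branch), so a later invocation of the callback, or a second handshake that reuses the same cb_data, would append to, read or free an already-freed chain; add `data->chain = NULL;` directly after each destroy. nc_tls_get_cert_wrap also walks `iter->next` with no bounds check, so an `idx` at or beyond the value returned by nc_tls_get_num_certs_wrap dereferences NULL; `if (!iter) break;` inside the loop, leaving `*cert` NULL, lets the CTN caller see the failure instead of crashing. If mbedTLS invokes the callback from the trust anchor down to depth 0, index 0 of this list is the topmost CA whereas index 0 of the OpenSSL stack is the leaf, which is worth confirming against the CTN lookup code since that code maps a certificate to a username. nc_server_tls_verify_cb begins and ends outside the hunks.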
25 changes: 25 additions & 0 deletions src/session_openssl.c
Expand Up @@ -309,6 +309,19 @@ nc_server_tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
return 0;
}
data = SSL_CTX_get_ex_data(ctx, 0);
if (!data) {
ERRINT;
return 0;
}

/* get the cert chain once */
if (!data->chain) {
data->chain = X509_STORE_CTX_get0_chain(x509_ctx);
if (!data->chain) {
ERRINT;
return 0;
}
}

/* get current cert and its depth */
cert = X509_STORE_CTX_get_current_cert(x509_ctx);
Expand Down Expand Up @@ -473,6 +486,18 @@ nc_tls_get_san_value_type_wrap(void *sans, int idx, char **san_value, NC_TLS_CTN
return ret;
}

int
nc_tls_get_num_certs_wrap(void *chain)
{
return sk_X509_num(chain);
}

void
nc_tls_get_cert_wrap(void *chain, int idx, void **cert)
{
*cert = sk_X509_value(chain, idx);
}

int
nc_server_tls_certs_match_wrap(void *cert1, void *cert2)
{
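Review bot: `data->chain` is filled from `X509_STORE_CTX_get0_chain()` only while it is NULL, and that stack is borrowed from the `X509_STORE_CTX`, which exists only for the duration of this verification; nothing in the hunk resets the pointer afterwards. If the `nc_tls_verify_cb_data` reached via `SSL_CTX_get_ex_data(ctx, 0)` outlives the handshake or is shared between connections, the next handshake skips the refresh and keeps using a freed chain that belonged to a different peer. Unless the caller clears it, taking the chain on every callback, `data->chain = X509_STORE_CTX_get0_chain(x509_ctx);` with the NULL check kept, costs nothing and removes the stale-pointer case; a comment stating that the pointer is borrowed and must not be used after verification returns would also help the mbedTLS side, where the chain is owned. nc_server_tls_verify_cb starts and ends outside the hunk.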