session wrapper UPDATE store client cert in sess

CESNET · May 14, 2024 · 2b9ce8c · 2b9ce8c
1 parent e64c2cc
commit 2b9ce8c
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 1 deletion.
diff --git a/src/session.c b/src/session.c
@@ -809,7 +809,6 @@ nc_session_free_transport(struct nc_session *session, int *multisession)
         session->ti.tls.config = NULL;
 
         if (session->side == NC_SERVER) {
-            // TODO
             nc_tls_cert_destroy_wrap(session->opts.server.client_cert);
         }
 

diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c
@@ -427,6 +427,24 @@ nc_server_tls_set_tls_versions_wrap(void *tls_cfg, unsigned int tls_versions)
     return 0;
 }
 
+static mbedtls_x509_crt *
+nc_tls_cert_dup(const mbedtls_x509_crt *cert)
+{
+    mbedtls_x509_crt *new_cert;
+
+    new_cert = nc_tls_cert_new_wrap();
+    if (!new_cert) {
+        return NULL;
+    }
+
+    if (mbedtls_x509_crt_parse_der(new_cert, cert->raw.p, cert->raw.len)) {
+        free(new_cert);
+        return NULL;
+    }
+
+    return new_cert;
+}
+
 static int
 nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32_t *flags)
 {
@@ -468,6 +486,13 @@ nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32
         return MBEDTLS_ERR_X509_ALLOC_FAILED;
     } else if (!ret) {
         /* success */
+        if ((depth == 0) && (!data->session->opts.server.client_cert)) {
+            /* copy the client cert */
+            data->session->opts.server.client_cert = nc_tls_cert_dup(cert);
+            if (!data->session->opts.server.client_cert) {
+                return MBEDTLS_ERR_X509_ALLOC_FAILED;
+            }
+        }
         return 0;
     } else {
         if (depth > 0) {

diff --git a/src/session_openssl.c b/src/session_openssl.c
@@ -387,6 +387,11 @@ nc_server_tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
         return 0;
     } else if (!ret) {
         /* success */
+        if ((depth == 0) && (!data->session->opts.server.client_cert)) {
+            /* copy the client cert */
+            data->session->opts.server.client_cert = X509_dup(cert);
+            NC_CHECK_ERRMEM_RET(!data->session->opts.server.client_cert, 0);
+        }
         return 1;
     } else {
         if (depth > 0) {