diff --git a/src/session.c b/src/session.c index 83f3a8aa..8304a4d3 100644 --- a/src/session.c +++ b/src/session.c @@ -809,7 +809,6 @@ nc_session_free_transport(struct nc_session *session, int *multisession) session->ti.tls.config = NULL; if (session->side == NC_SERVER) { - // TODO nc_tls_cert_destroy_wrap(session->opts.server.client_cert); } diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c index 17b03a86..1a53620b 100644 --- a/src/session_mbedtls.c +++ b/src/session_mbedtls.c @@ -427,6 +427,24 @@ nc_server_tls_set_tls_versions_wrap(void *tls_cfg, unsigned int tls_versions) return 0; } +static mbedtls_x509_crt * +nc_tls_cert_dup(const mbedtls_x509_crt *cert) +{ + mbedtls_x509_crt *new_cert; + + new_cert = nc_tls_cert_new_wrap(); + if (!new_cert) { + return NULL; + } + + if (mbedtls_x509_crt_parse_der(new_cert, cert->raw.p, cert->raw.len)) { + free(new_cert); + return NULL; + } + + return new_cert; +} + static int nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32_t *flags) { @@ -468,6 +486,13 @@ nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32 return MBEDTLS_ERR_X509_ALLOC_FAILED; } else if (!ret) { /* success */ + if ((depth == 0) && (!data->session->opts.server.client_cert)) { + /* copy the client cert */ + data->session->opts.server.client_cert = nc_tls_cert_dup(cert); + if (!data->session->opts.server.client_cert) { + return MBEDTLS_ERR_X509_ALLOC_FAILED; + } + } return 0; } else { if (depth > 0) { diff --git a/src/session_openssl.c b/src/session_openssl.c index 3891dc7b..83a5b933 100644 --- a/src/session_openssl.c +++ b/src/session_openssl.c @@ -387,6 +387,11 @@ nc_server_tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) return 0; } else if (!ret) { /* success */ + if ((depth == 0) && (!data->session->opts.server.client_cert)) { + /* copy the client cert */ + data->session->opts.server.client_cert = X509_dup(cert); + NC_CHECK_ERRMEM_RET(!data->session->opts.server.client_cert, 0); + } return 1; } else { if (depth > 0) {