Skip to content

Commit

Permalink
session server tls BUGFIX check all matching CTNs
Browse files Browse the repository at this point in the history
  • Loading branch information
@michalvasko
Roytak authored and michalvasko committed Aug 7, 2023
1 parent 21fa225 commit be39192
Showing 1 changed file with 55 additions and 77 deletions.
132 changes: 55 additions & 77 deletions src/session_server_tls.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
*username = strdup(common_name);
if (!*username) {
ERRMEM;
return 1;
return -1;
}
free(subject);
} else {
Expand All @@ -240,7 +240,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
#endif
if (!*username) {
ERRMEM;
return 1;
return -1;
}
break;
}
Expand All @@ -255,7 +255,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
#endif
if (!*username) {
ERRMEM;
return 1;
return -1;
}
break;
}
Expand Down Expand Up @@ -314,26 +314,31 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type

/* return: 0 - OK, 1 - no match, -1 - error */
static int
nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
nc_tls_cert_to_name(struct nc_session *session, struct nc_ctn *ctn_first, X509 *cert)
{
char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
unsigned char *buf = malloc(64);
unsigned int buf_len = 64;
int ret = 0;
struct nc_ctn *ctn;
NC_TLS_CTN_MAPTYPE map_type;
char *username = NULL;

if (!buf) {
ERRMEM;
return -1;
}

if (!ctn_first || !cert || !map_type || !name) {
if (!session || !ctn_first || !cert) {
free(buf);
return -1;
}

for (ctn = ctn_first; ctn; ctn = ctn->next) {
/* reset map_type */
map_type = NC_TLS_CTN_UNKNOWN;

/* first make sure the entry is valid */
if (!ctn->fingerprint || !ctn->map_type || ((ctn->map_type == NC_TLS_CTN_SPECIFIED) && !ctn->name)) {
VRB(NULL, "Cert verify CTN: entry with id %u not valid, skipping.", ctn->id);
Expand All @@ -352,13 +357,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
}

if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
/* we got ourselves a winner! */
/* we got ourselves a potential winner! */
VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
*map_type = ctn->map_type;
if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
*name = ctn->name;
}
break;
map_type = ctn->map_type;
}

/* SHA-1 */
Expand All @@ -373,13 +374,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
}

if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
/* we got ourselves a winner! */
/* we got ourselves a potential winner! */
VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
*map_type = ctn->map_type;
if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
*name = ctn->name;
}
break;
map_type = ctn->map_type;
}

/* SHA-224 */
Expand All @@ -394,13 +391,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
}

if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
/* we got ourselves a winner! */
/* we got ourselves a potential winner! */
VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
*map_type = ctn->map_type;
if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
*name = ctn->name;
}
break;
map_type = ctn->map_type;
}

/* SHA-256 */
Expand All @@ -415,13 +408,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
}

if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
/* we got ourselves a winner! */
/* we got ourselves a potential winner! */
VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
*map_type = ctn->map_type;
if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
*name = ctn->name;
}
break;
map_type = ctn->map_type;
}

/* SHA-384 */
Expand All @@ -436,13 +425,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
}

if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
/* we got ourselves a winner! */
/* we got ourselves a potential winner! */
VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
*map_type = ctn->map_type;
if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
*name = ctn->name;
}
break;
map_type = ctn->map_type;
}

/* SHA-512 */
Expand All @@ -457,18 +442,45 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
}

if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
/* we got ourselves a winner! */
/* we got ourselves a potential winner! */
VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
*map_type = ctn->map_type;
if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
*name = ctn->name;
}
break;
map_type = ctn->map_type;
}

/* unknown */
} else {
WRN(NULL, "Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
continue;
}

if (map_type != NC_TLS_CTN_UNKNOWN) {
/* found a fingerprint match */
if (map_type == NC_TLS_CTN_SPECIFIED) {
/* specified -> get username from the ctn entry */
session->username = strdup(ctn->name);
if (!session->username) {
ERRMEM;
ret = -1;
goto cleanup;
}
} else {
/* try to get the username from the cert with this ctn's map type */
ret = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &username);
if (ret == -1) {
/* fatal error */
goto cleanup;
} else if (ret) {
/* didn't get username, try next ctn entry */
continue;
}

/* success */
session->username = username;
}

/* matching fingerprint found and username obtained, success */
ret = 0;
goto cleanup;
}
}

Expand Down Expand Up @@ -507,8 +519,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
const ASN1_INTEGER *serial;
int i, n, rc, depth;
char *cp;
const char *username = NULL;
NC_TLS_CTN_MAPTYPE map_type = 0;
const ASN1_TIME *last_update = NULL, *next_update = NULL;

/* get the thread session */
Expand Down Expand Up @@ -655,8 +665,7 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
}

/* cert-to-name */
rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);

rc = nc_tls_cert_to_name(session, opts->ctn, cert);
if (rc) {
if (rc == -1) {
/* fatal error */
Expand All @@ -666,20 +675,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
goto fail;
}

/* cert-to-name match, now to extract the specific field from the peer cert */
if (map_type == NC_TLS_CTN_SPECIFIED) {
session->username = strdup(username);
} else {
rc = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &cp);
if (rc) {
if (rc == -1) {
depth = 0;
}
goto fail;
}
session->username = cp;
}

VRB(NULL, "Cert verify CTN: new client username recognized as \"%s\".", session->username);

if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
Expand Down Expand Up @@ -721,8 +716,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
long serial;
int i, n, rc, depth;
char *cp;
const char *username = NULL;
NC_TLS_CTN_MAPTYPE map_type = 0;
ASN1_TIME *last_update = NULL, *next_update = NULL;

/* get the thread session */
Expand Down Expand Up @@ -869,8 +862,7 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
}

/* cert-to-name */
rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);

rc = nc_tls_cert_to_name(session, opts->ctn, cert);
if (rc) {
if (rc == -1) {
/* fatal error */
Expand All @@ -880,20 +872,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
goto fail;
}

/* cert-to-name match, now to extract the specific field from the peer cert */
if (map_type == NC_TLS_CTN_SPECIFIED) {
session->username = strdup(username);
} else {
rc = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &cp);
if (rc) {
if (rc == -1) {
depth = 0;
}
goto fail;
}
session->username = cp;
}

VRB(session, "Cert verify CTN: new client username recognized as \"%s\".", session->username);

if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
Expand Down

0 comments on commit be39192

Please sign in to comment.