
Commit 5fd7862

Roytakmichalvasko
authored and committed
session openssl UPDATE enable partial chains
With partial chains enabled, the peer can be authenticated even if, e.g., there is a chain client <- intermediateCA <- rootCA and only rootCA is configured on the server. Fixes CESNET/netopeer2#1735
1 parent c423d37 commit 5fd7862

4 files changed

+36
-4
lines changed


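--- a/src/session_client_tls.c
+++ b/src/session_client_tls.c
@@ -293,7 +293,9 @@ nc_client_tls_session_new(int sock, const char *host, int timeout, struct nc_cli
     }
 
     /* set client's verify mode flags */
-    nc_client_tls_set_verify_wrap(tls_cfg);
+    if (nc_client_tls_set_verify_wrap(tls_cfg)) {
+        goto fail;
+    }
 
     /* init TLS context and store data which may be needed later in it */
     if (nc_tls_init_ctx_wrap(cli_cert, cli_pkey, cert_store, crl_store, tls_ctx)) {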

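--- a/src/session_mbedtls.c
+++ b/src/session_mbedtls.c
@@ -674,10 +674,11 @@ nc_server_tls_set_verify_wrap(void *tls_cfg, struct nc_tls_verify_cb_data *cb_da
     mbedtls_ssl_conf_verify(tls_cfg, nc_server_tls_verify_cb, cb_data);
 }
 
-void
+int
 nc_client_tls_set_verify_wrap(void *tls_cfg)
 {
     mbedtls_ssl_conf_authmode(tls_cfg, MBEDTLS_SSL_VERIFY_REQUIRED);
+    return 0;
 }
 
 char *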
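Review bot: The mbedTLS variant of nc_client_tls_set_verify_wrap now returns 0 but has no counterpart to the partial-chain flag the OpenSSL variant sets, so the two backends' behaviour for a chain whose only configured CA is an intermediate is not obviously the same. As far as I recall, mbedTLS's chain walk stops as soon as it finds the issuer in the trusted CA set, which would make such chains accepted by default, but that should be confirmed against the mbedTLS version the project builds with. Either way a one-line comment would stop the next reader from hunting for the missing flag, e.g. `/* partial chains: mbedTLS treats any trusted CA found while walking the chain as an anchor, nothing to enable here (verified for the used version) */` above the return.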

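--- a/src/session_openssl.c
+++ b/src/session_openssl.c
@@ -407,10 +407,38 @@ nc_server_tls_set_verify_wrap(void *tls_cfg, struct nc_tls_verify_cb_data *cb_da
     SSL_CTX_set_verify(tls_cfg, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_server_tls_verify_cb);
 }
 
-void
+int
 nc_client_tls_set_verify_wrap(void *tls_cfg)
 {
+    int ret = 0;
+    X509_VERIFY_PARAM *vpm = NULL;
+
+    /* set the verify flag */
     SSL_CTX_set_verify(tls_cfg, SSL_VERIFY_PEER, NULL);
+
+    vpm = X509_VERIFY_PARAM_new();
+    NC_CHECK_ERRMEM_RET(!vpm, 1);
+
+    /* set the partial chain flag to allow verification of a certificate chain
+     * to succeed even if the chain is not complete.
+     * See https://github.com/openssl/openssl/issues/7871
+     * This is not set for the server, because all the CA certs in the chain
+     * may be needed for CTN, so such partial chain cases are handled manually. */
+    if (!X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN)) {
+        ERR(NULL, "Setting X509_V_FLAG_PARTIAL_CHAIN flag failed (%s).", ERR_reason_error_string(ERR_get_error()));
+        ret = 1;
+        goto cleanup;
+    }
+
+    if (!SSL_CTX_set1_param(tls_cfg, vpm)) {
+        ERR(NULL, "Failed to set verify param (%s).", ERR_reason_error_string(ERR_get_error()));
+        ret = 1;
+        goto cleanup;
+    }
+
+cleanup:
+    X509_VERIFY_PARAM_free(vpm);
+    return ret;
 }
 
 char *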
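Review bot: `ERR_reason_error_string(ERR_get_error())` on new lines 428 and 434 can return NULL when the error queue is empty or the code is unknown, and a NULL passed to `%s` is undefined behaviour; X509_VERIFY_PARAM_set_flags in particular does not queue an error on the failure path in the OpenSSL versions I know, so that branch would most likely log a null string. A small guard such as `const char *reason = ERR_reason_error_string(ERR_get_error());` followed by `reason ? reason : "unknown error"` in the ERR() call avoids it. Separately, the allocate/set1/free sequence could be reduced to `X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(tls_cfg), X509_V_FLAG_PARTIAL_CHAIN)`, which edits the context's own parameters in place and removes the cleanup label; if SSL_CTX_set1_param is kept, it is worth a comment that it merges (ORs the flags) into the existing parameters rather than replacing them, so nothing previously configured on tls_cfg should be lost.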

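--- a/src/session_wrapper.h
+++ b/src/session_wrapper.h
@@ -219,8 +219,9 @@ void nc_server_tls_set_verify_wrap(void *tls_cfg, struct nc_tls_verify_cb_data *
  * @brief Set TLS client's verify flags.
  *
  * @param[in] tls_cfg TLS configuration.
+ * @return 0 on success, 1 on error.
  */
-void nc_client_tls_set_verify_wrap(void *tls_cfg);
+int nc_client_tls_set_verify_wrap(void *tls_cfg);
 
 /**
  * @brief Verify the certificate.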
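Review bot: The Doxygen brief still reads only "Set TLS client's verify flags", while the OpenSSL implementation behind this prototype now also enables X509_V_FLAG_PARTIAL_CHAIN, which is a trust-model change callers should be able to read from the header: any CA in the client's trust store, not only a self-signed root, becomes an accepted trust anchor. Suggest extending the brief, e.g. ` * @brief Set TLS client's verify flags; with OpenSSL, partial chains are also allowed (a trusted intermediate CA suffices as the anchor).`.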
