
Commit be39192

Roytakmichalvasko
authored and committed
session server tls BUGFIX check all matching CTNs
1 parent 21fa225 commit be39192

1 file changed

+55
-77
lines changed


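--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -215,7 +215,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
 *username = strdup(common_name);
 if (!*username) {
 ERRMEM;
-return 1;
+return -1;
 }
 free(subject);
 } else {
@@ -240,7 +240,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
 #endif
 if (!*username) {
 ERRMEM;
-return 1;
+return -1;
 }
 break;
 }
@@ -255,7 +255,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
 #endif
 if (!*username) {
 ERRMEM;
-return 1;
+return -1;
 }
 break;
 }
@@ -314,26 +314,31 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
 
 /* return: 0 - OK, 1 - no match, -1 - error */
 static int
-nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
+nc_tls_cert_to_name(struct nc_session *session, struct nc_ctn *ctn_first, X509 *cert)
 {
 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
 unsigned char *buf = malloc(64);
 unsigned int buf_len = 64;
 int ret = 0;
 struct nc_ctn *ctn;
+NC_TLS_CTN_MAPTYPE map_type;
+char *username = NULL;
 
 if (!buf) {
 ERRMEM;
 return -1;
 }
 
-if (!ctn_first || !cert || !map_type || !name) {
+if (!session || !ctn_first || !cert) {
 free(buf);
 return -1;
 }
 
 for (ctn = ctn_first; ctn; ctn = ctn->next) {
+/* reset map_type */
+map_type = NC_TLS_CTN_UNKNOWN;
+
 /* first make sure the entry is valid */
 if (!ctn->fingerprint || !ctn->map_type || ((ctn->map_type == NC_TLS_CTN_SPECIFIED) && !ctn->name)) {
 VRB(NULL, "Cert verify CTN: entry with id %u not valid, skipping.", ctn->id);
@@ -352,13 +357,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
 }
 
 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
-/* we got ourselves a winner! */
+/* we got ourselves a potential winner! */
 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
-*map_type = ctn->map_type;
-if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
-*name = ctn->name;
-}
-break;
+map_type = ctn->map_type;
 }
 
 /* SHA-1 */
@@ -373,13 +374,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
 }
 
 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
-/* we got ourselves a winner! */
+/* we got ourselves a potential winner! */
 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
-*map_type = ctn->map_type;
-if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
-*name = ctn->name;
-}
-break;
+map_type = ctn->map_type;
 }
 
 /* SHA-224 */
@@ -394,13 +391,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
 }
 
 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
-/* we got ourselves a winner! */
+/* we got ourselves a potential winner! */
 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
-*map_type = ctn->map_type;
-if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
-*name = ctn->name;
-}
-break;
+map_type = ctn->map_type;
 }
 
 /* SHA-256 */
@@ -415,13 +408,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
 }
 
 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
-/* we got ourselves a winner! */
+/* we got ourselves a potential winner! */
 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
-*map_type = ctn->map_type;
-if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
-*name = ctn->name;
-}
-break;
+map_type = ctn->map_type;
 }
 
 /* SHA-384 */
@@ -436,13 +425,9 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
 }
 
 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
-/* we got ourselves a winner! */
+/* we got ourselves a potential winner! */
 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
-*map_type = ctn->map_type;
-if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
-*name = ctn->name;
-}
-break;
+map_type = ctn->map_type;
 }
 
 /* SHA-512 */
@@ -457,18 +442,45 @@ nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *ma
 }
 
 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
-/* we got ourselves a winner! */
+/* we got ourselves a potential winner! */
 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
-*map_type = ctn->map_type;
-if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
-*name = ctn->name;
-}
-break;
+map_type = ctn->map_type;
 }
 
 /* unknown */
 } else {
 WRN(NULL, "Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
+continue;
+}
+
+if (map_type != NC_TLS_CTN_UNKNOWN) {
+/* found a fingerprint match */
+if (map_type == NC_TLS_CTN_SPECIFIED) {
+/* specified -> get username from the ctn entry */
+session->username = strdup(ctn->name);
+if (!session->username) {
+ERRMEM;
+ret = -1;
+goto cleanup;
+}
+} else {
+/* try to get the username from the cert with this ctn's map type */
+ret = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &username);
+if (ret == -1) {
+/* fatal error */
+goto cleanup;
+} else if (ret) {
+/* didn't get username, try next ctn entry */
+continue;
+}
+
+/* success */
+session->username = username;
+}
+
+/* matching fingerprint found and username obtained, success */
+ret = 0;
+goto cleanup;
 }
 }
 
@@ -507,8 +519,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
 const ASN1_INTEGER *serial;
 int i, n, rc, depth;
 char *cp;
-const char *username = NULL;
-NC_TLS_CTN_MAPTYPE map_type = 0;
 const ASN1_TIME *last_update = NULL, *next_update = NULL;
 
 /* get the thread session */
@@ -655,8 +665,7 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
 }
 
 /* cert-to-name */
-rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
-
+rc = nc_tls_cert_to_name(session, opts->ctn, cert);
 if (rc) {
 if (rc == -1) {
 /* fatal error */
@@ -666,20 +675,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
 goto fail;
 }
 
-/* cert-to-name match, now to extract the specific field from the peer cert */
-if (map_type == NC_TLS_CTN_SPECIFIED) {
-session->username = strdup(username);
-} else {
-rc = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &cp);
-if (rc) {
-if (rc == -1) {
-depth = 0;
-}
-goto fail;
-}
-session->username = cp;
-}
-
 VRB(NULL, "Cert verify CTN: new client username recognized as \"%s\".", session->username);
 
 if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
@@ -721,8 +716,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
 long serial;
 int i, n, rc, depth;
 char *cp;
-const char *username = NULL;
-NC_TLS_CTN_MAPTYPE map_type = 0;
 ASN1_TIME *last_update = NULL, *next_update = NULL;
 
 /* get the thread session */
@@ -869,8 +862,7 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
 }
 
 /* cert-to-name */
-rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
-
+rc = nc_tls_cert_to_name(session, opts->ctn, cert);
 if (rc) {
 if (rc == -1) {
 /* fatal error */
@@ -880,20 +872,6 @@ nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
 goto fail;
 }
 
-/* cert-to-name match, now to extract the specific field from the peer cert */
-if (map_type == NC_TLS_CTN_SPECIFIED) {
-session->username = strdup(username);
-} else {
-rc = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &cp);
-if (rc) {
-if (rc == -1) {
-depth = 0;
-}
-goto fail;
-}
-session->username = cp;
-}
-
 VRB(session, "Cert verify CTN: new client username recognized as \"%s\".", session->username);
 
 if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {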
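Review bot: The contract comment left unchanged above the new nc_tls_cert_to_name signature, `/* return: 0 - OK, 1 - no match, -1 - error */`, no longer says that the result is delivered by writing `session->username`, which is the only thing the two callers in nc_tlsclb_verify read after the call; suggest `/* return: 0 - OK (session->username set), 1 - no match, -1 - error */`. The new assignments `session->username = strdup(ctn->name);` and `session->username = username;` overwrite without freeing, so if the verify callback can reach this path more than once for the same session (OpenSSL invokes it once per chain depth) the earlier string would leak — worth confirming against the depth handling outside these hunks. The removed caller blocks were the users of `cp` for the extracted username, yet `char *cp;` is still declared in both copies of nc_tlsclb_verify, so if nothing else reads it the declaration should go as well. The end of the CTN loop and the `cleanup` label lie outside the last nc_tls_cert_to_name hunk; when every fingerprint-matching entry yields "no username" the loop exits with `ret` left at 1 by the last call, so the post-loop "no match" handling should be checked to agree with that value.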
