session openssl BUGFIX enable auto chain building

Roytak · michalvasko · commit c423d37f9871 · 2025-06-09T11:01:33.000+02:00
diff --git a/src/session_client_tls.c b/src/session_client_tls.c
@@ -304,7 +304,7 @@ nc_client_tls_session_new(int sock, const char *host, int timeout, struct nc_cli
     cli_cert = cli_pkey = cert_store = crl_store = NULL;
 
     /* setup config from ctx */
-    if (nc_tls_setup_config_from_ctx_wrap(tls_ctx, NC_CLIENT, tls_cfg)) {
+    if (nc_tls_setup_config_from_ctx_wrap(tls_ctx, tls_cfg)) {
         goto fail;
     }
 
diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c
@@ -295,14 +295,29 @@ nc_tls_session_destroy_wrap(void *tls_session)
 }
 
 void *
-nc_tls_config_new_wrap(int UNUSED(side))
+nc_tls_config_new_wrap(int side)
 {
+    int r;
     mbedtls_ssl_config *tls_cfg;
 
     tls_cfg = malloc(sizeof *tls_cfg);
     NC_CHECK_ERRMEM_RET(!tls_cfg, NULL);
 
     mbedtls_ssl_config_init(tls_cfg);
+
+    /* set default config data */
+    if (side == NC_SERVER) {
+        r = mbedtls_ssl_config_defaults(tls_cfg, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
+    } else {
+        r = mbedtls_ssl_config_defaults(tls_cfg, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
+    }
+    if (r) {
+        nc_mbedtls_strerr(NULL, r, "Setting default TLS config failed");
+        mbedtls_ssl_config_free(tls_cfg);
+        free(tls_cfg);
+        return NULL;
+    }
+
     return tls_cfg;
 }
 
@@ -1143,27 +1158,15 @@ nc_tls_init_ctx_wrap(void *cert, void *pkey, void *cert_store, void *crl_store,
 }
 
 int
-nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, int side, void *tls_cfg)
+nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, void *tls_cfg)
 {
-    int rc;
-
-    /* set default config data */
-    if (side == NC_SERVER) {
-        rc = mbedtls_ssl_config_defaults(tls_cfg, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
-    } else {
-        rc = mbedtls_ssl_config_defaults(tls_cfg, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
-    }
-    if (rc) {
-        nc_mbedtls_strerr(NULL, rc, "Setting default TLS config failed");
-        return 1;
-    }
-
     /* set config's rng */
     mbedtls_ssl_conf_rng(tls_cfg, mbedtls_ctr_drbg_random, tls_ctx->ctr_drbg);
     /* set config's cert and key */
     mbedtls_ssl_conf_own_cert(tls_cfg, tls_ctx->cert, tls_ctx->pkey);
     /* set config's CA and CRL cert store */
     mbedtls_ssl_conf_ca_chain(tls_cfg, tls_ctx->cert_store, tls_ctx->crl_store);
+
     return 0;
 }
 
diff --git a/src/session_openssl.c b/src/session_openssl.c
@@ -777,7 +777,7 @@ nc_tls_move_crls_to_store(const X509_STORE *src, X509_STORE *dst)
 }
 
 int
-nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, int side, void *tls_cfg)
+nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, void *tls_cfg)
 {
     if (SSL_CTX_use_certificate(tls_cfg, tls_ctx->cert) != 1) {
         ERR(NULL, "Setting up TLS certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
@@ -789,11 +789,6 @@ nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, int side, void *tl
         return 1;
     }
 
-    /* disable server-side automatic chain building */
-    if (side == NC_SERVER) {
-        SSL_CTX_set_mode(tls_cfg, SSL_MODE_NO_AUTO_CHAIN);
-    }
-
     if (tls_ctx->crl_store) {
         /* move CRLs from crl_store to cert_store, because SSL_CTX can only have one store */
         if (nc_tls_move_crls_to_store(tls_ctx->crl_store, tls_ctx->cert_store)) {
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
@@ -885,7 +885,7 @@ nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opt
     srv_cert = srv_pkey = cert_store = crl_store = NULL;
 
     /* setup config from ctx */
-    if (nc_tls_setup_config_from_ctx_wrap(&session->ti.tls.ctx, NC_SERVER, tls_cfg)) {
+    if (nc_tls_setup_config_from_ctx_wrap(&session->ti.tls.ctx, tls_cfg)) {
         goto fail;
     }
     session->ti.tls.config = tls_cfg;
diff --git a/src/session_wrapper.h b/src/session_wrapper.h
@@ -451,11 +451,10 @@ int nc_tls_init_ctx_wrap(void *cert, void *pkey, void *cert_store, void *crl_sto
  * @brief Setup a TLS configuration from a TLS context.
  *
  * @param[in] tls_ctx TLS context.
- * @param[in] side Side of the TLS connection.
  * @param[in,out] tls_cfg TLS configuration.
  * @return 0 on success, non-zero on fail.
  */
-int nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, int side, void *tls_cfg);
+int nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, void *tls_cfg);
 
 /**
  * @brief Get the error code from a TLS session's verification.

Original file line number	Diff line number	Diff line change
`@@ -304,7 +304,7 @@ nc_client_tls_session_new(int sock, const char *host, int timeout, struct nc_cli`
`304`	`304`	`cli_cert = cli_pkey = cert_store = crl_store = NULL;`
`305`	`305`
`306`	`306`	`/* setup config from ctx */`
`307`		`- if (nc_tls_setup_config_from_ctx_wrap(tls_ctx, NC_CLIENT, tls_cfg)) {`
	`307`	`+ if (nc_tls_setup_config_from_ctx_wrap(tls_ctx, tls_cfg)) {`
`308`	`308`	`goto fail;`
`309`	`309`	`}`
`310`	`310`
Original file line number	Diff line number	Diff line change
`@@ -777,7 +777,7 @@ nc_tls_move_crls_to_store(const X509_STORE src, X509_STORE dst)`
`777`	`777`	`}`
`778`	`778`
`779`	`779`	`int`
`780`		`-nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx tls_ctx, int side, void tls_cfg)`
	`780`	`+nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx tls_ctx, void tls_cfg)`
`781`	`781`	`{`
`782`	`782`	`if (SSL_CTX_use_certificate(tls_cfg, tls_ctx->cert) != 1) {`
`783`	`783`	`ERR(NULL, "Setting up TLS certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));`
`@@ -789,11 +789,6 @@ nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx tls_ctx, int side, void tl`
`789`	`789`	`return 1;`
`790`	`790`	`}`
`791`	`791`
`792`		`- /* disable server-side automatic chain building */`
`793`		`- if (side == NC_SERVER) {`
`794`		`- SSL_CTX_set_mode(tls_cfg, SSL_MODE_NO_AUTO_CHAIN);`
`795`		`- }`
`796`		`-`
`797`	`792`	`if (tls_ctx->crl_store) {`
`798`	`793`	`/* move CRLs from crl_store to cert_store, because SSL_CTX can only have one store */`
`799`	`794`	`if (nc_tls_move_crls_to_store(tls_ctx->crl_store, tls_ctx->cert_store)) {`
Original file line number	Diff line number	Diff line change
`@@ -885,7 +885,7 @@ nc_accept_tls_session(struct nc_session session, struct nc_server_tls_opts opt`
`885`	`885`	`srv_cert = srv_pkey = cert_store = crl_store = NULL;`
`886`	`886`
`887`	`887`	`/* setup config from ctx */`
`888`		`- if (nc_tls_setup_config_from_ctx_wrap(&session->ti.tls.ctx, NC_SERVER, tls_cfg)) {`
	`888`	`+ if (nc_tls_setup_config_from_ctx_wrap(&session->ti.tls.ctx, tls_cfg)) {`
`889`	`889`	`goto fail;`
`890`	`890`	`}`
`891`	`891`	`session->ti.tls.config = tls_cfg;`