server config BUGFIX handle delete on client-auth

roman · michalvasko · commit f1d2a5407336 · 2024-08-23T10:50:56.000+02:00
diff --git a/src/server_config.c b/src/server_config.c
@@ -763,11 +763,16 @@ nc_server_config_del_certs(struct nc_cert_grouping *certs_grp)
             free(certs_grp->certs[i].name);
             free(certs_grp->certs[i].data);
         }
+        certs_grp->cert_count = 0;
         free(certs_grp->certs);
         certs_grp->certs = NULL;
     } else if (certs_grp->store == NC_STORE_TRUSTSTORE) {
         free(certs_grp->ts_ref);
+        certs_grp->ts_ref = NULL;
     }
+
+    /* reset to the default */
+    certs_grp->store = NC_STORE_LOCAL;
 }
 
 static void
@@ -2965,6 +2970,115 @@ nc_server_config_asymmetric_key(const struct lyd_node *node, NC_OPERATION op)
     return ret;
 }
 
+static int
+nc_server_config_client_authentication(const struct lyd_node *node, NC_OPERATION op)
+{
+    int ret = 0;
+    struct nc_server_tls_opts *opts;
+    struct nc_ch_client *ch_client = NULL;
+
+    assert(!strcmp(LYD_NAME(node), "client-authentication"));
+
+    /* only do something on delete and if we're in the TLS subtree,
+     * because this is a presence container unlike its SSH counterpart */
+    if (!is_tls(node) || (op != NC_OP_DELETE)) {
+        return 0;
+    }
+
+    /* LOCK */
+    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
+        /* to avoid unlock on fail */
+        return 1;
+    }
+
+    if (nc_server_config_get_tls_opts(node, ch_client, &opts)) {
+        ret = 1;
+        goto cleanup;
+    }
+
+    nc_server_config_del_certs(&opts->ca_certs);
+    nc_server_config_del_certs(&opts->ee_certs);
+
+cleanup:
+    if (is_ch(node)) {
+        /* UNLOCK */
+        nc_ch_client_unlock(ch_client);
+    }
+    return ret;
+}
+
+static int
+nc_server_config_ca_certs(const struct lyd_node *node, NC_OPERATION op)
+{
+    int ret = 0;
+    struct nc_server_tls_opts *opts;
+    struct nc_ch_client *ch_client = NULL;
+
+    assert(!strcmp(LYD_NAME(node), "ca-certs"));
+
+    /* only do something on delete and if we're in the TLS subtree,
+     * because SSH certs are not yet supported */
+    if (!is_tls(node) || (op != NC_OP_DELETE)) {
+        return 0;
+    }
+
+    /* LOCK */
+    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
+        /* to avoid unlock on fail */
+        return 1;
+    }
+
+    if (nc_server_config_get_tls_opts(node, ch_client, &opts)) {
+        ret = 1;
+        goto cleanup;
+    }
+
+    nc_server_config_del_certs(&opts->ca_certs);
+
+cleanup:
+    if (is_ch(node)) {
+        /* UNLOCK */
+        nc_ch_client_unlock(ch_client);
+    }
+    return ret;
+}
+
+static int
+nc_server_config_ee_certs(const struct lyd_node *node, NC_OPERATION op)
+{
+    int ret = 0;
+    struct nc_server_tls_opts *opts;
+    struct nc_ch_client *ch_client = NULL;
+
+    assert(!strcmp(LYD_NAME(node), "ee-certs"));
+
+    /* only do something on delete and if we're in the TLS subtree,
+     * because SSH certs are not yet supported */
+    if (!is_tls(node) || (op != NC_OP_DELETE)) {
+        return 0;
+    }
+
+    /* LOCK */
+    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
+        /* to avoid unlock on fail */
+        return 1;
+    }
+
+    if (nc_server_config_get_tls_opts(node, ch_client, &opts)) {
+        ret = 1;
+        goto cleanup;
+    }
+
+    nc_server_config_del_certs(&opts->ee_certs);
+
+cleanup:
+    if (is_ch(node)) {
+        /* UNLOCK */
+        nc_ch_client_unlock(ch_client);
+    }
+    return ret;
+}
+
 static int
 nc_server_config_create_ca_certs_certificate(const struct lyd_node *node, struct nc_server_tls_opts *opts)
 {
@@ -3795,6 +3909,12 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, NC_OPERATION
         ret = nc_server_config_cert_data(node, op);
     } else if (!strcmp(name, "asymmetric-key")) {
         ret = nc_server_config_asymmetric_key(node, op);
+    } else if (!strcmp(name, "client-authentication")) {
+        ret = nc_server_config_client_authentication(node, op);
+    } else if (!strcmp(name, "ca-certs")) {
+        ret = nc_server_config_ca_certs(node, op);
+    } else if (!strcmp(name, "ee-certs")) {
+        ret = nc_server_config_ee_certs(node, op);
     } else if (!strcmp(name, "certificate")) {
         ret = nc_server_config_certificate(node, op);
     } else if (!strcmp(name, "cert-to-name")) {
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
@@ -766,6 +766,30 @@ nc_server_tls_accept_check(int accept_ret, void *tls_session)
     return accept_ret;
 }
 
+/**
+ * @brief Get the number of certificates in a certificate grouping.
+ *
+ * @param[in] certs_grp Certificate grouping to get the number of certificates from.
+ * @return Number of certificates in the grouping, or -1 on error.
+ */
+static uint16_t
+nc_server_tls_get_num_certs(struct nc_cert_grouping *certs_grp)
+{
+    uint16_t count = 0;
+    struct nc_certificate *certs;
+
+    if (certs_grp->store == NC_STORE_LOCAL) {
+        count = certs_grp->cert_count;
+    } else if (certs_grp->store == NC_STORE_TRUSTSTORE) {
+        if (nc_server_tls_truststore_ref_get_certs(certs_grp->ts_ref, &certs, &count)) {
+            ERR(NULL, "Getting CA certificates from the truststore reference \"%s\" failed.", certs_grp->ts_ref);
+            return -1;
+        }
+    }
+
+    return count;
+}
+
 int
 nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opts, int sock, int timeout)
 {
@@ -774,6 +798,7 @@ nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opt
     struct nc_tls_verify_cb_data cb_data = {0};
     struct nc_endpt *referenced_endpt;
     void *tls_cfg, *srv_cert, *srv_pkey, *cert_store, *crl_store;
+    uint32_t cert_count = 0;
 
     tls_cfg = srv_cert = srv_pkey = cert_store = crl_store = NULL;
 
@@ -818,6 +843,20 @@ nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opt
         }
     }
 
+    /* Check if there are no CA/end entity certs configured, which is a valid config.
+     * However, that would imply not using TLS for auth, which is not (yet) supported */
+    if (!opts->referenced_endpt_name) {
+        cert_count = nc_server_tls_get_num_certs(&opts->ca_certs) + nc_server_tls_get_num_certs(&opts->ee_certs);
+    } else {
+        cert_count = nc_server_tls_get_num_certs(&opts->ca_certs) + nc_server_tls_get_num_certs(&opts->ee_certs) +
+                nc_server_tls_get_num_certs(&referenced_endpt->opts.tls->ca_certs) +
+                nc_server_tls_get_num_certs(&referenced_endpt->opts.tls->ee_certs);
+    }
+    if (cert_count <= 0) {
+        ERR(session, "Neither CA nor end-entity certificates configured.");
+        goto fail;
+    }
+
     if (nc_session_tls_crl_from_cert_ext_fetch(srv_cert, cert_store, &crl_store)) {
         ERR(session, "Loading server CRL failed.");
         goto fail;
