tlshd: Match ingress certificates with defined TLS session tags

TLS session tags are defined in /etc/tlshd/tags.d. Each tag one or
more filter expressions that match against fields in the x.509
certificate presented by a client peer.

When a handshake is successful, tlshd parses the peer's certificate
and applies the filters to the fields in the certificate. When the
tag's set of filters all match, the tag's name is added to the tag
list for the session.

A subsequent patch will pass the list to the kernel upon handshake
completion.

Suggested-by: Benjamin Coddington <[email protected]>
Signed-off-by: Chuck Lever <[email protected]>

Author: chucklever

configure.ac

@@ -88,6 +88,12 @@ AC_CHECK_LIB([gnutls], [gnutls_get_system_config_file],
 AC_CHECK_LIB([gnutls], [gnutls_psk_allocate_client_credentials2],
              [AC_DEFINE([HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2], [1],
                         [Define to 1 if you have the gnutls_psk_allocate_client_credentials2 function.])])
+AC_CHECK_LIB([glib-2.0], [g_pattern_spec_match],
+             [AC_DEFINE([HAVE_GLIB_G_PATTERN_SPEC_MATCH], [1],
+                        [Define to 1 if you have the g_pattern_spec_match function.])])
+AC_CHECK_LIB([glib-2.0], [g_pattern_spec_match_string],
+             [AC_DEFINE([HAVE_GLIB_G_PATTERN_SPEC_MATCH_STRING], [1],
+                        [Define to 1 if you have the g_pattern_spec_match_string function.])])
 
 AC_MSG_CHECKING(for ML-DSA support in gnutls)
 AC_COMPILE_IFELSE(

src/tlshd/server.c

@@ -460,6 +460,8 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
 		}
 	}
 
+	tlshd_tags_match_session(session);
+
 	gnutls_deinit(session);
 
 out_free_certs: