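--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -235,7 +235,8 @@ tlshd_x509_retrieve_key_cb(gnutls_session_t session,
 static int tlshd_client_x509_verify_function(gnutls_session_t session,
 struct tlshd_handshake_parms *parms)
 {
-unsigned int status;
+const gnutls_datum_t *peercerts;
+unsigned int i, status, num_peercerts;
 int ret;
 
 ret = gnutls_certificate_verify_peers3(session, parms->peername,
@@ -251,6 +252,32 @@ static int tlshd_client_x509_verify_function(gnutls_session_t session,
 * to get picky. Kernel would have to tell us what to look for
 * via a netlink attribute. */
 
+peercerts = gnutls_certificate_get_peers(session, &num_peercerts);
+if (!peercerts || num_peercerts == 0) {
+tlshd_log_debug("The peer cert list is empty.\n");
+return GNUTLS_E_CERTIFICATE_ERROR;
+}
+
+tlshd_log_debug("The peer offered %u certificate(s).\n",
+num_peercerts);
+
+for (i = 0; i < num_peercerts; i++) {
+gnutls_x509_crt_t cert;
+key_serial_t peerid;
+
+gnutls_x509_crt_init(&cert);
+ret = gnutls_x509_crt_import(cert, &peercerts[i],
+GNUTLS_X509_FMT_DER);
+if (ret != GNUTLS_E_SUCCESS) {
+tlshd_log_gnutls_error(ret);
+gnutls_x509_crt_deinit(cert);
+return GNUTLS_E_CERTIFICATE_ERROR;
+}
+peerid = tlshd_keyring_create_cert(cert, parms->peername);
+g_array_append_val(parms->remote_peerids, peerid);
+gnutls_x509_crt_deinit(cert);
+}
+
 return GNUTLS_E_SUCCESS;
 }
 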
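Review bot: `gnutls_x509_crt_init(&cert)` in the loop of the second hunk discards its return value, so an allocation failure leaves `cert` unset and the following `gnutls_x509_crt_import` and `gnutls_x509_crt_deinit` operate on an uninitialised handle; the same pattern appears in the matching loop in src/tlshd/server.c. The return of `tlshd_keyring_create_cert` is also appended to `parms->remote_peerids` without inspection; if that helper can fail (its convention is not visible here), the error value ends up in the peer-id array, so a check before `g_array_append_val` seems warranted. As a point of style, the two `tlshd_log_debug` messages here end in `\n` while the identical messages in server.c do not; one form should be used in both files. The function's verification logic between the two hunks is outside this view.
```c
	for (i = 0; i < num_peercerts; i++) {
		gnutls_x509_crt_t cert;
		key_serial_t peerid;

		ret = gnutls_x509_crt_init(&cert);
		if (ret != GNUTLS_E_SUCCESS) {
			tlshd_log_gnutls_error(ret);
			return GNUTLS_E_CERTIFICATE_ERROR;
		}
		/* … unchanged: import, keyring create, append, deinit … */
	}
```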
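--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -178,9 +178,10 @@ static int tlshd_server_get_truststore(gnutls_certificate_credentials_t cred)
 * verification failed. The server sends an ALERT to the client.
 */
 static int tlshd_server_x509_verify_function(gnutls_session_t session,
-__attribute__ ((unused)) struct tlshd_handshake_parms *parms)
+struct tlshd_handshake_parms *parms)
 {
-unsigned int status;
+const gnutls_datum_t *peercerts;
+unsigned int i, status, num_peercerts;
 int ret;
 
 ret = gnutls_certificate_verify_peers3(session, NULL, &status);
@@ -201,6 +202,32 @@ static int tlshd_server_x509_verify_function(gnutls_session_t session,
 * to get picky. Kernel would have to tell us what to look for
 * via a netlink attribute. */
 
+peercerts = gnutls_certificate_get_peers(session, &num_peercerts);
+if (!peercerts || num_peercerts == 0) {
+tlshd_log_debug("The peer cert list is empty.");
+goto certificate_error;
+}
+
+tlshd_log_debug("The peer offered %u certificate(s).",
+num_peercerts);
+
+for (i = 0; i < num_peercerts; i++) {
+gnutls_x509_crt_t cert;
+key_serial_t peerid;
+
+gnutls_x509_crt_init(&cert);
+ret = gnutls_x509_crt_import(cert, &peercerts[i],
+GNUTLS_X509_FMT_DER);
+if (ret != GNUTLS_E_SUCCESS) {
+tlshd_log_gnutls_error(ret);
+gnutls_x509_crt_deinit(cert);
+return GNUTLS_E_CERTIFICATE_ERROR;
+}
+peerid = tlshd_keyring_create_cert(cert, parms->peername);
+g_array_append_val(parms->remote_peerids, peerid);
+gnutls_x509_crt_deinit(cert);
+}
+
 return GNUTLS_E_SUCCESS;
 
 certificate_error: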
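Review bot: The import-failure branch inside the loop of the second hunk does `return GNUTLS_E_CERTIFICATE_ERROR;` while the empty-list check a few lines above uses `goto certificate_error;`; the label's body lies past the end of the hunk, but if it is what sends the ALERT that the function's header comment promises, an unparseable certificate skips that step. Changing the line after `gnutls_x509_crt_deinit(cert);` to `goto certificate_error;` makes both failure paths behave the same. Note also that a failure on the second or later certificate leaves the earlier `peerid` values already appended to `parms->remote_peerids`; whether the caller discards that array on a failed handshake is not visible here. The tail of the function, including `certificate_error`, is outside the hunk.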