session server tls UPDATE username from CA certs

Before this commit cert-to-name tried to obtain the client's username solely from the client's certificate. With this commit the CA certs used to verify the client cert are also used.
CESNET · Jul 4, 2024 · 7251b0d · 7251b0d
1 parent fd20a50
commit 7251b0d
Show file tree

Hide file tree

Showing 4 changed files with 311 additions and 188 deletions.
diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c
@@ -464,6 +464,38 @@ nc_tls_cert_dup(const mbedtls_x509_crt *cert)
     return new_cert;
 }
 
+/**
+ * @brief Duplicate a certificate and append it to a chain.
+ *
+ * @param[in] cert Certificate to duplicate and append.
+ * @param[in,out] chain Chain to append the certificate to.
+ * @return 0 on success, -1 on error.
+ */
+static int
+nc_server_tls_append_cert_to_chain(mbedtls_x509_crt *cert, mbedtls_x509_crt **chain)
+{
+    mbedtls_x509_crt *iter, *copy;
+
+    copy = nc_tls_cert_dup(cert);
+    if (!copy) {
+        return -1;
+    }
+
+    if (!*chain) {
+        /* first in the list */
+        *chain = copy;
+    } else {
+        /* find the last cert */
+        iter = *chain;
+        while (iter->next) {
+            iter = iter->next;
+        }
+        iter->next = copy;
+    }
+
+    return 0;
+}
+
 /**
  * @brief Verify a certificate.
  *
@@ -480,6 +512,13 @@ nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32
     struct nc_tls_verify_cb_data *data = cb_data;
     char *err;
 
+    /* append to the chain we're building */
+    ret = nc_server_tls_append_cert_to_chain(cert, (mbedtls_x509_crt **)&data->chain);
+    if (ret) {
+        nc_tls_cert_destroy_wrap(data->chain);
+        return MBEDTLS_ERR_X509_ALLOC_FAILED;
+    }
+
     if (!*flags) {
         /* in-built verification was successful */
         ret = nc_server_tls_verify_cert(cert, depth, 1, data);
@@ -509,6 +548,11 @@ nc_server_tls_verify_cb(void *cb_data, mbedtls_x509_crt *cert, int depth, uint32
         }
     }
 
+    if ((ret == -1) || (depth == 0)) {
+        /* free the chain */
+        nc_tls_cert_destroy_wrap(data->chain);
+    }
+
     if (ret == -1) {
         /* fatal error */
         return MBEDTLS_ERR_X509_ALLOC_FAILED;
@@ -653,6 +697,36 @@ nc_tls_get_san_value_type_wrap(void *sans, int idx, char **san_value, NC_TLS_CTN
     return ret;
 }
 
+int
+nc_tls_get_num_certs_wrap(void *chain)
+{
+    mbedtls_x509_crt *iter;
+    int n = 0;
+
+    /* chain is a linked list */
+    iter = chain;
+    while (iter) {
+        ++n;
+        iter = iter->next;
+    }
+
+    return n;
+}
+
+void
+nc_tls_get_cert_wrap(void *chain, int idx, void **cert)
+{
+    int i;
+    mbedtls_x509_crt *iter;
+
+    iter = chain;
+    for (i = 0; i < idx; i++) {
+        iter = iter->next;
+    }
+
+    *cert = iter;
+}
+
 int
 nc_server_tls_certs_match_wrap(void *cert1, void *cert2)
 {

diff --git a/src/session_openssl.c b/src/session_openssl.c
@@ -309,6 +309,19 @@ nc_server_tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
         return 0;
     }
     data = SSL_CTX_get_ex_data(ctx, 0);
+    if (!data) {
+        ERRINT;
+        return 0;
+    }
+
+    /* get the cert chain once */
+    if (!data->chain) {
+        data->chain = X509_STORE_CTX_get0_chain(x509_ctx);
+        if (!data->chain) {
+            ERRINT;
+            return 0;
+        }
+    }
 
     /* get current cert and its depth */
     cert = X509_STORE_CTX_get_current_cert(x509_ctx);
@@ -473,6 +486,18 @@ nc_tls_get_san_value_type_wrap(void *sans, int idx, char **san_value, NC_TLS_CTN
     return ret;
 }
 
+int
+nc_tls_get_num_certs_wrap(void *chain)
+{
+    return sk_X509_num(chain);
+}
+
+void
+nc_tls_get_cert_wrap(void *chain, int idx, void **cert)
+{
+    *cert = sk_X509_value(chain, idx);
+}
+
 int
 nc_server_tls_certs_match_wrap(void *cert1, void *cert2)
 {