From 39e4122b06b77dc827fd1bfe5a1947ce71c10b0d Mon Sep 17 00:00:00 2001
From: Balazs Scheidler <balazs.scheidler@axoflow.com>
Date: Sun, 2 Jun 2024 17:37:35 +0200
Subject: [PATCH] tls-session: change trusted-keys() validation

trusted-keys() is an alternative trust anchor, e.g. we don't need to
have a valid peer certificate in this case. Even if it is invalid,
trusted-keys() can forcibly accept it.

This was not the case thus far, it was an _additional_ restriction.

Signed-off-by: Balazs Scheidler <balazs.scheidler@axoflow.com>
---
 lib/transport/tls-session.c | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/lib/transport/tls-session.c b/lib/transport/tls-session.c
index 04386166f5..1cb24ee079 100644
--- a/lib/transport/tls-session.c
+++ b/lib/transport/tls-session.c
@@ -123,10 +123,13 @@ tls_session_verify_fingerprint(X509_STORE_CTX *ctx)
   if (!cert)
     return match;
 
+
   hash = g_string_sized_new(EVP_MAX_MD_SIZE * 3);
 
   if (tls_get_x509_digest(cert, hash))
     {
+      msg_debug("Validating certificate against trusted-keys()",
+                evt_tag_str("x509-digest", hash->str));
       do
         {
           if (strcmp((const gchar *)(current_fingerprint->data), hash->str) == 0)
@@ -195,11 +198,30 @@ tls_session_verify(TLSSession *self, int ok, X509_STORE_CTX *ctx)
 
   int ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx);
   /* accept certificate if its fingerprint matches, again regardless whether x509 certificate validation was successful */
-  if (ok && ctx_error_depth == 0 && !tls_session_verify_fingerprint(ctx))
+
+  if (ctx_error_depth == 0 && self->ctx->trusted_fingerprint_list)
     {
-      msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting",
-                 tls_context_format_location_tag(self->ctx));
-      return 0;
+      /* trusted-keys() is present */
+      if (ok)
+        {
+          /* this is an extra constraint */
+          if (!tls_session_verify_fingerprint(ctx))
+            {
+              msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting",
+                         tls_context_format_location_tag(self->ctx));
+              return 0;
+            }
+        }
+      else
+        {
+          /* this is a trust anchor that forces the key to be valid */
+          if (tls_session_verify_fingerprint(ctx))
+            {
+              msg_notice("Certificate accepted due to being present on trusted-keys()",
+                         tls_context_format_location_tag(self->ctx));
+              return 1;
+            }
+        }
     }
 
   X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);