From 8d993c71a7a9b0d8b98be8f2db6758a6bd218435 Mon Sep 17 00:00:00 2001
From: Marc Huber <Marc.Huber@web.de>
Date: Thu, 30 Jan 2025 14:11:31 +0100
Subject: [PATCH] tac_plus-ng: next step of tls rpk support code

---
 tac_plus-ng/config.c  | 62 ++++++++++++++++++++++++++++++++++++++++++-
 tac_plus-ng/headers.h |  4 +++
 tac_plus-ng/main.c    | 19 ++++++++++++-
 3 files changed, 83 insertions(+), 2 deletions(-)

diff --git a/tac_plus-ng/config.c b/tac_plus-ng/config.c
index b0bf0e6..096d464 100644
--- a/tac_plus-ng/config.c
+++ b/tac_plus-ng/config.c
@@ -291,6 +291,17 @@ void complete_realm(tac_realm *r)
 	    r->alpn_vec_len = rp->alpn_vec_len;
 	RS(tls_accept_expired, TRISTATE_DUNNO);
 	RS(default_host->tls_peer_cert_validation, S_unknown);
+
+	if (!r->default_host->tls_client_cert_type_len) {
+	    r->default_host->tls_client_cert_type[0] = r->parent->default_host->tls_client_cert_type[0];
+	    r->default_host->tls_client_cert_type[1] = r->parent->default_host->tls_client_cert_type[1];
+	    r->default_host->tls_client_cert_type_len = r->default_host->parent->tls_client_cert_type_len;
+	}
+	if (!r->default_host->tls_server_cert_type_len) {
+	    r->default_host->tls_server_cert_type[0] = r->parent->default_host->tls_server_cert_type[0];
+	    r->default_host->tls_server_cert_type[1] = r->parent->default_host->tls_server_cert_type[1];
+	    r->default_host->tls_server_cert_type_len = r->parent->default_host->tls_server_cert_type_len;
+	}
 #endif
 #undef RS
 #define RS(A) if(r->A < 0) r->A = rp->A;
@@ -2102,6 +2113,10 @@ void parse_decls_real(struct sym *sym, tac_realm *r)
 	case S_host:
 	case S_device:
 	case S_tls_peer_cert_validation:
+#if OPENSSL_VERSION_NUMBER >= 0x30200000
+	case S_tls_client_cert_type:
+	case S_tls_server_cert_type:
+#endif
 	    parse_host_attr(sym, r, r->default_host);
 	    continue;
 	case S_haproxy:
@@ -3629,6 +3644,10 @@ static void parse_host_attr(struct sym *sym, tac_realm *r, tac_host *host)
 	case S_tls_peer_cert_sha256:
 	case S_tls_peer_cert_validation:
 	case S_tls_peer_cert_rpk:
+#if OPENSSL_VERSION_NUMBER >= 0x30200000
+	case S_tls_client_cert_type:
+	case S_tls_server_cert_type:
+#endif
 #endif
 	    break;
 	default:
@@ -3643,7 +3662,7 @@ static void parse_host_attr(struct sym *sym, tac_realm *r, tac_host *host)
 			       S_tls,
 #endif
 #if defined(WITH_SSL)
-			       S_tls_peer_cert_sha1, S_tls_peer_cert_sha256, S_tls_peer_cert_rpk,
+			       S_tls_peer_cert_sha1, S_tls_peer_cert_sha256, S_tls_peer_cert_rpk, S_tls_client_cert_type, S_tls_server_cert_type,
 #endif
 			       S_unknown);
 	}
@@ -4109,6 +4128,44 @@ static void parse_host_attr(struct sym *sym, tac_realm *r, tac_host *host)
 	    sym_get(sym);
 	    break;
 	}
+#if OPENSSL_VERSION_NUMBER >= 0x30200000
+    case S_tls_client_cert_type:
+	sym_get(sym);
+	parse(sym, S_equal);
+	do {
+	    u_char cert_type = 0;
+	    if (sym->code == S_x509)
+		cert_type = TLSEXT_cert_type_x509;
+	    else if (sym->code == S_rpk)
+		cert_type = TLSEXT_cert_type_rpk;
+	    else
+		parse_error_expect(sym, S_x509, S_rpk, S_unknown);
+	    sym_get(sym);
+	    host->tls_client_cert_type[1] = host->tls_client_cert_type[0];
+	    host->tls_client_cert_type[0] = cert_type;
+	    if (host->tls_client_cert_type_len < 2)
+		host->tls_client_cert_type_len++;
+	} while (parse_comma(sym));
+	break;
+    case S_tls_server_cert_type:
+	sym_get(sym);
+	parse(sym, S_equal);
+	do {
+	    u_char cert_type = 0;
+	    if (sym->code == S_x509)
+		cert_type = TLSEXT_cert_type_x509;
+	    else if (sym->code == S_rpk)
+		cert_type = TLSEXT_cert_type_rpk;
+	    else
+		parse_error_expect(sym, S_x509, S_rpk, S_unknown);
+	    sym_get(sym);
+	    host->tls_server_cert_type[1] = host->tls_server_cert_type[0];
+	    host->tls_server_cert_type[0] = cert_type;
+	    if (host->tls_server_cert_type_len < 2)
+		host->tls_server_cert_type_len++;
+	} while (parse_comma(sym));
+	break;
+#endif
 #endif
     default:
 	parse_error_expect(sym, S_host, S_device, S_parent, S_authentication, S_permit,
@@ -4117,6 +4174,9 @@ static void parse_host_attr(struct sym *sym, tac_realm *r, tac_host *host)
 			   S_singleconnection, S_debug, S_connection, S_context, S_script, S_target_realm,
 #if defined(WITH_SSL) && !defined(OPENSSL_NO_PSK)
 			   S_tls,
+#if OPENSSL_VERSION_NUMBER >= 0x30200000
+			   S_tls_client_cert_type, S_tls_server_cert_type,
+#endif
 #endif
 #if defined(WITH_SSL)
 			   S_tls_peer_cert_sha1, S_tls_peer_cert_sha256,
diff --git a/tac_plus-ng/headers.h b/tac_plus-ng/headers.h
index 4588409..7332e86 100644
--- a/tac_plus-ng/headers.h
+++ b/tac_plus-ng/headers.h
@@ -243,6 +243,10 @@ struct tac_host {
     size_t tls_psk_key_len;
     struct fingerprint *fingerprint;	// set via MAVIS
     enum token tls_peer_cert_validation;
+    u_char tls_client_cert_type[2];
+    u_char tls_server_cert_type[2];
+    size_t tls_client_cert_type_len;
+    size_t tls_server_cert_type_len;
 #endif
 };
 
diff --git a/tac_plus-ng/main.c b/tac_plus-ng/main.c
index 1610f48..be67f4d 100644
--- a/tac_plus-ng/main.c
+++ b/tac_plus-ng/main.c
@@ -990,6 +990,16 @@ void complete_host(tac_host *h)
 	}
 #endif
 	HS(tls_peer_cert_validation, S_unknown);
+	if (!h->tls_client_cert_type_len) {
+	    h->tls_client_cert_type[0] = h->parent->tls_client_cert_type[0];
+	    h->tls_client_cert_type[1] = h->parent->tls_client_cert_type[1];
+	    h->tls_client_cert_type_len = h->parent->tls_client_cert_type_len;
+	}
+	if (!h->tls_server_cert_type_len) {
+	    h->tls_server_cert_type[0] = h->parent->tls_server_cert_type[0];
+	    h->tls_server_cert_type[1] = h->parent->tls_server_cert_type[1];
+	    h->tls_server_cert_type_len = h->parent->tls_server_cert_type_len;
+	}
 #endif
 
 #undef HS
@@ -1298,7 +1308,7 @@ static void accept_control_common(int s, struct scm_data_accept_ext *sd_ext, soc
 
 static int query_mavis_host(struct context *ctx, void (*f)(struct context *))
 {
-    if(!ctx->host || ctx->host->try_mavis != TRISTATE_YES)
+    if (!ctx->host || ctx->host->try_mavis != TRISTATE_YES)
 	return 0;
     if (!ctx->mavis_tried) {
 	ctx->mavis_tried = 1;
@@ -1438,6 +1448,13 @@ static void accept_control_check_tls(struct context *ctx, int cur __attribute__(
 	    SSL_set_fd(ctx->tls, ctx->sock);
 	    SSL_set_session_id_context(ctx->tls, (const unsigned char *) &ctx, sizeof(ctx));
 
+#if OPENSSL_VERSION_NUMBER >= 0x30200000
+	    if (ctx->host->tls_client_cert_type_len)
+		SSL_set1_client_cert_type(ctx->tls, ctx->host->tls_client_cert_type, ctx->host->tls_client_cert_type_len);
+	    if (ctx->host->tls_server_cert_type_len)
+		SSL_set1_server_cert_type(ctx->tls, ctx->host->tls_server_cert_type, ctx->host->tls_server_cert_type_len);
+#endif
+
 	    if (ctx->udp) {
 		//ctx->rbio = BIO_new(BIO_s_dgram_mem());
 		ctx->rbio = BIO_new(BIO_s_mem());