	S2S-TLS/OpenSSL: Fix handling of certificate information for incoming connections
Show proper certificate information for incoming connections, too, and not "peer did not present a certificate", regardless of whether the client sent a certificate or not. And free the client certificate structure "peer_cert" on incoming connections as well!
		| @@ -935,22 +935,36 @@ ConnSSL_LogCertInfo( CONNECTION * c, bool connect) | |||||||
| 	Log(LOG_INFO, "Connection %d: initialized %s using cipher %s, %s.", | 	Log(LOG_INFO, "Connection %d: initialized %s using cipher %s, %s.", | ||||||
| 	    c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl), comp_alg); | 	    c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl), comp_alg); | ||||||
| 	peer_cert = SSL_get_peer_certificate(ssl); | 	peer_cert = SSL_get_peer_certificate(ssl); | ||||||
| 	if (peer_cert && connect) { | 	if (peer_cert) { | ||||||
| 		cert_seen = true; | 		cert_seen = true; | ||||||
| 		/* Client: Check server certificate */ |  | ||||||
| 		int err = SSL_get_verify_result(ssl); | 		if (connect) { | ||||||
| 		if (err == X509_V_OK) { | 			/* Outgoing connection. Verify the remote server! */ | ||||||
| 			const char *peername = SSL_get0_peername(ssl); | 			int err = SSL_get_verify_result(ssl); | ||||||
| 			if (peername != NULL) | 			if (err == X509_V_OK) { | ||||||
| 				cert_ok = true; | 				const char *peername = SSL_get0_peername(ssl); | ||||||
| 			LogDebug("X509_V_OK, peername = '%s'", peername); | 				if (peername != NULL) | ||||||
| 		} else | 					cert_ok = true; | ||||||
| 			Log(LOG_ERR, "Certificate validation failed: %s", | 				LogDebug("X509_V_OK, peername = '%s'", peername); | ||||||
| 			    X509_verify_cert_error_string(err)); | 			} else | ||||||
| 		snprintf(msg, sizeof(msg), "%svalid peer certificate", | 				Log(LOG_WARNING, "Certificate validation failed: %s!", | ||||||
| 			 cert_ok ? "" : "in"); | 				    X509_verify_cert_error_string(err)); | ||||||
| 		LogOpenSSL_CertInfo(cert_ok ? LOG_DEBUG : LOG_ERR, peer_cert, |  | ||||||
| 				    msg); | 			snprintf(msg, sizeof(msg), "Got %svalid server certificate", | ||||||
|  | 				 cert_ok ? "" : "in"); | ||||||
|  | 			LogOpenSSL_CertInfo(LOG_INFO, peer_cert, msg); | ||||||
|  | 		} else { | ||||||
|  | 			/* Incoming connection. | ||||||
|  | 			 * Accept all certificates, don't depend on their | ||||||
|  | 			 * validity: for example, we don't know the hostname | ||||||
|  | 			 * to check, because we not yet even know if this is a | ||||||
|  | 			 * server connection at all and if so, which one, so we | ||||||
|  | 			 * don't know a host name to look for. On the other | ||||||
|  | 			 * hand we want client certificates, for example for | ||||||
|  | 			 * "CertFP" authentication with services ... */ | ||||||
|  | 			LogOpenSSL_CertInfo(LOG_INFO, peer_cert, | ||||||
|  | 					    "Got unchecked client certificate"); | ||||||
|  | 		} | ||||||
|  |  | ||||||
| 		X509_free(peer_cert); | 		X509_free(peer_cert); | ||||||
| 	} | 	} | ||||||
| @@ -1038,7 +1052,7 @@ done_cn_validation: | |||||||
| 	if (cert_ok) | 	if (cert_ok) | ||||||
| 		Conn_OPTION_ADD(c, CONN_SSL_PEERCERT_OK); | 		Conn_OPTION_ADD(c, CONN_SSL_PEERCERT_OK); | ||||||
| 	if (!cert_seen) | 	if (!cert_seen) | ||||||
| 		Log(LOG_INFO, "Peer did not present a certificate"); | 		Log(LOG_INFO, "Peer did not present a certificate."); | ||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
|   | |||||||
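Review bot: In the outgoing branch, `LogDebug("X509_V_OK, peername = '%s'", peername);` is still reached when `SSL_get0_peername()` returned NULL (the line above only skips setting `cert_ok` in that case), and passing a null pointer to `%s` is undefined behaviour in standard C even though glibc happens to print "(null)"; log it as `LogDebug("X509_V_OK, peername = '%s'", peername ? peername : "(none)");`. On the incoming side the verify result is never consulted, so `cert_ok` stays false and CONN_SSL_PEERCERT_OK is not set for inbound peers, which matches the comment's intent, but logging `X509_verify_cert_error_string(SSL_get_verify_result(ssl))` at debug level next to "Got unchecked client certificate" would let an operator tell a client whose chain verifies from one whose chain does not without changing the accept-everything policy. Whether that message ever appears on an accepting socket presumably depends on the verify mode configured on the listening context elsewhere in the file, since OpenSSL only requests a client certificate when asked to; worth confirming against the listener setup. ConnSSL_LogCertInfo begins before this hunk and continues past it.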