mirrors/ngircd
1
0
Fork 0
mirror of https://github.com/osmarks/ngircd.git synced 2024-10-27 20:36:18 +00:00
Code Issues Releases Wiki Activity

S2S-TLS/OpenSSL: Fix handling of certificate information for incoming connections

Browse Source 
Show proper certificate information for incoming connections, too, and
not "peer did not present a certificate", regardless if the client sent
a certificate or not.

And free the client certificate structure "peer_cert" on incoming
connections as well!
This commit is contained in:
Alexander Barton 2024-01-02 21:10:17 +01:00
parent 08647ab1e7
commit 679505aab9
1 changed files with 30 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
src/ngircd/conn-ssl.c
View File

@ -935,22 +935,36 @@ ConnSSL_LogCertInfo( CONNECTION * c, bool connect)
Log(LOG_INFO, "Connection %d: initialized %s using cipher %s, %s.", Log(LOG_INFO, "Connection %d: initialized %s using cipher %s, %s.",
c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl), comp_alg); c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl), comp_alg);
peer_cert = SSL_get_peer_certificate(ssl); peer_cert = SSL_get_peer_certificate(ssl);
if (peer_cert && connect) { if (peer_cert) {
cert_seen = true; cert_seen = true;
/* Client: Check server certificate */
int err = SSL_get_verify_result(ssl); if (connect) {
if (err == X509_V_OK) { /* Outgoing connection. Verify the remote server! */
const char *peername = SSL_get0_peername(ssl); int err = SSL_get_verify_result(ssl);
if (peername != NULL) if (err == X509_V_OK) {
cert_ok = true; const char *peername = SSL_get0_peername(ssl);
LogDebug("X509_V_OK, peername = '%s'", peername); if (peername != NULL)
} else cert_ok = true;
Log(LOG_ERR, "Certificate validation failed: %s", LogDebug("X509_V_OK, peername = '%s'", peername);
X509_verify_cert_error_string(err)); } else
snprintf(msg, sizeof(msg), "%svalid peer certificate", Log(LOG_WARNING, "Certificate validation failed: %s!",
cert_ok ? "" : "in"); X509_verify_cert_error_string(err));
LogOpenSSL_CertInfo(cert_ok ? LOG_DEBUG : LOG_ERR, peer_cert,
msg); snprintf(msg, sizeof(msg), "Got %svalid server certificate",
cert_ok ? "" : "in");
LogOpenSSL_CertInfo(LOG_INFO, peer_cert, msg);
} else {
/* Incoming connection.
* Accept all certificates, don't depend on their
* validity: for example, we don't know the hostname
* to check, because we not yet even know if this is a
* server connection at all and if so, which one, so we
* don't know a host name to look for. On the other
* hand we want client certificates, for example for
* "CertFP" authentication with services ... */
LogOpenSSL_CertInfo(LOG_INFO, peer_cert,
"Got unchecked client certificate");
}
X509_free(peer_cert); X509_free(peer_cert);
} }
@ -1038,7 +1052,7 @@ done_cn_validation:
if (cert_ok) if (cert_ok)
Conn_OPTION_ADD(c, CONN_SSL_PEERCERT_OK); Conn_OPTION_ADD(c, CONN_SSL_PEERCERT_OK);
if (!cert_seen) if (!cert_seen)
Log(LOG_INFO, "Peer did not present a certificate"); Log(LOG_INFO, "Peer did not present a certificate.");
} }