ngIRCd Release 27

[ngircd-alex.git] / src / ngircd / conn-ssl.c

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index 22b5d07ec3683aca4170901851382375922ffe10..abcf53c2f7dc811b8a6b5200505109e883fa75ed 100644 (file)
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -45,6 +45,8 @@ extern struct SSLOptions Conf_SSLOptions;
 #include <openssl/dh.h>
 #include <openssl/x509v3.h>
 
+#define MAX_CERT_CHAIN_LENGTH  10      /* XXX: do not hardcode */
+
 static SSL_CTX * ssl_ctx;
 static DH *dh_params;
 
@@ -52,8 +54,6 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c ));
 static bool ConnSSL_SetVerifyProperties_openssl PARAMS((SSL_CTX * c));
 #endif
 
-#define MAX_CERT_CHAIN_LENGTH  10      /* XXX: do not hardcode */
-
 #ifdef HAVE_LIBGNUTLS
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -155,13 +155,13 @@ LogOpenSSL_CertInfo(int level, X509 * cert, const char *msg)
        mem = BIO_new(BIO_s_mem());
        if (!mem)
                return;
-       X509_NAME_print_ex(mem, X509_get_subject_name(cert), 4,
+       X509_NAME_print_ex(mem, X509_get_subject_name(cert), 0,
                           XN_FLAG_ONELINE);
-       X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 4, XN_FLAG_ONELINE);
+       X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_ONELINE);
        if (BIO_write(mem, "", 1) == 1) {
                len = BIO_get_mem_data(mem, &memptr);
                if (memptr && len > 0)
-                       Log(level, "%s: \"%s\"", msg, memptr);
+                       Log(level, "%s: \"%s\".", msg, memptr);
        }
        (void)BIO_set_close(mem, BIO_CLOSE);
        BIO_free(mem);
@@ -468,6 +468,9 @@ ConnSSL_SetVerifyProperties_gnutls(void)
        if (!Conf_SSLOptions.CAFile)
                return true;
 
+       x509_cred_slot *slot = array_get(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
+       gnutls_certificate_credentials_t x509_cred = slot->x509_cred;
+
        err = gnutls_certificate_set_x509_trust_file(x509_cred,
                                                     Conf_SSLOptions.CAFile,
                                                     GNUTLS_X509_FMT_PEM);
@@ -515,6 +518,7 @@ ConnSSL_LoadServerKey_gnutls(void)
                return false;
 
        gnutls_certificate_set_dh_params(x509_cred, dh_params);
+       gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_VERIFY_CRLS);
 
        cert_file = Conf_SSLOptions.CertFile ?
                        Conf_SSLOptions.CertFile : Conf_SSLOptions.KeyFile;
@@ -565,7 +569,7 @@ ConnSSL_LoadServerKey_gnutls(void)
                        return false;
                }
        }
-       Log(LOG_INFO, "Storing new X509 certificate credentials in slot %zd.", x509_cred_idx);
+       LogDebug("Storing new X509 certificate credentials in slot %zd.", x509_cred_idx);
        slot->x509_cred = x509_cred;
        slot->refcnt = 0;
 
@@ -744,6 +748,7 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
 #ifdef HAVE_LIBGNUTLS
        int err;
 
+       (void)s;
        err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_CLIENT);
        if (err) {
                Log(LOG_ERR, "Failed to initialize new SSL session: %s",
@@ -832,9 +837,12 @@ ConnSSL_HandleError(CONNECTION * c, const int code, const char *fname)
                                    "SSL error, client disconnected [in %s()]!",
                                    fname);
                                break;
-                       case -1:        /* low level socket I/O error, check errno */
-                               Log(LOG_ERR, "SSL error: %s [in %s()]!",
-                                   strerror(real_errno), fname);
+                       case -1:
+                               /* Low level socket I/O error, check errno. But
+                                * we don't need to log this here, the generic
+                                * connection layer will take care of it. */
+                               LogDebug("SSL error: %s [in %s()]!",
+                                        strerror(real_errno), fname);
                        }
                }
                break;
@@ -862,8 +870,10 @@ ConnSSL_HandleError(CONNECTION * c, const int code, const char *fname)
        default:
                assert(code < 0);
                if (gnutls_error_is_fatal(code)) {
-                       Log(LOG_ERR, "SSL error: %s [%s].",
-                           gnutls_strerror(code), fname);
+                       /* We don't need to log this here, the generic
+                        * connection layer will take care of it. */
+                       LogDebug("SSL error: %s [%s].",
+                                gnutls_strerror(code), fname);
                        ConnSSL_Free(c);
                        return -1;
                }
@@ -907,12 +917,12 @@ LogGnuTLS_CertInfo(int level, gnutls_x509_crt_t cert, const char *msg)
        assert(size);
        issuer_dn = LogMalloc(size);
        if (!issuer_dn) {
-               Log(level, "%s: Distinguished Name: %s", msg, dn);
+               Log(level, "%s: Distinguished Name \"%s\".", msg, dn);
                free(dn);
                return;
        }
        gnutls_x509_crt_get_issuer_dn(cert, issuer_dn, &size);
-       Log(level, "%s: Distinguished Name: \"%s\", Issuer \"%s\"", msg, dn,
+       Log(level, "%s: Distinguished Name \"%s\", Issuer \"%s\".", msg, dn,
            issuer_dn);
        free(dn);
        free(issuer_dn);
@@ -972,7 +982,7 @@ ConnSSL_LogCertInfo( CONNECTION * c, bool connect)
                         * hand we want client certificates, for example for
                         * "CertFP" authentication with services ... */
                        LogOpenSSL_CertInfo(LOG_INFO, peer_cert,
-                                           "Got unchecked client certificate");
+                                           "Got unchecked peer certificate");
                }
 
                X509_free(peer_cert);
@@ -990,38 +1000,16 @@ ConnSSL_LogCertInfo( CONNECTION * c, bool connect)
            gnutls_cipher_get_name(cipher),
            gnutls_mac_get_name(gnutls_mac_get(sess)));
        cred = gnutls_auth_get_type(c->ssl_state.gnutls_session);
-       if (cred == GNUTLS_CRD_CERTIFICATE && connect) {
-               cert_seen = true;
-               int verify =
-                   gnutls_certificate_verify_peers2(c->
-                                                    ssl_state.gnutls_session,
-                                                    &status);
-               if (verify < 0) {
-                       Log(LOG_ERR,
-                           "gnutls_certificate_verify_peers2 failed: %s",
-                           gnutls_strerror(verify));
-                       goto done_cn_validation;
-               } else if (status) {
-                       gnutls_datum_t out;
-
-                       if (gnutls_certificate_verification_status_print
-                           (status, gnutls_certificate_type_get(sess), &out,
-                            0) == GNUTLS_E_SUCCESS) {
-                               Log(LOG_ERR,
-                                   "Certificate validation failed: %s",
-                                   out.data);
-                               gnutls_free(out.data);
-                       }
-               }
-
+       if (cred == GNUTLS_CRD_CERTIFICATE) {
                gnutls_x509_crt_t cert;
                unsigned cert_list_size;
                const gnutls_datum_t *cert_list =
                    gnutls_certificate_get_peers(sess, &cert_list_size);
-               if (!cert_list || cert_list_size == 0) {
-                       Log(LOG_ERR, "No certificates found");
+
+               if (!cert_list || cert_list_size == 0)
                        goto done_cn_validation;
-               }
+
+               cert_seen = true;
                int err = gnutls_x509_crt_init(&cert);
                if (err < 0) {
                        Log(LOG_ERR,
@@ -1036,17 +1024,46 @@ ConnSSL_LogCertInfo( CONNECTION * c, bool connect)
                            gnutls_strerror(err));
                        goto done_cn_validation;
                }
-               err = gnutls_x509_crt_check_hostname(cert, c->host);
-               if (err == 0)
-                       Log(LOG_ERR,
-                           "Failed to verify the hostname, expected \"%s\"",
-                           c->host);
-               else
-                       cert_ok = verify == 0 && status == 0;
-
-               snprintf(msg, sizeof(msg), "%svalid peer certificate",
-                       cert_ok ? "" : "in");
-               LogGnuTLS_CertInfo(cert_ok ? LOG_DEBUG : LOG_ERR, cert, msg);
+
+               if (connect) {
+                       int verify =
+                           gnutls_certificate_verify_peers2(c->
+                                                            ssl_state.gnutls_session,
+                                                            &status);
+                       if (verify < 0) {
+                               Log(LOG_ERR,
+                                   "gnutls_certificate_verify_peers2 failed: %s",
+                                   gnutls_strerror(verify));
+                               goto done_cn_validation;
+                       } else if (status) {
+                               gnutls_datum_t out;
+
+                               if (gnutls_certificate_verification_status_print
+                                   (status, gnutls_certificate_type_get(sess), &out,
+                                    0) == GNUTLS_E_SUCCESS) {
+                                       Log(LOG_ERR,
+                                           "Certificate validation failed: %s",
+                                           out.data);
+                                       gnutls_free(out.data);
+                               }
+                       }
+
+                       err = gnutls_x509_crt_check_hostname(cert, c->host);
+                       if (err == 0)
+                               Log(LOG_ERR,
+                                   "Failed to verify the hostname, expected \"%s\"",
+                                   c->host);
+                       else
+                               cert_ok = verify == 0 && status == 0;
+
+                       snprintf(msg, sizeof(msg), "Got %svalid server certificate",
+                               cert_ok ? "" : "in");
+                       LogGnuTLS_CertInfo(LOG_INFO, cert, msg);
+               } else {
+                       /* Incoming connection. Please see comments for OpenSSL! */
+                       LogGnuTLS_CertInfo(LOG_INFO, cert,
+                                           "Got unchecked peer certificate");
+               }
 
                gnutls_x509_crt_deinit(cert);
 done_cn_validation: