if we're a server and some peer has a broken tls certificate, don't
shout about it unless we want to hear about protocol violations. svn:r6507
This commit is contained in:
parent
82ae38f649
commit
7f611f4732
@ -648,7 +648,8 @@ tor_tls_peer_has_cert(tor_tls_t *tls)
|
|||||||
* NUL-terminate. Return 0 on success, -1 on failure.
|
* NUL-terminate. Return 0 on success, -1 on failure.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
|
tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
|
||||||
|
char *buf, size_t buflen)
|
||||||
{
|
{
|
||||||
X509 *cert = NULL;
|
X509 *cert = NULL;
|
||||||
X509_NAME *name = NULL;
|
X509_NAME *name = NULL;
|
||||||
@ -657,11 +658,11 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
|
|||||||
int r = -1;
|
int r = -1;
|
||||||
|
|
||||||
if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
|
if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
|
||||||
log_warn(LD_PROTOCOL, "Peer has no certificate");
|
log_fn(severity, LD_PROTOCOL, "Peer has no certificate");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (!(name = X509_get_subject_name(cert))) {
|
if (!(name = X509_get_subject_name(cert))) {
|
||||||
log_warn(LD_PROTOCOL, "Peer certificate has no subject name");
|
log_fn(severity, LD_PROTOCOL, "Peer certificate has no subject name");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if ((nid = OBJ_txt2nid("commonName")) == NID_undef)
|
if ((nid = OBJ_txt2nid("commonName")) == NID_undef)
|
||||||
@ -671,11 +672,12 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
|
|||||||
if (lenout == -1)
|
if (lenout == -1)
|
||||||
goto error;
|
goto error;
|
||||||
if (((int)strspn(buf, LEGAL_NICKNAME_CHARACTERS)) < lenout) {
|
if (((int)strspn(buf, LEGAL_NICKNAME_CHARACTERS)) < lenout) {
|
||||||
log_warn(LD_PROTOCOL,
|
log_fn(severity, LD_PROTOCOL,
|
||||||
"Peer certificate nickname %s has illegal characters.",
|
"Peer certificate nickname %s has illegal characters.",
|
||||||
escaped(buf));
|
escaped(buf));
|
||||||
if (strchr(buf, '.'))
|
if (strchr(buf, '.'))
|
||||||
log_warn(LD_PROTOCOL, " (Maybe it is not really running Tor at its "
|
log_fn(severity, LD_PROTOCOL,
|
||||||
|
" (Maybe it is not really running Tor at its "
|
||||||
"advertised OR port.)");
|
"advertised OR port.)");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@ -686,7 +688,7 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
|
|||||||
if (cert)
|
if (cert)
|
||||||
X509_free(cert);
|
X509_free(cert);
|
||||||
|
|
||||||
tls_log_errors(LOG_WARN, "getting peer certificate nickname");
|
tls_log_errors(severity, "getting peer certificate nickname");
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
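Review bot: The function's doc comment still ends with "NUL-terminate. Return 0 on success, -1 on failure." and says nothing about the new first parameter, so callers have no guidance on what `severity` controls. I would extend that comment with `Log any failure to extract or validate the nickname at <b>severity</b>, which is also passed to tls_log_errors().` and mirror a one-line comment on the changed prototype in the header hunk (`@ -32,7 +32,8`). Note that the doc comment block begins before the first hunk, so the full text is not visible here. One hedged observation: `tls_log_errors(severity, ...)` after the `error:` cleanup appears to run on the success path as well (the label falls through to it), which was already the case with LOG_WARN; if that is unintended, the severity change does not fix it.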
@ -32,7 +32,8 @@ tor_tls_t *tor_tls_new(int sock, int is_server, int use_no_cert);
|
|||||||
int tor_tls_is_server(tor_tls_t *tls);
|
int tor_tls_is_server(tor_tls_t *tls);
|
||||||
void tor_tls_free(tor_tls_t *tls);
|
void tor_tls_free(tor_tls_t *tls);
|
||||||
int tor_tls_peer_has_cert(tor_tls_t *tls);
|
int tor_tls_peer_has_cert(tor_tls_t *tls);
|
||||||
int tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen);
|
int tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
|
||||||
|
char *buf, size_t buflen);
|
||||||
int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
|
int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
|
||||||
int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
|
int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
|
||||||
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
|
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
|
||||||
|
@ -581,11 +581,13 @@ connection_or_check_valid_handshake(connection_t *conn, char *digest_rcvd)
|
|||||||
|
|
||||||
check_no_tls_errors();
|
check_no_tls_errors();
|
||||||
if (! tor_tls_peer_has_cert(conn->tls)) {
|
if (! tor_tls_peer_has_cert(conn->tls)) {
|
||||||
log_info(LD_PROTOCOL,"Peer didn't send a cert! Closing.");
|
log_info(LD_PROTOCOL,"Peer (%s:%d) didn't send a cert! Closing.",
|
||||||
|
conn->address, conn->port);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
check_no_tls_errors();
|
check_no_tls_errors();
|
||||||
if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, sizeof(nickname))) {
|
if (tor_tls_get_peer_cert_nickname(severity, conn->tls, nickname,
|
||||||
|
sizeof(nickname))) {
|
||||||
log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
|
log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
|
||||||
"valid nickname. Closing.",
|
"valid nickname. Closing.",
|
||||||
conn->address, conn->port);
|
conn->address, conn->port);
|
||||||
|
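Review bot: The no-cert branch still logs at a fixed `log_info` while the nickname branch a few lines below now takes `severity`, so two protocol failures from the same peer are reported at different levels. If `severity` encodes the "shout about protocol violations only when we are the one who cares" policy (it is assigned above this hunk, outside view), the first branch should use it too: `log_fn(severity, LD_PROTOCOL, "Peer (%s:%d) didn't send a cert! Closing.", conn->address, conn->port);`. connection_or_check_valid_handshake begins before this hunk, so I cannot confirm how `severity` is derived.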