if we're a server and some peer has a broken tls certificate, don't

shout about it unless we want to hear about protocol violations. svn:r6507
2024-11-24 20:33:31 +01:00 · 2006-05-26 16:32:16 +00:00 · 2006-05-26 16:32:16 +00:00 · 7f611f4732
commit 7f611f4732
parent 82ae38f649
3 changed files with 17 additions and 12 deletions
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@ -648,7 +648,8 @@ tor_tls_peer_has_cert(tor_tls_t *tls)
 * NUL-terminate.  Return 0 on success, -1 on failure.
 */
 int
-tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
+tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
+                               char *buf, size_t buflen)
 {
  X509 *cert = NULL;
  X509_NAME *name = NULL;
@ -657,11 +658,11 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
  int r = -1;

  if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
-    log_warn(LD_PROTOCOL, "Peer has no certificate");
+    log_fn(severity, LD_PROTOCOL, "Peer has no certificate");
    goto error;
  }
  if (!(name = X509_get_subject_name(cert))) {
-    log_warn(LD_PROTOCOL, "Peer certificate has no subject name");
+    log_fn(severity, LD_PROTOCOL, "Peer certificate has no subject name");
    goto error;
  }
  if ((nid = OBJ_txt2nid("commonName")) == NID_undef)
@ -671,12 +672,13 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
  if (lenout == -1)
    goto error;
  if (((int)strspn(buf, LEGAL_NICKNAME_CHARACTERS)) < lenout) {
-    log_warn(LD_PROTOCOL,
-             "Peer certificate nickname %s has illegal characters.",
-             escaped(buf));
+    log_fn(severity, LD_PROTOCOL,
+           "Peer certificate nickname %s has illegal characters.",
+           escaped(buf));
    if (strchr(buf, '.'))
-      log_warn(LD_PROTOCOL, "  (Maybe it is not really running Tor at its "
-               "advertised OR port.)");
+      log_fn(severity, LD_PROTOCOL,
+             "  (Maybe it is not really running Tor at its "
+             "advertised OR port.)");
    goto error;
  }

@ -686,7 +688,7 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
  if (cert)
    X509_free(cert);

-  tls_log_errors(LOG_WARN, "getting peer certificate nickname");
+  tls_log_errors(severity, "getting peer certificate nickname");
  return r;
 }

--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@ -32,7 +32,8 @@ tor_tls_t *tor_tls_new(int sock, int is_server, int use_no_cert);
 int tor_tls_is_server(tor_tls_t *tls);
 void tor_tls_free(tor_tls_t *tls);
 int tor_tls_peer_has_cert(tor_tls_t *tls);
-int tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen);
+int tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
+                                   char *buf, size_t buflen);
 int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
 int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
 int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@ -581,11 +581,13 @@ connection_or_check_valid_handshake(connection_t *conn, char *digest_rcvd)

  check_no_tls_errors();
  if (! tor_tls_peer_has_cert(conn->tls)) {
-    log_info(LD_PROTOCOL,"Peer didn't send a cert! Closing.");
+    log_info(LD_PROTOCOL,"Peer (%s:%d) didn't send a cert! Closing.",
+             conn->address, conn->port);
    return -1;
  }
  check_no_tls_errors();
-  if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, sizeof(nickname))) {
+  if (tor_tls_get_peer_cert_nickname(severity, conn->tls, nickname,
+                                     sizeof(nickname))) {
    log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
           "valid nickname. Closing.",
           conn->address, conn->port);