Rework TLS pretty address handling

cgzones · cgzones · commit 85b79c494604 · 2024-10-29T23:49:00.000+01:00
Avoid accidental TLS verification passed in
ssl_verify_certificate_validity() due to a sockaddr_pretty() failure.
Store the prettified string instead of the raw address struct.
diff --git a/src/netlog/netlog-dtls.c b/src/netlog/netlog-dtls.c
@@ -21,6 +21,7 @@ static int dtls_write(DTLSManager *m, const char *buf, size_t count) {
 
         assert(m);
         assert(m->ssl);
+        assert(m->pretty_address);
         assert(buf);
         assert(count > 0);
         assert(count < INT_MAX);
@@ -30,9 +31,9 @@ static int dtls_write(DTLSManager *m, const char *buf, size_t count) {
         if (r <= 0) {
                 int error = SSL_get_error(m->ssl, r);
                 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE))
-                        return log_info_errno(SYNTHETIC_ERRNO(EAGAIN), "DTLS: Failed to invoke SSL_write: %s", TLS_ERROR_STRING(error));
+                        return log_info_errno(SYNTHETIC_ERRNO(EAGAIN), "DTLS: Failed to invoke SSL_write to %s: %s", m->pretty_address, TLS_ERROR_STRING(error));
                 else
-                        return log_error_errno(SYNTHETIC_ERRNO(EPIPE), "DTLS: Failed to invoke SSL_write: %s", TLS_ERROR_STRING(error));
+                        return log_error_errno(SYNTHETIC_ERRNO(EPIPE), "DTLS: Failed to invoke SSL_write to %s: %s", m->pretty_address, TLS_ERROR_STRING(error));
         }
 
         return log_debug("DTLS: Successful SSL_write: %d bytes", r);
@@ -120,8 +121,8 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
         if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE && m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID) {
                 log_debug("DTLS: enable certificate verification");
 
-                SSL_set_ex_data(ssl, 0, m);
-                SSL_set_ex_data(ssl, 1, address);
+                SSL_set_ex_data(ssl, EX_DATA_TLSMANAGER, m);
+                SSL_set_ex_data(ssl, EX_DATA_PRETTYADDRESS, pretty);
                 SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_certificate_validity);
         } else {
                 log_debug("DTLS: disable certificate verification");
@@ -158,6 +159,7 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
 
         m->ssl = TAKE_PTR(ssl);
         m->fd = TAKE_FD(fd);
+        m->pretty_address = TAKE_PTR(pretty);
 
         m->connected = true;
         return 0;
@@ -175,6 +177,7 @@ void dtls_disconnect(DTLSManager *m) {
                 m->ssl = NULL;
         }
 
+        m->pretty_address = mfree(m->pretty_address);
         m->fd = safe_close(m->fd);
         m->connected = false;
 }
diff --git a/src/netlog/netlog-dtls.h b/src/netlog/netlog-dtls.h
@@ -14,6 +14,7 @@ struct DTLSManager {
         SSL_CTX *ctx;
         SSL *ssl;
 
+        char *pretty_address;
         int fd;
         bool connected;
 
diff --git a/src/netlog/netlog-ssl.c b/src/netlog/netlog-ssl.c
@@ -10,25 +10,17 @@
 
 int ssl_verify_certificate_validity(int s, X509_STORE_CTX *store) {
         SSL* ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
-        SocketAddress *address = (SocketAddress *) SSL_get_ex_data(ssl, 1);
+        const char *pretty = (const char *) SSL_get_ex_data(ssl, EX_DATA_PRETTYADDRESS);
         _cleanup_(OPENSSL_freep) void *subject = NULL, *issuer = NULL;
-        TLSManager *m = (TLSManager *) SSL_get_ex_data(ssl, 0);
+        TLSManager *m = (TLSManager *) SSL_get_ex_data(ssl, EX_DATA_TLSMANAGER);
         X509 *cert = X509_STORE_CTX_get_current_cert(store);
         int depth = X509_STORE_CTX_get_error_depth(store);
         int error = X509_STORE_CTX_get_error(store);
         int verify_mode = SSL_get_verify_mode(ssl);
-        _cleanup_free_ char *pretty = NULL;
-        union sockaddr_union sa;
-        int r;
         long rc;
 
         assert(store);
 
-        r = sockaddr_pretty(&address->sockaddr.sa, address->sockaddr.sa.sa_family == AF_INET ?
-                            sizeof(sa.in) : sizeof(sa.in6), true, true, &pretty);
-        if (r < 0)
-                return r;
-
         log_debug("TLS: Verifying SSL certificates of server: %s", pretty);
 
         if (cert) {
diff --git a/src/netlog/netlog-ssl.h b/src/netlog/netlog-ssl.h
@@ -5,6 +5,9 @@
 
 #include "macro.h"
 
+#define EX_DATA_TLSMANAGER 0
+#define EX_DATA_PRETTYADDRESS 1
+
 int ssl_verify_certificate_validity(int status, X509_STORE_CTX *store);
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(SSL_CTX*, SSL_CTX_free);
diff --git a/src/netlog/netlog-tls.c b/src/netlog/netlog-tls.c
@@ -31,6 +31,7 @@ static int tls_write(TLSManager *m, const char *buf, size_t count) {
 
         assert(m);
         assert(m->ssl);
+        assert(m->pretty_address);
         assert(buf);
         assert(count > 0);
         assert(count < INT_MAX);
@@ -40,9 +41,9 @@ static int tls_write(TLSManager *m, const char *buf, size_t count) {
         if (r <= 0) {
                 int error = SSL_get_error(m->ssl, r);
                 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE))
-                        return log_info_errno(SYNTHETIC_ERRNO(EAGAIN), "TLS: Failed to invoke SSL_write: %s", TLS_ERROR_STRING(error));
+                        return log_info_errno(SYNTHETIC_ERRNO(EAGAIN), "TLS: Failed to invoke SSL_write to %s: %s", m->pretty_address, TLS_ERROR_STRING(error));
                 else
-                        return log_error_errno(SYNTHETIC_ERRNO(EPIPE), "TLS: Failed to invoke SSL_write: %s", TLS_ERROR_STRING(error));
+                        return log_error_errno(SYNTHETIC_ERRNO(EPIPE), "TLS: Failed to invoke SSL_write to %s: %s", m->pretty_address, TLS_ERROR_STRING(error));
         }
 
         return log_debug("TLS: Successful TLS SSL_write: %d bytes", r);
@@ -119,8 +120,8 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
         if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE && m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID) {
                 log_debug("TLS: enable certificate verification");
 
-                SSL_set_ex_data(ssl, 0, m);
-                SSL_set_ex_data(ssl, 1, address);
+                SSL_set_ex_data(ssl, EX_DATA_TLSMANAGER, m);
+                SSL_set_ex_data(ssl, EX_DATA_PRETTYADDRESS, pretty);
 
                 SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_certificate_validity);
         } else {
@@ -158,6 +159,7 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
 
         m->ssl = TAKE_PTR(ssl);
         m->fd = TAKE_FD(fd);
+        m->pretty_address = TAKE_PTR(pretty);
 
         m->connected = true;
         return 0;
@@ -175,6 +177,7 @@ void tls_disconnect(TLSManager *m) {
                 m->ssl = NULL;
         }
 
+        m->pretty_address = mfree(m->pretty_address);
         m->fd = safe_close(m->fd);
         m->connected = false;
 }
diff --git a/src/netlog/netlog-tls.h b/src/netlog/netlog-tls.h
@@ -22,6 +22,7 @@ struct TLSManager {
         SSL_CTX *ctx;
         SSL *ssl;
 
+        char *pretty_address;
         int fd;
 
         bool connected;
