
Commit da7f295

committed
Split SSL verification into new source file
The SSL certificate verification is used by both TLS and DTLS; refactor it into a separate translation unit.
1 parent a673318 commit da7f295

6 files changed

+125
-103
lines changed


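--- a/src/meson.build
+++ b/src/meson.build
@@ -120,6 +120,8 @@ systemd_netlogd_sources = files('''
 netlog/netlog-protocol.h
 netlog/netlog-dtls.c
 netlog/netlog-dtls.h
+netlog/netlog-ssl.c
+netlog/netlog-ssl.h
 netlog/netlog-tls.c
 netlog/netlog-tls.h
 '''.split())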

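--- a/src/netlog/netlog-dtls.c
+++ b/src/netlog/netlog-dtls.c
@@ -1,5 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
+#include "netlog-dtls.h"
+
 #include <arpa/inet.h>
 #include <netinet/in.h>
 #include <openssl/bio.h>
@@ -11,7 +13,8 @@
 #include "fd-util.h"
 #include "io-util.h"
 #include "iovec-util.h"
-#include "netlog-dtls.h"
+
+#include "netlog-ssl.h"
 
 static int dtls_write(DTLSManager *m, const char *buf, size_t count) {
 int r;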

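--- a/src/netlog/netlog-ssl.c
+++ b/src/netlog/netlog-ssl.c
@@ -0,0 +1,108 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "netlog-ssl.h"
+
+#include "alloc-util.h"
+#include "openssl-util.h"
+#include "socket-util.h"
+
+#include "netlog-tls.h"
+
+int ssl_verify_certificate_validity(int s, X509_STORE_CTX *store) {
+SSL* ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
+SocketAddress *address = (SocketAddress *) SSL_get_ex_data(ssl, 1);
+_cleanup_(OPENSSL_freep) void *subject = NULL, *issuer = NULL;
+TLSManager *m = (TLSManager *) SSL_get_ex_data(ssl, 0);
+X509 *cert = X509_STORE_CTX_get_current_cert(store);
+int depth = X509_STORE_CTX_get_error_depth(store);
+int error = X509_STORE_CTX_get_error(store);
+int verify_mode = SSL_get_verify_mode(ssl);
+_cleanup_free_ char *pretty = NULL;
+union sockaddr_union sa;
+int r;
+long rc;
+
+assert(store);
+
+r = sockaddr_pretty(&address->sockaddr.sa, address->sockaddr.sa.sa_family == AF_INET ?
+sizeof(sa.in) : sizeof(sa.in6), true, true, &pretty);
+if (r < 0)
+return r;
+
+log_debug("TLS: Verifying SSL certificates of server: %s", pretty);
+
+if (cert) {
+subject = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
+issuer = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
+}
+
+if (verify_mode == SSL_VERIFY_NONE) {
+log_debug("TLS: SSL Certificate validation DISABLED but Error at depth: %d, issuer=%s, subject=%s: server=%s %s",
+depth, (char *) subject, (char *) issuer, pretty, X509_verify_cert_error_string(error));
+
+return 1;
+}
+
+rc = SSL_get_verify_result(ssl);
+if (rc != X509_V_OK) {
+switch(rc) {
+case X509_V_ERR_CERT_HAS_EXPIRED: {
+switch (m->auth_mode) {
+case OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY: {
+log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
+return 0;
+}
+break;
+case OPEN_SSL_CERTIFICATE_AUTH_MODE_WARN: {
+log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
+"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
+
+return 1;
+}
+break;
+case OPEN_SSL_CERTIFICATE_AUTH_MODE_ALLOW: {
+log_debug("TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
+return 1;
+}
+
+break;
+default:
+break;
+}}
+break;
+case X509_V_ERR_CERT_REVOKED: {
+switch (m->auth_mode) {
+case OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY: {
+log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
+return 0;
+}
+break;
+case OPEN_SSL_CERTIFICATE_AUTH_MODE_WARN: {
+log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
+"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
+
+return 1;
+}
+break;
+case OPEN_SSL_CERTIFICATE_AUTH_MODE_ALLOW: {
+log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
+"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
+return 1;
+}
+break;
+default:
+break;
+}}
+break;
+default:
+log_error("TLS: Failed to validate remote certificate server=%s: %s. Aborting connection ...", pretty, X509_verify_cert_error_string(rc));
+return 0;
+}
+}
+
+log_debug("TLS: SSL certificates verified server=%s: %s", pretty, X509_verify_cert_error_string(rc));
+
+return 1;
+}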
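Review bot: The accept/reject decision at new line 46 is taken from `SSL_get_verify_result(ssl)` while the `s` (preverify_ok) argument and the per-certificate `error` read at line 18 are never consulted outside the SSL_VERIFY_NONE branch; if I read OpenSSL's verify-callback contract right, the SSL object's verify result is only updated after the whole chain check finishes, so inside the callback `rc` does not reflect the failure of the certificate being examined and a failing certificate can fall through to the final `return 1`. Dispatching on the value the store reports for this certificate, `rc = error;` in place of the `SSL_get_verify_result` call (or `switch (error)`), and treating `s == 0` as a failure would make the DENY branch actually reject. Separately, `store` is dereferenced at line 12 before `assert(store)` on line 25, and `ssl`, `address` and `m` obtained from the ex_data slots are dereferenced with no NULL check, so the assert belongs at the top and a guard such as `if (!ssl || !address || !m) return 0;` should precede the first use. The ex_data indices `0` and `1` are magic numbers, and the commit message says this callback now also serves DTLS while slot 0 is still cast to `TLSManager *`; a named constant per slot and a comment stating what the DTLS side stores there (not visible in this commit) would pin that assumption down. Also `subject` and `issuer` stay NULL when `cert` is NULL yet are passed to `%s` at line 41, which is undefined for printf-family functions even though glibc prints "(null)".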

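--- a/src/netlog/netlog-ssl.h
+++ b/src/netlog/netlog-ssl.h
@@ -0,0 +1,6 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <openssl/ssl.h>
+
+int ssl_verify_certificate_validity(int status, X509_STORE_CTX *store);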
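Review bot: The new header's prototype names the first parameter `status` while the definition in netlog-ssl.c names it `s`, and neither carries a comment describing the callback contract now that it is shared across two translation units. The signature matches OpenSSL's verify-callback type, the body returns 1 to continue and 0 to abort, and it reads the manager from SSL ex_data slot 0 and the peer SocketAddress from slot 1, so a short block comment above the prototype, e.g. `/* OpenSSL certificate verify callback shared by TLS and DTLS: returns 1 to continue the handshake, 0 to abort it. Expects the manager in SSL ex_data slot 0 and the peer SocketAddress in slot 1. */`, together with a parameter name that matches the definition and its meaning (`int preverify_ok`), would make those requirements visible to the DTLS caller.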

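--- a/src/netlog/netlog-tls.c
+++ b/src/netlog/netlog-tls.c
@@ -1,5 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
+#include "netlog-tls.h"
+
 #include <arpa/inet.h>
 #include <netinet/in.h>
 #include <openssl/bio.h>
@@ -11,9 +13,11 @@
 #include "fd-util.h"
 #include "io-util.h"
 #include "iovec-util.h"
-#include "netlog-tls.h"
+
 #include "string-table.h"
 
+#include "netlog-ssl.h"
+
 static const char *const certificate_auth_mode_table[OPEN_SSL_CERTIFICATE_AUTH_MODE_MAX] = {
 [OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE] = "no",
 [OPEN_SSL_CERTIFICATE_AUTH_MODE_ALLOW] = "allow",
@@ -23,105 +27,6 @@ static const char *const certificate_auth_mode_table[OPEN_SSL_CERTIFICATE_AUTH_M
 
 DEFINE_STRING_TABLE_LOOKUP(certificate_auth_mode, int);
 
-int ssl_verify_certificate_validity(int s, X509_STORE_CTX *store) {
-SSL* ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
-SocketAddress *address = (SocketAddress *) SSL_get_ex_data(ssl, 1);
-_cleanup_(OPENSSL_freep) void *subject = NULL, *issuer = NULL;
-TLSManager *m = (TLSManager *) SSL_get_ex_data(ssl, 0);
-X509 *cert = X509_STORE_CTX_get_current_cert(store);
-int depth = X509_STORE_CTX_get_error_depth(store);
-int error = X509_STORE_CTX_get_error(store);
-int verify_mode = SSL_get_verify_mode(ssl);
-_cleanup_free_ char *pretty = NULL;
-union sockaddr_union sa;
-int r;
-long rc;
-
-assert(store);
-
-r = sockaddr_pretty(&address->sockaddr.sa, address->sockaddr.sa.sa_family == AF_INET ?
-sizeof(sa.in) : sizeof(sa.in6), true, true, &pretty);
-if (r < 0)
-return r;
-
-log_debug("TLS: Verifying SSL certificates of server: %s", pretty);
-
-if (cert) {
-subject = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
-issuer = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
-}
-
-if (verify_mode == SSL_VERIFY_NONE) {
-log_debug("TLS: SSL Certificate validation DISABLED but Error at depth: %d, issuer=%s, subject=%s: server=%s %s",
-depth, (char *) subject, (char *) issuer, pretty, X509_verify_cert_error_string(error));
-
-return 1;
-}
-
-rc = SSL_get_verify_result(ssl);
-if (rc != X509_V_OK) {
-switch(rc) {
-case X509_V_ERR_CERT_HAS_EXPIRED: {
-switch (m->auth_mode) {
-case OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY: {
-log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
-return 0;
-}
-break;
-case OPEN_SSL_CERTIFICATE_AUTH_MODE_WARN: {
-log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
-"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
-
-return 1;
-}
-break;
-case OPEN_SSL_CERTIFICATE_AUTH_MODE_ALLOW: {
-log_debug("TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
-return 1;
-}
-
-break;
-default:
-break;
-}}
-break;
-case X509_V_ERR_CERT_REVOKED: {
-switch (m->auth_mode) {
-case OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY: {
-log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
-return 0;
-}
-break;
-case OPEN_SSL_CERTIFICATE_AUTH_MODE_WARN: {
-log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
-"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
-
-return 1;
-}
-break;
-case OPEN_SSL_CERTIFICATE_AUTH_MODE_ALLOW: {
-log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
-"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(rc));
-return 1;
-}
-break;
-default:
-break;
-}}
-break;
-default:
-log_error("TLS: Failed to validate remote certificate server=%s: %s. Aborting connection ...", pretty, X509_verify_cert_error_string(rc));
-return 0;
-}
-}
-
-log_debug("TLS: SSL certificates verified server=%s: %s", pretty, X509_verify_cert_error_string(rc));
-
-return 1;
-}
-
 static int tls_write(TLSManager *m, const char *buf, size_t count) {
 int r;
 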
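--- a/src/netlog/netlog-tls.h
+++ b/src/netlog/netlog-tls.h
@@ -38,8 +38,6 @@ void tls_disconnect(TLSManager *m);
 
 int tls_stream_writev(TLSManager *m, const struct iovec *iov, size_t iovcnt);
 
-int ssl_verify_certificate_validity(int status, X509_STORE_CTX *store);
-
 const char *certificate_auth_mode_to_string(int v) _const_;
 int certificate_auth_mode_from_string(const char *s) _pure_;
 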