cbiedl
/
ngircd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118
							From 4384e600b9d709551deb8e2c93754f5af1a24161 Mon Sep 17 00:00:00 2001
From: Alexander Barton <alex@barton.de>
Date: Fri, 5 Jan 2024 22:29:40 +0100
Subject: [PATCH 13/20] S2S-TLS/GnuTLS: Fix handling of certificate information
 for incoming connections

Show proper certificate information for incoming connections, too, and
not "peer did not present a certificate", regardless if the client sent
a certificate or not.

This change is for GnuTLS and similar to what was implemented in commit
for OpenSSL in "S2S-TLS/OpenSSL: Fix handling of certificate information
for incoming connections".

(cherry picked from commit 509ff6032686662328f4ecb0c5c287a34e929c53)
---
 src/ngircd/conn-ssl.c | 75 ++++++++++++++++++++++++-------------------
 1 file changed, 42 insertions(+), 33 deletions(-)

--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -667,6 +667,7 @@
 #ifdef HAVE_LIBGNUTLS
 	int err;
 
+	(void)s;
 	err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_CLIENT);
 	if (err) {
 		Log(LOG_ERR, "Failed to initialize new SSL session: %s",
@@ -916,29 +917,8 @@
 	    gnutls_cipher_get_name(cipher),
 	    gnutls_mac_get_name(gnutls_mac_get(sess)));
 	cred = gnutls_auth_get_type(c->ssl_state.gnutls_session);
-	if (cred == GNUTLS_CRD_CERTIFICATE && connect) {
+	if (cred == GNUTLS_CRD_CERTIFICATE) {
 		cert_seen = true;
-		int verify =
-		    gnutls_certificate_verify_peers2(c->
-						     ssl_state.gnutls_session,
-						     &status);
-		if (verify < 0) {
-			Log(LOG_ERR,
-			    "gnutls_certificate_verify_peers2 failed: %s",
-			    gnutls_strerror(verify));
-			goto done_cn_validation;
-		} else if (status) {
-			gnutls_datum_t out;
-
-			if (gnutls_certificate_verification_status_print
-			    (status, gnutls_certificate_type_get(sess), &out,
-			     0) == GNUTLS_E_SUCCESS) {
-				Log(LOG_ERR,
-				    "Certificate validation failed: %s",
-				    out.data);
-				gnutls_free(out.data);
-			}
-		}
 
 		gnutls_x509_crt_t cert;
 		unsigned cert_list_size;
@@ -962,17 +942,46 @@
 			    gnutls_strerror(err));
 			goto done_cn_validation;
 		}
-		err = gnutls_x509_crt_check_hostname(cert, c->host);
-		if (err == 0)
-			Log(LOG_ERR,
-			    "Failed to verify the hostname, expected \"%s\"",
-			    c->host);
-		else
-			cert_ok = verify == 0 && status == 0;
-
-		snprintf(msg, sizeof(msg), "%svalid peer certificate",
-			cert_ok ? "" : "in");
-		LogGnuTLS_CertInfo(cert_ok ? LOG_DEBUG : LOG_ERR, cert, msg);
+
+		if (connect) {
+			int verify =
+			    gnutls_certificate_verify_peers2(c->
+							     ssl_state.gnutls_session,
+							     &status);
+			if (verify < 0) {
+				Log(LOG_ERR,
+				    "gnutls_certificate_verify_peers2 failed: %s",
+				    gnutls_strerror(verify));
+				goto done_cn_validation;
+			} else if (status) {
+				gnutls_datum_t out;
+
+				if (gnutls_certificate_verification_status_print
+				    (status, gnutls_certificate_type_get(sess), &out,
+				     0) == GNUTLS_E_SUCCESS) {
+					Log(LOG_ERR,
+					    "Certificate validation failed: %s",
+					    out.data);
+					gnutls_free(out.data);
+				}
+			}
+
+			err = gnutls_x509_crt_check_hostname(cert, c->host);
+			if (err == 0)
+				Log(LOG_ERR,
+				    "Failed to verify the hostname, expected \"%s\"",
+				    c->host);
+			else
+				cert_ok = verify == 0 && status == 0;
+
+			snprintf(msg, sizeof(msg), "Got %svalid server certificate",
+				cert_ok ? "" : "in");
+			LogGnuTLS_CertInfo(LOG_INFO, cert, msg);
+		} else {
+			/* Incoming connection. Please see comments for OpenSSL! */
+			LogGnuTLS_CertInfo(LOG_INFO, cert,
+					    "Got unchecked peer certificate");
+		}
 
 		gnutls_x509_crt_deinit(cert);
 done_cn_validation: