From: W.C.A. Wijngaards
Date: Wed, 12 Feb 2020 14:23:58 +0000 (+0100)
Subject: dnstap io, check peer verification in dtstream dtio_ssl_handshake.
X-Git-Tag: release-1.11.0~120^2~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25a88d6d54ba94f9024a0b6efa053d9ec1f6df58;p=thirdparty%2Funbound.git

dnstap io, check peer verification in dtstream dtio_ssl_handshake.
---
diff --git a/dnstap/dtstream.c b/dnstap/dtstream.c
index 0ea933dc9..067f4a2db 100644
--- a/dnstap/dtstream.c
+++ b/dnstap/dtstream.c
@@ -987,6 +987,60 @@ static int dtio_ssl_handshake(struct dt_io_thread* dtio,
 	}
 	/* check peer verification */
 	dtio->ssl_handshake_done = 1;
+
+	if((SSL_get_verify_mode(dtio->ssl)&SSL_VERIFY_PEER)) {
+		/* verification */
+		if(SSL_get_verify_result(dtio->ssl) == X509_V_OK) {
+			X509* x = SSL_get_peer_certificate(dtio->ssl);
+			if(!x) {
+				verbose(VERB_ALGO, "dnstap io, %s, SSL "
+					"connection failed no certificate",
+					dtio->ip_str);
+				/* closed */
+				if(info) dtio_stop_flush_exit(info);
+				dtio_del_output_event(dtio);
+				dtio_close_output(dtio);
+				return 0;
+			}
+			log_cert(VERB_ALGO, "dnstap io, peer certificate",
+				x);
+#ifdef HAVE_SSL_GET0_PEERNAME
+			if(SSL_get0_peername(dtio->ssl)) {
+				verbose(VERB_ALGO, "dnstap io, %s, SSL "
+					"connection to %s authenticated",
+					dtio->ip_str,
+					SSL_get0_peername(dtio->ssl));
+			} else {
+#endif
+				verbose(VERB_ALGO, "dnstap io, %s, SSL "
+					"connection authenticated",
+					dtio->ip_str);
+#ifdef HAVE_SSL_GET0_PEERNAME
+			}
+#endif
+			X509_free(x);
+		} else {
+			X509* x = SSL_get_peer_certificate(dtio->ssl);
+			if(x) {
+				log_cert(VERB_ALGO, "dnstap io, peer "
+					"certificate", x);
+				X509_free(x);
+			}
+			verbose(VERB_ALGO, "dnstap io, %s, SSL connection "
+				"failed: failed to authenticate",
+				dtio->ip_str);
+			/* closed */
+			if(info) dtio_stop_flush_exit(info);
+			dtio_del_output_event(dtio);
+			dtio_close_output(dtio);
+			return 0;
+		}
+	} else {
+		/* unauthenticated, the verify peer flag was not set
+		 * in ssl when the ssl object was created from ssl_ctx */
+		verbose(VERB_ALGO, "dnstap io, %s, SSL connection",
+			dtio->ip_str);
+	}
 	return 1;
 }
 
diff --git a/util/net_help.c b/util/net_help.c
index 7e0a7ac08..007eaff0b 100644
--- a/util/net_help.c
+++ b/util/net_help.c
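Review bot: The failed-verification branch (the `else` after the `X509_V_OK` test) logs only "failed to authenticate" and drops the actual reason, so an operator cannot tell an unknown CA from an expired certificate or a hostname mismatch; include the verify result in that message, e.g. `verbose(VERB_ALGO, "dnstap io, %s, SSL connection failed: %s", dtio->ip_str, X509_verify_cert_error_string(SSL_get_verify_result(dtio->ssl)));`. Because an authentication failure here closes the output and so silently disables dnstap logging, that branch and the no-certificate case are worth logging at VERB_OPS rather than VERB_ALGO so they are visible at default verbosity. In the success path `SSL_get0_peername(dtio->ssl)` is called twice, once in the condition and once as the format argument; a local `const char* peername` reads better. dtio_ssl_handshake begins before this hunk, so `info` and the handshake-result handling that precedes the verification are not visible here.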
@@ -829,6 +829,32 @@ void log_crypto_err_code(const char* str, unsigned long err)
 #endif /* HAVE_SSL */
 }
 
+#ifdef HAVE_SSL
+/** log certificate details */
+void
+log_cert(unsigned level, const char* str, void* cert)
+{
+	BIO* bio;
+	char nul = 0;
+	char* pp = NULL;
+	long len;
+	if(verbosity < level) return;
+	bio = BIO_new(BIO_s_mem());
+	if(!bio) return;
+	X509_print_ex(bio, (X509*)cert, 0, (unsigned long)-1
+		^(X509_FLAG_NO_SUBJECT
+		|X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY
+		|X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX
+		|X509_FLAG_NO_ATTRIBUTES));
+	BIO_write(bio, &nul, (int)sizeof(nul));
+	len = BIO_get_mem_data(bio, &pp);
+	if(len != 0 && pp) {
+		verbose(level, "%s: \n%s", str, pp);
+	}
+	BIO_free(bio);
+}
+#endif /* HAVE_SSL */
+
 int
 listen_sslctx_setup(void* ctxt)
 {
diff --git a/util/net_help.h b/util/net_help.h
index b621639c0..6df9f9b39 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -385,6 +385,14 @@ void log_crypto_err(const char* str);
  */
 void log_crypto_err_code(const char* str, unsigned long err);
 
+/**
+ * Log certificate details verbosity, string, of X509 cert
+ * @param level: verbosity level
+ * @param str: string to prefix on output
+ * @param cert: X509* structure.
+ */
+void log_cert(unsigned level, const char* str, void* cert);
+
 /**
  * Set SSL_OP_NOxxx options on SSL context to disable bad crypto
  * @param ctxt: SSL_CTX*
diff --git a/util/netevent.c b/util/netevent.c
index e334e5008..090238384 100644
--- a/util/netevent.c
+++ b/util/netevent.c
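Review bot: `log_cert` is compiled only inside `#ifdef HAVE_SSL`, but the prototype added to util/net_help.h in the next hunk is unconditional, so any caller that is not itself guarded would fail to link in a build without SSL; the neighbouring `log_crypto_err_code`, whose `#endif /* HAVE_SSL */` and closing `}` form this hunk's leading context, instead keeps the function defined always and guards only its body. Following that pattern keeps the two helpers consistent and lets the header declaration stand as written; the `(X509*)cert` cast also deserves a one-line comment such as `/* cert is void* so net_help.h need not expose OpenSSL types */`. The return values of `X509_print_ex` and `BIO_write` are discarded; the `len != 0 && pp` check handles an empty buffer, but a short note that a print failure is deliberately tolerated for this diagnostic would help the next reader.

```c
void
log_cert(unsigned level, const char* str, void* cert)
{
#ifdef HAVE_SSL
	/* ... unchanged: BIO/X509_print_ex body ... */
#else
	(void)level; (void)str; (void)cert;
#endif /* HAVE_SSL */
}
```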
@@ -1026,32 +1026,6 @@ tcp_callback_reader(struct comm_point* c)
 	}
 }
 
-#ifdef HAVE_SSL
-/** log certificate details */
-static void
-log_cert(unsigned level, const char* str, X509* cert)
-{
-	BIO* bio;
-	char nul = 0;
-	char* pp = NULL;
-	long len;
-	if(verbosity < level) return;
-	bio = BIO_new(BIO_s_mem());
-	if(!bio) return;
-	X509_print_ex(bio, cert, 0, (unsigned long)-1
-		^(X509_FLAG_NO_SUBJECT
-		|X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY
-		|X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX
-		|X509_FLAG_NO_ATTRIBUTES));
-	BIO_write(bio, &nul, (int)sizeof(nul));
-	len = BIO_get_mem_data(bio, &pp);
-	if(len != 0 && pp) {
-		verbose(level, "%s: \n%s", str, pp);
-	}
-	BIO_free(bio);
-}
-#endif /* HAVE_SSL */
-
 #ifdef HAVE_SSL
 /** true if the ssl handshake error has to be squelched from the logs */
 int