From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Tue, 18 Jun 2024 17:20:44 +0000 (+0200)
Subject: daemon/tls: print IP when failing certificate check
X-Git-Tag: v5.7.4~2^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efc765b8ce80ca359c506eee9ae45992cb91bcc6;p=thirdparty%2Fknot-resolver.git

daemon/tls: print IP when failing certificate check
---

diff --git a/daemon/tls.c b/daemon/tls.c
index 0ab396827..e821ff964 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -992,7 +992,7 @@ static int client_verify_pin(const unsigned int cert_list_size,
  *
  * \returns GNUTLS_E_SUCCESS if certificate chain is valid, any other value is an error
  */
-static int client_verify_certchain(gnutls_session_t tls_session, const char *hostname)
+static int client_verify_certchain(struct tls_common_ctx *ctx, const char *hostname)
 {
 	if (kr_fails_assert(hostname)) {
 		kr_log_error(TLSCLIENT, "internal config inconsistency: no hostname set\n");
@@ -1000,27 +1000,30 @@ static int client_verify_certchain(gnutls_session_t tls_session, const char *hos
 	}
 
 	unsigned int status;
-	int ret = gnutls_certificate_verify_peers3(tls_session, hostname, &status);
+	int ret = gnutls_certificate_verify_peers3(ctx->tls_session, hostname, &status);
 	if ((ret == GNUTLS_E_SUCCESS) && (status == 0)) {
 		return GNUTLS_E_SUCCESS;
 	}
 
+	const char *addr_str = kr_straddr(session_get_peer(ctx->session));
 	if (ret == GNUTLS_E_SUCCESS) {
 		gnutls_datum_t msg;
 		ret = gnutls_certificate_verification_status_print(
-			status, gnutls_certificate_type_get(tls_session), &msg, 0);
+			status, gnutls_certificate_type_get(ctx->tls_session), &msg, 0);
 		if (ret == GNUTLS_E_SUCCESS) {
-			kr_log_error(TLSCLIENT, "failed to verify peer certificate: "
-					"%s\n", msg.data);
+			kr_log_error(TLSCLIENT, "failed to verify peer certificate of %s: "
+					"%s\n", addr_str, msg.data);
 			gnutls_free(msg.data);
 		} else {
-			kr_log_error(TLSCLIENT, "failed to verify peer certificate: "
+			kr_log_error(TLSCLIENT, "failed to verify peer certificate of %s: "
 					"unable to print reason: %s (%s)\n",
+					addr_str,
 					gnutls_strerror(ret), gnutls_strerror_name(ret));
 		} /* gnutls_certificate_verification_status_print end */
 	} else {
-		kr_log_error(TLSCLIENT, "failed to verify peer certificate: "
+		kr_log_error(TLSCLIENT, "failed to verify peer certificate of %s: "
 			     "gnutls_certificate_verify_peers3 error: %s (%s)\n",
+			     addr_str,
 			     gnutls_strerror(ret), gnutls_strerror_name(ret));
 	} /* gnutls_certificate_verify_peers3 end */
 	return GNUTLS_E_CERTIFICATE_ERROR;
@@ -1059,7 +1062,7 @@ static int client_verify_certificate(gnutls_session_t tls_session)
 		/* check hash of the certificate but ignore everything else */
 		return client_verify_pin(cert_list_size, cert_list, ctx->params);
 	else
-		return client_verify_certchain(ctx->c.tls_session, ctx->params->hostname);
+		return client_verify_certchain(&ctx->c, ctx->params->hostname);
 }
 
 struct tls_client_ctx *tls_client_ctx_new(tls_client_param_t *entry,