dovecot-2.1: *-login: If client certificate isn't valid, log the...

Wed Apr 25 21:32:08 EEST 2012

details:   http://hg.dovecot.org/dovecot-2.1/rev/36cde186aec6
changeset: 14480:36cde186aec6
user:      Timo Sirainen <tss at iki.fi>
date:      Wed Apr 25 21:28:16 2012 +0300
description:
*-login: If client certificate isn't valid, log the reason why.

diffstat:

 src/login-common/login-proxy.c       |   5 ++-
 src/login-common/ssl-proxy-openssl.c |  43 ++++++++++++++++++++++++-----------
 src/login-common/ssl-proxy.c         |   5 ++++
 src/login-common/ssl-proxy.h         |   1 +
 4 files changed, 38 insertions(+), 16 deletions(-)

diffs (120 lines):

diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/login-proxy.c

--- a/src/login-common/login-proxy.c	Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/login-proxy.c	Wed Apr 25 21:28:16 2012 +0300
@@ -516,8 +516,9 @@
 
 	if (ssl_proxy_has_broken_client_cert(proxy->ssl_server_proxy)) {
 		client_log_err(proxy->client, t_strdup_printf(
-			"proxy: Received invalid SSL certificate from %s:%u",
-			proxy->host, proxy->port));
+			"proxy: Received invalid SSL certificate from %s:%u: %s",
+			proxy->host, proxy->port,
+			ssl_proxy_get_cert_error(proxy->ssl_server_proxy)));
 	} else if (!ssl_proxy_has_valid_client_cert(proxy->ssl_server_proxy)) {
 		client_log_err(proxy->client, t_strdup_printf(
 			"proxy: SSL certificate not received from %s:%u",
diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Wed Apr 25 21:28:16 2012 +0300
@@ -66,6 +66,7 @@
 	ssl_handshake_callback_t *handshake_callback;
 	void *handshake_context;
 
+	const char *cert_error;
 	char *last_error;
 	unsigned int handshaked:1;
 	unsigned int destroyed:1;
@@ -754,6 +755,12 @@
 #endif
 }
 
+const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy)
+{
+	return proxy->cert_error != NULL ? proxy->cert_error :
+		"(Unknown error)";
+}
+
 void ssl_proxy_free(struct ssl_proxy **_proxy)
 {
 	struct ssl_proxy *proxy = *_proxy;
@@ -849,32 +856,40 @@
 {
 	SSL *ssl;
         struct ssl_proxy *proxy;
+	char buf[1024];
+	X509_NAME *subject;
 
 	ssl = X509_STORE_CTX_get_ex_data(ctx,
 					 SSL_get_ex_data_X509_STORE_CTX_idx());
 	proxy = SSL_get_ex_data(ssl, extdata_index);
 	proxy->cert_received = TRUE;
 
-	if (proxy->set->verbose_ssl ||
-	    (proxy->set->auth_verbose && !preverify_ok)) {
-		char buf[1024];
-		X509_NAME *subject;
-
-		subject = X509_get_subject_name(ctx->current_cert);
-		(void)X509_NAME_oneline(subject, buf, sizeof(buf));
-		buf[sizeof(buf)-1] = '\0'; /* just in case.. */
-		if (!preverify_ok)
-			i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error),buf);
-		else
-			i_info("Valid certificate: %s", buf);
-	}
-	if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL && proxy->client_proxy) {
+	if (proxy->client_proxy && ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) {
 		/* no CRL given with the CA list. don't worry about it. */
 		preverify_ok = 1;
 	}
 	if (!preverify_ok)
 		proxy->cert_broken = TRUE;
 
+	subject = X509_get_subject_name(ctx->current_cert);
+	(void)X509_NAME_oneline(subject, buf, sizeof(buf));
+	buf[sizeof(buf)-1] = '\0'; /* just in case.. */
+
+	if (proxy->cert_error == NULL) {
+		proxy->cert_error = p_strdup_printf(proxy->client->pool, "%s: %s",
+			X509_verify_cert_error_string(ctx->error), buf);
+	}
+
+	if (proxy->set->verbose_ssl ||
+	    (proxy->set->auth_verbose && !preverify_ok)) {
+		if (preverify_ok)
+			i_info("Valid certificate: %s", buf);
+		else {
+			i_info("Invalid certificate: %s: %s",
+			       X509_verify_cert_error_string(ctx->error), buf);
+		}
+	}
+
 	/* Return success anyway, because if ssl_require_client_cert=no we
 	   could still allow authentication. */
 	return 1;
diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy.c
--- a/src/login-common/ssl-proxy.c	Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/ssl-proxy.c	Wed Apr 25 21:28:16 2012 +0300
@@ -79,6 +79,11 @@
 	return NULL;
 }
 
+const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy ATTR_UNUSED)
+{
+	return "";
+}
+
 void ssl_proxy_free(struct ssl_proxy **proxy ATTR_UNUSED) {}
 
 unsigned int ssl_proxy_get_count(void)
diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy.h
--- a/src/login-common/ssl-proxy.h	Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/ssl-proxy.h	Wed Apr 25 21:28:16 2012 +0300
@@ -30,6 +30,7 @@
 const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) ATTR_PURE;
 const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy);
 const char *ssl_proxy_get_compression(struct ssl_proxy *proxy);
+const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy);
 void ssl_proxy_free(struct ssl_proxy **proxy);
 
 /* Return number of active SSL proxies */
