From 7f611f473268ed884dbc5bf0e91dfff84985d370 Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Fri, 26 May 2006 16:32:16 +0000
Subject: if we're a server and some peer has a broken tls certificate, don't shout about it unless we want to hear about protocol violations.

svn:r6507
---
 src/common/tortls.c | 20 +++++++++++---------
 src/common/tortls.h | 3 ++-
 src/or/connection_or.c | 6 ++++--
 3 files changed, 17 insertions(+), 12 deletions(-)
(limited to 'src')

diff --git a/src/common/tortls.c b/src/common/tortls.c
index a20414267..4c3108ad8 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -648,7 +648,8 @@ tor_tls_peer_has_cert(tor_tls_t *tls)
 * NUL-terminate. Return 0 on success, -1 on failure. */
 int
-tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
+tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
+ char *buf, size_t buflen)
 {
 X509 *cert = NULL;
 X509_NAME *name = NULL;
@@ -657,11 +658,11 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
 int r = -1;
 if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
- log_warn(LD_PROTOCOL, "Peer has no certificate");
+ log_fn(severity, LD_PROTOCOL, "Peer has no certificate");
 goto error;
 }
 if (!(name = X509_get_subject_name(cert))) {
- log_warn(LD_PROTOCOL, "Peer certificate has no subject name");
+ log_fn(severity, LD_PROTOCOL, "Peer certificate has no subject name");
 goto error;
 }
 if ((nid = OBJ_txt2nid("commonName")) == NID_undef)
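Review bot: The new `severity` parameter in the hunk at line 648 is not described in the function's doc comment, whose closing line (` * NUL-terminate. Return 0 on success, -1 on failure. */`) is the hunk's first context line while its opening lines lie above the hunk. Since the caller now decides how loudly a missing or malformed peer certificate is reported, that contract belongs in the header; one added line before the closing `*/`, e.g. ` * Log any problem with the peer certificate at <b>severity</b>.`, would do it. The parameter order matches the `tor_tls_verify(int severity, ...)` declaration visible in the tortls.h hunk, which keeps the public API consistent.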
@@ -671,12 +672,13 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
 if (lenout == -1) goto error;
 if (((int)strspn(buf, LEGAL_NICKNAME_CHARACTERS)) < lenout) {
- log_warn(LD_PROTOCOL,
- "Peer certificate nickname %s has illegal characters.",
- escaped(buf));
+ log_fn(severity, LD_PROTOCOL,
+ "Peer certificate nickname %s has illegal characters.",
+ escaped(buf));
 if (strchr(buf, '.'))
- log_warn(LD_PROTOCOL, " (Maybe it is not really running Tor at its "
- "advertised OR port.)");
+ log_fn(severity, LD_PROTOCOL,
+ " (Maybe it is not really running Tor at its "
+ "advertised OR port.)");
 goto error;
 }
@@ -686,7 +688,7 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
 if (cert) X509_free(cert);
- tls_log_errors(LOG_WARN, "getting peer certificate nickname");
+ tls_log_errors(severity, "getting peer certificate nickname");
 return r;
 }
diff --git a/src/common/tortls.h b/src/common/tortls.h
index 9add9c7ce..82a64cb97 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -32,7 +32,8 @@ tor_tls_t *tor_tls_new(int sock, int is_server, int use_no_cert);
 int tor_tls_is_server(tor_tls_t *tls);
 void tor_tls_free(tor_tls_t *tls);
 int tor_tls_peer_has_cert(tor_tls_t *tls);
-int tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen);
+int tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
+ char *buf, size_t buflen);
 int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
 int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
 int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 7fd717717..946cefbb2 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
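Review bot: In the hunk at line 671 the hint about the advertised OR port is still emitted as a second, separate log record whose text begins with a space, so it only reads correctly when it lands directly under the first record; at the lower severities this commit introduces, per-severity filtering or interleaved output can leave a free-standing fragment in the log. The two calls are adjacent and now share both `severity` and `LD_PROTOCOL`, so they could be folded into one `log_fn` call with the hint chosen by a conditional format argument, keeping the peer-supplied nickname behind `escaped()` as before. The enclosing function starts and ends outside this hunk; the hunks at line 686 and in tortls.h only propagate `severity` and need no change.
```c
  if (((int)strspn(buf, LEGAL_NICKNAME_CHARACTERS)) < lenout) {
    log_fn(severity, LD_PROTOCOL,
           "Peer certificate nickname %s has illegal characters.%s",
           escaped(buf),
           strchr(buf, '.') ? " (Maybe it is not really running Tor at its "
                              "advertised OR port.)" : "");
    goto error;
  }
```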
@@ -581,11 +581,13 @@ connection_or_check_valid_handshake(connection_t *conn, char *digest_rcvd)
 check_no_tls_errors();
 if (! tor_tls_peer_has_cert(conn->tls)) {
- log_info(LD_PROTOCOL,"Peer didn't send a cert! Closing.");
+ log_info(LD_PROTOCOL,"Peer (%s:%d) didn't send a cert! Closing.",
+ conn->address, conn->port);
 return -1;
 }
 check_no_tls_errors();
- if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, sizeof(nickname))) {
+ if (tor_tls_get_peer_cert_nickname(severity, conn->tls, nickname,
+ sizeof(nickname))) {
 log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
 "valid nickname. Closing.", conn->address, conn->port);
--
cgit v1.2.3
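Review bot: The missing-certificate branch is still logged with `log_info` while the bad-nickname branch a few lines below now logs at the caller-chosen `severity`, so a client whose peer presents no certificate at all gets a quieter report than one whose peer presents a certificate with an invalid nickname, even though both are protocol violations that close the connection. If that asymmetry is not intended, the first call could become `log_fn(severity, LD_PROTOCOL, "Peer (%s:%d) didn't send a cert! Closing.", conn->address, conn->port);` so both cases are reported at the same level. `severity` is computed above the hunk and connection_or_check_valid_handshake continues on both sides of it; per the commit message it is lowered when this side is a server, so a one-line comment at the new call such as `/* severity is lowered when we are the server; see above */` would help the next reader, provided that is indeed how it is chosen.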