
logsrvd,plugins/sudoers: add debug log on TLS verification error

This commit is contained in:
Robert Manner 2024-05-15 08:31:57 +02:00 committed by Todd C. Miller
parent f2a979f408
commit ba29f54d97
3 changed files with 30 additions and 3 deletions


@ -1259,15 +1259,24 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
X509 *peer_cert; X509 *peer_cert;
debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL); debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL);
current_cert = X509_STORE_CTX_get_current_cert(ctx);
/* if pre-verification of the cert failed, just propagate that result back */ /* if pre-verification of the cert failed, just propagate that result back */
if (preverify_ok != 1) { if (preverify_ok != 1) {
int err = X509_STORE_CTX_get_error(ctx);
char current_cert_name[256] = "";
if (current_cert != NULL)
X509_NAME_oneline(X509_get_subject_name(current_cert), current_cert_name, sizeof(current_cert_name));
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"TLS verification failed for cert '%s': '%d:%s'", current_cert_name,
err, X509_verify_cert_error_string(err));
debug_return_int(0); debug_return_int(0);
} }
/* since this callback is called for each cert in the chain, /* since this callback is called for each cert in the chain,
* check that current cert is the peer's certificate * check that current cert is the peer's certificate
*/ */
current_cert = X509_STORE_CTX_get_current_cert(ctx);
peer_cert = X509_STORE_CTX_get0_cert(ctx); peer_cert = X509_STORE_CTX_get0_cert(ctx);
if (current_cert != peer_cert) { if (current_cert != peer_cert) {
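Review bot: The new log line in the `preverify_ok != 1` branch names the failing certificate but not its position in the chain, and since this callback runs once per chain element, a truncated or duplicated subject name leaves the operator guessing whether the peer cert or an issuer failed. Fetching `int depth = X509_STORE_CTX_get_error_depth(ctx);` alongside `err` and adding a `depth %d` field to the format string makes the message unambiguous for the price of one line. The same block is added verbatim in the two following files, so the change applies there too. verify_peer_identity starts and ends outside this hunk.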


@ -67,8 +67,18 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
X509 *peer_cert; X509 *peer_cert;
debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL); debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL);
current_cert = X509_STORE_CTX_get_current_cert(ctx);
/* if pre-verification of the cert failed, just propagate that result back */ /* if pre-verification of the cert failed, just propagate that result back */
if (preverify_ok != 1) { if (preverify_ok != 1) {
int err = X509_STORE_CTX_get_error(ctx);
char current_cert_name[256] = "";
if (current_cert != NULL)
X509_NAME_oneline(X509_get_subject_name(current_cert), current_cert_name, sizeof(current_cert_name));
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"TLS verification failed for cert '%s': '%d:%s'", current_cert_name,
err, X509_verify_cert_error_string(err));
debug_return_int(0); debug_return_int(0);
} }
@ -76,7 +86,6 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
* Since this callback is called for each cert in the chain, * Since this callback is called for each cert in the chain,
* check that current cert is the peer's certificate * check that current cert is the peer's certificate
*/ */
current_cert = X509_STORE_CTX_get_current_cert(ctx);
peer_cert = X509_STORE_CTX_get0_cert(ctx); peer_cert = X509_STORE_CTX_get0_cert(ctx);
if (current_cert != peer_cert) { if (current_cert != peer_cert) {
debug_return_int(1); debug_return_int(1);
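Review bot: The diagnostic block added in the first hunk (the `err` lookup, the 256-byte `current_cert_name` buffer, the `X509_NAME_oneline` call and the `sudo_debug_printf`) is now copied identically into three verify_peer_identity implementations, so any later tweak to the message or buffer handling has to be made three times. If the logsrvd and sudoers sides can share code here, a small helper such as `static void log_tls_verify_error(X509_STORE_CTX *ctx, X509 *cert)` in the common library would keep them in step; if the tree's layering rules that out, a comment pointing at the sibling copies would at least flag the duplication. The second hunk in this file is only the deletion of the assignment that moved up, so it needs no further review.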


@ -149,15 +149,24 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
X509 *peer_cert; X509 *peer_cert;
debug_decl(verify_peer_identity, SUDOERS_DEBUG_UTIL); debug_decl(verify_peer_identity, SUDOERS_DEBUG_UTIL);
current_cert = X509_STORE_CTX_get_current_cert(ctx);
/* if pre-verification of the cert failed, just propagate that result back */ /* if pre-verification of the cert failed, just propagate that result back */
if (preverify_ok != 1) { if (preverify_ok != 1) {
int err = X509_STORE_CTX_get_error(ctx);
char current_cert_name[256] = "";
if (current_cert != NULL)
X509_NAME_oneline(X509_get_subject_name(current_cert), current_cert_name, sizeof(current_cert_name));
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"TLS verification failed for cert '%s': '%d:%s'", current_cert_name,
err, X509_verify_cert_error_string(err));
debug_return_int(0); debug_return_int(0);
} }
/* since this callback is called for each cert in the chain, /* since this callback is called for each cert in the chain,
* check that current cert is the peer's certificate * check that current cert is the peer's certificate
*/ */
current_cert = X509_STORE_CTX_get_current_cert(ctx);
peer_cert = X509_STORE_CTX_get0_cert(ctx); peer_cert = X509_STORE_CTX_get0_cert(ctx);
if (current_cert != peer_cert) { if (current_cert != peer_cert) {
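Review bot: The failure message is emitted at `SUDO_DEBUG_INFO`, so a peer certificate that fails verification is recorded only when util debugging is enabled at info level or above, which is not the default in most deployments. A TLS verification failure toward or from the log server is an operationally significant event (an expired or mis-issued certificate, a wrong CA bundle, or a peer that is not who it claims to be), and an administrator investigating lost audit records would benefit from seeing it with normal warning-level debug settings; consider `sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, ...)` for this branch. The commit title frames this as a debug aid, so the level may be deliberate; if so, a one-line comment saying that the existing connection-failure path already reports the error to the user would settle the question for the next reader. verify_peer_identity starts and ends outside this hunk.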