Merge pull request #5348 from alorbach/pr-issue-5340
NET-OSSL driver: Created interfaces for exported functions
rgerhards committed Mar 28, 2024
2 parents 22f52f1 + 5a97e65 commit e5739a8
Showing 7 changed files with 81 additions and 72 deletions.
4 changes: 2 additions & 2 deletions plugins/imdtls/Makefile.am
@@ -1,6 +1,6 @@
pkglib_LTLIBRARIES = imdtls.la
imdtls_la_DEPENDENCIES = ../../runtime/lmnsd_ossl.la
imdtls_la_DEPENDENCIES =
imdtls_la_SOURCES = imdtls.c
imdtls_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) $(OPENSSL_CFLAGS)
imdtls_la_LDFLAGS = -module -avoid-version
imdtls_la_LIBADD = $(OPENSSL_LIBS) ../../runtime/lmnsd_ossl.la
imdtls_la_LIBADD = $(OPENSSL_LIBS)
32 changes: 16 additions & 16 deletions plugins/imdtls/imdtls.c
Expand Up @@ -314,24 +314,24 @@ imdtls_verify_callback(int status, SSL* ssl)
switch(inst->pNetOssl->authMode) {
case OSSL_AUTH_CERTNAME:
/* if we check the name, we must ensure the cert is valid */
certpeer = net_ossl_getpeercert(inst->pNetOssl, ssl, NULL);
certpeer = net_ossl.osslGetpeercert(inst->pNetOssl, ssl, NULL);
dbgprintf("imdtls_verify_callback: Check peer certname[%p]=%s\n",
(void *)ssl, (certpeer != NULL ? "VALID" : "NULL"));
CHKiRet(net_ossl_chkpeercertvalidity(inst->pNetOssl, ssl, NULL));
CHKiRet(net_ossl_chkpeername(inst->pNetOssl, certpeer, NULL));
CHKiRet(net_ossl.osslChkpeercertvalidity(inst->pNetOssl, ssl, NULL));
CHKiRet(net_ossl.osslChkpeername(inst->pNetOssl, certpeer, NULL));
break;
case OSSL_AUTH_CERTFINGERPRINT:
certpeer = net_ossl_getpeercert(inst->pNetOssl, ssl, NULL);
certpeer = net_ossl.osslGetpeercert(inst->pNetOssl, ssl, NULL);
dbgprintf("imdtls_verify_callback: Check peer fingerprint[%p]=%s\n",
(void *)ssl, (certpeer != NULL ? "VALID" : "NULL"));
CHKiRet(net_ossl_chkpeercertvalidity(inst->pNetOssl, ssl, NULL));
CHKiRet(net_ossl_peerfingerprint(inst->pNetOssl, certpeer, NULL));
CHKiRet(net_ossl.osslChkpeercertvalidity(inst->pNetOssl, ssl, NULL));
CHKiRet(net_ossl.osslPeerfingerprint(inst->pNetOssl, certpeer, NULL));
break;
case OSSL_AUTH_CERTVALID:
certpeer = net_ossl_getpeercert(inst->pNetOssl, ssl, NULL);
certpeer = net_ossl.osslGetpeercert(inst->pNetOssl, ssl, NULL);
dbgprintf("imdtls_verify_callback: Check peer valid[%p]=%s\n",
(void *)ssl, (certpeer != NULL ? "VALID" : "NULL"));
CHKiRet(net_ossl_chkpeercertvalidity(inst->pNetOssl, ssl, NULL));
CHKiRet(net_ossl.osslChkpeercertvalidity(inst->pNetOssl, ssl, NULL));
break;
case OSSL_AUTH_CERTANON:
dbgprintf("imdtls_verify_callback: ANON[%p]\n", (void *)ssl);
Expand Down Expand Up @@ -401,7 +401,7 @@ addListner(modConfData_t __attribute__((unused)) *modConf, instanceConf_t *inst)
CHKiRet(net_ossl.osslCtxInitCookie(inst->pNetOssl));
# endif
// Run openssl config commands in Context
CHKiRet(net_ossl_apply_tlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
CHKiRet(net_ossl.osslApplyTlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));

// Init Socket
CHKiRet(DTLSCreateSocket(inst));
Expand Down Expand Up @@ -499,13 +499,13 @@ DTLSAcceptSession(instanceConf_t *inst, int idx) {
} else if(err == SSL_ERROR_SYSCALL) {
DBGPRINTF("imdtls: SSL_accept failed SSL_ERROR_SYSCALL idx (%d), removing client.\n",
idx);
net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
"DTLSHandleSessions", "SSL_accept");
DTLScleanupSession(inst, idx);
} else {
// An actual error occurred
DBGPRINTF("imdtls: SSL_accept failed (%d) idx (%d), removing client.\n", err, idx);
net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
"DTLSHandleSessions", "SSL_accept");
DTLScleanupSession(inst, idx);
}
Expand Down Expand Up @@ -570,7 +570,7 @@ DTLSReadClient(instanceConf_t *inst, int idx, short revents) {
break;
} else if (err == SSL_ERROR_SYSCALL) {
DBGPRINTF("imdtls: SSL_ERROR_SYSCALL on index %d ERRNO %d\n", idx, errno);
net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
"DTLSReadClient", "SSL_read");
DTLScleanupSession(inst, idx);
break;
Expand Down Expand Up @@ -655,7 +655,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
if (inst->pNetOssl->authMode != OSSL_AUTH_CERTANON) {
dbgprintf("imdtls: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
inst->pNetOssl->authMode, inst->CertVerifyDepth);
net_ossl_set_ssl_verify_callback(ssl,
net_ossl.osslSetSslVerifyCallback(ssl,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
if (inst->CertVerifyDepth != 0) {
SSL_set_verify_depth(ssl, inst->CertVerifyDepth);
Expand All @@ -668,7 +668,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
SSL_set_ex_data(ssl, 2, inst); /* Used in imdtls */

// Debug Callback for conn sbio!
net_ossl_set_bio_callback(sbio);
net_ossl.osslSetBioCallback(sbio);

// Connect the new Client
BIO_ADDR *client_addr = BIO_ADDR_new();
Expand Down Expand Up @@ -711,7 +711,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
if (ret == 0) {
err = SSL_get_error(ssl, ret);
DBGPRINTF("imdtls: DTLSHandleSessions BIO_connect ERROR %d\n", err);
net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
"DTLSHandleSessions", "BIO_connect");
LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
"imdtls: BIO_connect failed for DTLS client");
Expand Down Expand Up @@ -744,7 +744,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
} else {
DBGPRINTF("imdtls: DTLSv1_listen RET %d (ERR %d / ERRNO %d), abort\n",
ret, err, errno);
net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
"DTLSHandleSessions", "DTLSv1_listen");
LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
"imdtls: DTLSv1_listen failed for DTLS client");
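Review bot: In imdtls_verify_callback the `certpeer` returned by `net_ossl.osslGetpeercert(inst->pNetOssl, ssl, NULL)` is explicitly expected to be possibly NULL (the dbgprintf prints "NULL" for that case), yet the OSSL_AUTH_CERTNAME and OSSL_AUTH_CERTFINGERPRINT branches go on to hand it to `osslChkpeername` / `osslPeerfingerprint`. Whether the preceding `osslChkpeercertvalidity` call is guaranteed to fail first when no peer certificate is present is not visible in this commit; if it is not, an explicit `if(certpeer == NULL) ABORT_FINALIZE(RS_RET_ERR);` right after each osslGetpeercert call would make the authentication decision independent of the helper's internals. The same pattern is present in osslChkPeerAuth in runtime/nsd_ossl.c. The function's prologue and its finalize_it label lie outside the hunk.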
4 changes: 2 additions & 2 deletions plugins/omdtls/Makefile.am
@@ -1,6 +1,6 @@
pkglib_LTLIBRARIES = omdtls.la
omdtls_la_DEPENDENCIES = ../../runtime/lmnsd_ossl.la
omdtls_la_DEPENDENCIES =
omdtls_la_SOURCES = omdtls.c
omdtls_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) $(OPENSSL_CFLAGS)
omdtls_la_LDFLAGS = -module -avoid-version
omdtls_la_LIBADD = $(OPENSSL_LIBS) ../../runtime/lmnsd_ossl.la
omdtls_la_LIBADD = $(OPENSSL_LIBS)
20 changes: 11 additions & 9 deletions plugins/omdtls/omdtls.c
Expand Up @@ -270,7 +270,7 @@ CODESTARTactivateCnfPrePrivDrop
for(inst = runModConf->root ; inst != NULL ; inst = inst->next) {
CHKiRet(net_ossl.osslCtxInit(inst->pNetOssl, DTLS_method()));
// Run openssl config commands in Context
CHKiRet(net_ossl_apply_tlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
CHKiRet(net_ossl.osslApplyTlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
}
finalize_it:
ENDactivateCnfPrePrivDrop
Expand Down Expand Up @@ -598,13 +598,13 @@ dtls_send(wrkrInstanceData_t *pWrkrData, const actWrkrIParams_t *__restrict__ co
if (sslerr == SSL_ERROR_SYSCALL) {
dbgprintf("dtls_send[%p]: SSL_write failed with SSL_ERROR_SYSCALL(%s)"
" - Aborting Connection.\n", pWrkrData, strerror(errno));
net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
net_ossl.osslLastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
"omdtls", "SSL_write");
ABORT_FINALIZE(RS_RET_ERR);
} else {
dbgprintf("dtls_send[%p]: SSL_write failed with ERROR [%d]: %s"
" - Aborting Connection.\n", pWrkrData, sslerr, ERR_error_string(sslerr, NULL));
net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
net_ossl.osslLastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
"omdtls", "SSL_write");
ABORT_FINALIZE(RS_RET_ERR);
}
Expand Down Expand Up @@ -639,7 +639,8 @@ dtls_connect(wrkrInstanceData_t *pWrkrData) {
pWrkrData->sslClient = SSL_new(pData->pNetOssl->ctx);
if(!pWrkrData->sslClient) {
dbgprintf("dtls_connect[%p]: SSL_new failed failed\n", pWrkrData);
net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_WARNING, "omdtls", "SSL_new");
net_ossl.osslLastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient,
LOG_WARNING, "omdtls", "SSL_new");
ABORT_FINALIZE(RS_RET_ERR);
}

Expand All @@ -648,33 +649,34 @@ dtls_connect(wrkrInstanceData_t *pWrkrData) {
dbgprintf("dtls_connect[%p]: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
pWrkrData, pData->pNetOssl->authMode, pData->CertVerifyDepth);
/* Enable certificate valid checking */
net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
net_ossl.osslSetSslVerifyCallback(pWrkrData->sslClient,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
if (pData->CertVerifyDepth != 0) {
SSL_set_verify_depth(pWrkrData->sslClient, pData->CertVerifyDepth);
}
} else {
dbgprintf("dtls_connect[%p]: disable certificate checking\n", pWrkrData);
net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_NONE);
net_ossl.osslSetSslVerifyCallback(pWrkrData->sslClient, SSL_VERIFY_NONE);
}

/* Create BIO from socket array! */
bio_client = BIO_new_dgram(pWrkrData->sockout, BIO_NOCLOSE);
if (!bio_client) {
net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_INFO,
net_ossl.osslLastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_INFO,
"dtls_connect", "BIO_new_dgram");
ABORT_FINALIZE(RS_RET_ERR);
}
BIO_ctrl(bio_client, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &pWrkrData->dtls_client_addr);
SSL_set_bio(pWrkrData->sslClient, bio_client, bio_client);

/* Set debug Callback for conn BIO as well! */
net_ossl_set_bio_callback(bio_client);
net_ossl.osslSetBioCallback(bio_client);

dbgprintf("dtls_connect[%p]: Starting DTLS session ...\n", pWrkrData);
/* Perform handshake */
iErr = SSL_connect(pWrkrData->sslClient);
if (iErr <= 0) {
net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_INFO,
net_ossl.osslLastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_INFO,
"dtls_connect", "SSL_connect");
ABORT_FINALIZE(RS_RET_ERR);
}
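Review bot: In dtls_connect the reflowed call `net_ossl.osslLastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_WARNING, "omdtls", "SSL_new");` passes `pWrkrData->sslClient` at a point where it is known to be NULL, since the call sits inside `if(!pWrkrData->sslClient)`. Whether the helper tolerates a NULL ssl argument is not visible in this commit; passing `NULL` explicitly there, or documenting on the interface member that ssl may be NULL, would make the contract clear to the next reader. The context line above it also repeats a word: `"dtls_connect[%p]: SSL_new failed failed\n"`. The body of dtls_connect continues outside the hunk.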
29 changes: 26 additions & 3 deletions runtime/net_ossl.c
Expand Up @@ -52,6 +52,20 @@ DEFobjCurrIf(glbl)
DEFobjCurrIf(net)
DEFobjCurrIf(nsd_ptcp)

/* Prototypes for openssl helper functions */
void net_ossl_lastOpenSSLErrorMsg
(uchar *fromHost, int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags);
void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
void net_ossl_set_bio_callback(BIO *conn);
int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
rsRetVal net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
X509* net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
rsRetVal net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
rsRetVal net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);


/*--------------------------------------MT OpenSSL helpers ------------------------------------------*/
static MUTEX_TYPE *mutex_buf = NULL;
static sbool openssl_initialized = 0; // Avoid multiple initialization / deinitialization
Expand Down Expand Up @@ -1174,9 +1188,18 @@ CODESTARTobjQueryInterface(net_ossl)
if(pIf->ifVersion != net_osslCURR_IF_VERSION) {/* check for current version, increment on each change */
ABORT_FINALIZE(RS_RET_INTERFACE_NOT_SUPPORTED);
}
pIf->Construct = (rsRetVal(*)(net_ossl_t**)) net_osslConstruct;
pIf->Destruct = (rsRetVal(*)(net_ossl_t**)) net_osslDestruct;
pIf->osslCtxInit = net_ossl_osslCtxInit;
pIf->Construct = (rsRetVal(*)(net_ossl_t**)) net_osslConstruct;
pIf->Destruct = (rsRetVal(*)(net_ossl_t**)) net_osslDestruct;
pIf->osslCtxInit = net_ossl_osslCtxInit;
pIf->osslChkpeername = net_ossl_chkpeername;
pIf->osslPeerfingerprint = net_ossl_peerfingerprint;
pIf->osslGetpeercert = net_ossl_getpeercert;
pIf->osslChkpeercertvalidity = net_ossl_chkpeercertvalidity;
pIf->osslApplyTlscgfcmd = net_ossl_apply_tlscgfcmd;
pIf->osslSetBioCallback = net_ossl_set_bio_callback;
pIf->osslSetCtxVerifyCallback = net_ossl_set_ctx_verify_callback;
pIf->osslSetSslVerifyCallback = net_ossl_set_ssl_verify_callback;
pIf->osslLastOpenSSLErrorMsg = net_ossl_lastOpenSSLErrorMsg;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
pIf->osslCtxInitCookie = net_ossl_ctx_init_cookie;
#endif
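Review bot: The prototypes moved into net_ossl.c still give the helpers external linkage, although after this commit the only visible consumers reach them through the function-pointer table filled in objQueryInterface; declaring them `static` (for example `static X509* net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);`) would keep them out of the exported symbol table and turn any plugin that regresses to calling them directly into a compile error. Whether another runtime file still calls them directly is not visible here, so that needs a search before applying. Separately, the prototype `void net_ossl_lastOpenSSLErrorMsg (uchar *fromHost, int ret, SSL *ssl, ...)` drops the `const` on `ret` that the interface member in net_ossl.h keeps; top-level qualifiers do not affect type compatibility, but keeping the two declarations identical avoids the two drifting apart later.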
39 changes: 11 additions & 28 deletions runtime/net_ossl.h
Expand Up @@ -83,6 +83,17 @@ BEGINinterface(net_ossl) /* name must also be changed in ENDinterface macro! */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
rsRetVal (*osslCtxInitCookie)(net_ossl_t *pThis);
#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
// OpenSSL Helper function exports
rsRetVal (*osslChkpeername)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
rsRetVal (*osslPeerfingerprint)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
X509* (*osslGetpeercert)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
rsRetVal (*osslChkpeercertvalidity)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
rsRetVal (*osslApplyTlscgfcmd)(net_ossl_t *pThis, uchar *tlscfgcmd);
void (*osslSetBioCallback)(BIO *conn);
void (*osslSetCtxVerifyCallback)(SSL_CTX *pCtx, int flags);
void (*osslSetSslVerifyCallback)(SSL *pSsl, int flags);
void (*osslLastOpenSSLErrorMsg)(uchar *fromHost,
const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
ENDinterface(net_ossl)

#define net_osslCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */
Expand Down Expand Up @@ -134,34 +145,6 @@ void osslGlblExit(void);

/*-----------------------------------------------------------------------------*/

/* Prototypes for openssl helper functions */
__attribute__((visibility("default"))) void net_ossl_lastOpenSSLErrorMsg
(uchar *fromHost, const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
__attribute__((visibility("default"))) void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags);
__attribute__((visibility("default"))) void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
__attribute__((visibility("default"))) void net_ossl_set_bio_callback(BIO *conn);
__attribute__((visibility("default"))) int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
__attribute__((visibility("default"))) rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
__attribute__((visibility("default"))) rsRetVal
net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
__attribute__((visibility("default"))) X509*
net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
__attribute__((visibility("default"))) rsRetVal
net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
__attribute__((visibility("default"))) rsRetVal
net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);

/*
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
long RSYSLOG_BIO_debug_callback_ex(BIO *bio, int cmd, const char __attribute__((unused)) *argp,
size_t __attribute__((unused)) len, int argi, long __attribute__((unused)) argl,
int ret, size_t __attribute__((unused)) *processed);
#else
long RSYSLOG_BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *argp,
int argi, long __attribute__((unused)) argl, long ret);
#endif
*/

/* prototypes */
PROTOTYPEObj(net_ossl);

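Review bot: The interface struct gains nine new members (osslChkpeername through osslLastOpenSSLErrorMsg) but the context line `#define net_osslCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */` is left at 1, so a plugin and runtime built against different layouts would pass the `pIf->ifVersion != net_osslCURR_IF_VERSION` check in objQueryInterface and could then call a function pointer the other side never filled in. Within a single build tree every consumer is rebuilt together, so this mainly matters for out-of-tree or stale modules, but the header's own rule asks for `#define net_osslCURR_IF_VERSION 2`. The `BEGINinterface(net_ossl)` block starts above the hunk.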
25 changes: 13 additions & 12 deletions runtime/nsd_ossl.c
Expand Up @@ -80,7 +80,7 @@ void nsd_ossl_lastOpenSSLErrorMsg(nsd_ossl_t const *pThis, const int ret, SSL *s
}

// Call helper in net_ossl
net_ossl_lastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi);
net_ossl.osslLastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi);

free(fromHost);
errno = errno_store;
Expand Down Expand Up @@ -278,7 +278,8 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe
dbgprintf("osslInitSession: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
pThis->pNetOssl->authMode, pThis->DrvrVerifyDepth);
/* Enable certificate valid checking */
net_ossl_set_ssl_verify_callback(pThis->pNetOssl->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
net_ossl.osslSetSslVerifyCallback(pThis->pNetOssl->ssl,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
if (pThis->DrvrVerifyDepth != 0) {
SSL_set_verify_depth(pThis->pNetOssl->ssl, pThis->DrvrVerifyDepth);
}
Expand All @@ -305,7 +306,7 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe
dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);

/* Set debug Callback for conn BIO as well! */
net_ossl_set_bio_callback(conn);
net_ossl.osslSetBioCallback(conn);

/* TODO: still needed? Set to NON blocking ! */
BIO_set_nbio( conn, 1 );
Expand Down Expand Up @@ -347,25 +348,25 @@ osslChkPeerAuth(nsd_ossl_t *pThis)
switch(pThis->pNetOssl->authMode) {
case OSSL_AUTH_CERTNAME:
/* if we check the name, we must ensure the cert is valid */
certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
dbgprintf("osslChkPeerAuth: Check peer certname[%p]=%s\n",
(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
CHKiRet(net_ossl_chkpeername(pThis->pNetOssl, certpeer, fromHostIP));
CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
CHKiRet(net_ossl.osslChkpeername(pThis->pNetOssl, certpeer, fromHostIP));
break;
case OSSL_AUTH_CERTFINGERPRINT:
certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
dbgprintf("osslChkPeerAuth: Check peer fingerprint[%p]=%s\n",
(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
CHKiRet(net_ossl_peerfingerprint(pThis->pNetOssl, certpeer, fromHostIP));
CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
CHKiRet(net_ossl.osslPeerfingerprint(pThis->pNetOssl, certpeer, fromHostIP));

break;
case OSSL_AUTH_CERTVALID:
certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
dbgprintf("osslChkPeerAuth: Check peer valid[%p]=%s\n",
(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
break;
case OSSL_AUTH_CERTANON:
FINALIZE;
Expand Down Expand Up @@ -1277,7 +1278,7 @@ applyGnutlsPriorityString(nsd_ossl_t *const pThis)
if(pThis->gnutlsPriorityString == NULL || pThis->pNetOssl->ctx == NULL) {
FINALIZE;
} else {
CHKiRet(net_ossl_apply_tlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString));
CHKiRet(net_ossl.osslApplyTlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString));
}
#endif

