From 822a791dfc9fc55bf478ea486f572798da5adba1 Mon Sep 17 00:00:00 2001
From: Fabian Mauchle
Date: Fri, 8 Jan 2021 14:05:24 +0100
Subject: [PATCH] use openssl functions to log full subject instead

---
 tls.c | 40 +++++----------------------------------
 tlscommon.c | 24 ++++++++++++++++++++++++
 tlscommon.h | 1 +
 3 files changed, 30 insertions(+), 35 deletions(-)

diff --git a/tls.c b/tls.c
index 55d365b..8adc157 100644
--- a/tls.c
+++ b/tls.c
@@ -480,36 +480,6 @@ void tlsserverrd(struct client *client) {
     debug(DBG_DBG, "tlsserverrd: reader for %s exiting", addr2string(client->addr, tmp, sizeof(tmp)));
 }
 
-/* Returns the CN from the certificate subject as a malloc'ed char array
- * Doesn't support non ASCII characters!
- * BEWARE char* needs to be free() after use!
- * based on the code from cnregexp() at tlscommon.c
- * by pribeiro@net.ipl.pt DSIC/IPL */
-static char *malloced_cnfromcert(X509 *cert) {
-    int loc, l;
-    char *v;
-    X509_NAME *nm;
-    X509_NAME_ENTRY *e;
-    ASN1_STRING *t;
-
-    nm = X509_get_subject_name(cert);
-    loc = -1;
-    for (;;) {
-        loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
-        if (loc == -1)
-            break;
-        e = X509_NAME_get_entry(nm, loc);
-        t = X509_NAME_ENTRY_get_data(e);
-        v = (char *) ASN1_STRING_get0_data(t);
-        l = ASN1_STRING_length(t);
-        if (l < 0)
-            continue;
-        return stringcopy((char *)v, l);
-    }
-    /* not found */
-    return NULL;
-}
-
 void *tlsservernew(void *arg) {
     int s, origflags;
     struct sockaddr_storage from;
@@ -568,11 +538,11 @@ void *tlsservernew(void *arg) {
 
     while (conf) {
         if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
-            char *cn = malloced_cnfromcert(cert);
-            if(cn) {
-                debug(DBG_WARN, "tlsservernew: from %s, host %s, cert CN %s",
-                    addr2string((struct sockaddr *)&from,tmp, sizeof(tmp)), conf->name, cn);
-                free(cn);
+            char *subj = getcertsubject(cert);
+            if(subj) {
+                debug(DBG_WARN, "tlsservernew: TLS connection from %s, client %s, subject %s up",
+                    addr2string((struct sockaddr *)&from,tmp, sizeof(tmp)), conf->name, subj);
+                free(subj);
             }
             X509_free(cert);
             client = addclient(conf, 1);
diff --git a/tlscommon.c b/tlscommon.c
index 48c8db4..5ea753f 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -765,6 +765,30 @@ int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
     return ok;
 }
 
+char *getcertsubject(X509 *cert) {
+    BIO *bio;
+    char *subject;
+
+    bio = BIO_new(BIO_s_mem());
+    if (!bio) {
+        debug(DBG_ERR, "getcertsubject: BIO_new failed");
+        return NULL;
+    }
+
+    X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, XN_FLAG_ONELINE);
+
+    subject = malloc(BIO_number_written(bio)+1);
+    if (subject) {
+        BIO_read(bio, subject, BIO_number_written(bio));
+        subject[BIO_number_written(bio)] = '\0';
+    } else {
+        debug(DBG_ERR, "getcertsubject: malloc failed");
+    }
+    BIO_free(bio);
+
+    return subject;
+}
+
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 static int parse_tls_version(const char* version) {
     if (!strcasecmp("SSL3", version)) {
diff --git a/tlscommon.h b/tlscommon.h
index c376675..6be9079 100644
--- a/tlscommon.h
+++ b/tlscommon.h
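Review bot: When getcertsubject() returns NULL the accepted connection produces no log line at all, because the only debug() call for this event sits inside `if(subj)`, so a failed BIO or malloc silently drops the record of which client was admitted. An else branch that logs the same event without the subject keeps that record independent of the helper: `} else { debug(DBG_WARN, "tlsservernew: TLS connection from %s, client %s up", addr2string((struct sockaddr *)&from,tmp, sizeof(tmp)), conf->name); }`. The message text's trailing "up" reads as a leftover once a subject is appended; if it is intentional (mirroring a "connection ... up" phrasing), a short comment saying so would stop the next reader from "fixing" it. The enclosing while loop and tlsservernew continue outside the hunk.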
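Review bot: The return value of BIO_read() is discarded at `BIO_read(bio, subject, BIO_number_written(bio));`, so if it delivers fewer bytes than BIO_number_written() reports, the bytes between the copied prefix and the terminator are uninitialized heap memory that tlsservernew then passes straight to debug(). X509_NAME_print_ex() is likewise unchecked; in non-COMPAT mode it returns a negative value on error, and the function would then hand back an empty string instead of NULL. Reading the buffer through BIO_get_mem_data() yields pointer and exact length in one call, which removes the short-read case and the three separate BIO_number_written() lookups, as sketched below. A header comment stating that the result is malloc'ed and must be free()d by the caller, and that the RFC 2253-style escaping selected by XN_FLAG_ONELINE is what keeps control characters from the peer-supplied certificate out of the log line, would also be worth adding.
```c
char *getcertsubject(X509 *cert) {
    BIO *bio;
    char *subject = NULL;
    char *data = NULL;
    long len;

    bio = BIO_new(BIO_s_mem());
    /* … unchanged: BIO_new failure check … */

    /* non-COMPAT mode returns the byte count, negative on error */
    if (X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, XN_FLAG_ONELINE) < 0) {
        debug(DBG_ERR, "getcertsubject: X509_NAME_print_ex failed");
        BIO_free(bio);
        return NULL;
    }

    len = BIO_get_mem_data(bio, &data);
    subject = malloc((size_t)len + 1);
    if (subject) {
        memcpy(subject, data, (size_t)len);
        subject[len] = '\0';
    } else {
        debug(DBG_ERR, "getcertsubject: malloc failed");
    }
    BIO_free(bio);

    return subject;
}
```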
@@ -41,6 +41,7 @@ struct tls *tlsgettls(char *alt1, char *alt2);
 SSL_CTX *tlsgetctx(uint8_t type, struct tls *t);
 X509 *verifytlscert(SSL *ssl);
 int verifyconfcert(X509 *cert, struct clsrvconf *conf);
+char *getcertsubject(X509 *cert);
 int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val);
 int addmatchcertattr(struct clsrvconf *conf, const char *match);
 void freematchcertattr(struct clsrvconf *conf);
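Review bot: The new prototype `char *getcertsubject(X509 *cert);` carries no ownership contract, whereas the comment on the malloced_cnfromcert() it replaces in tls.c explicitly warned that the result must be free()d. A one-line comment above the declaration, `/* one-line (RFC 2253 style) subject of cert; malloc'ed, caller must free(); NULL on error */`, keeps that contract from being lost together with the old helper.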