Add logging to the Pi-hole diagnosis system when we detect a certificate domain mismatch
Signed-off-by: DL6ER <dl6er@dl6er.de>
parent
651bb7f065
commit
6498e6bf93
|
@ -54,6 +54,8 @@ static const char *get_message_type_str(const enum message_type type)
|
|||
return "LIST";
|
||||
case DISK_MESSAGE_EXTENDED:
|
||||
return "DISK_EXTENDED";
|
||||
case CERTIFICATE_DOMAIN_MISMATCH_MESSAGE:
|
||||
return "CERTIFICATE_DOMAIN_MISMATCH";
|
||||
case MAX_MESSAGE:
|
||||
default:
|
||||
return "UNKNOWN";
|
||||
|
@ -84,6 +86,8 @@ static enum message_type get_message_type_from_string(const char *typestr)
|
|||
return INACCESSIBLE_ADLIST_MESSAGE;
|
||||
else if (strcmp(typestr, "DISK_EXTENDED") == 0)
|
||||
return DISK_MESSAGE_EXTENDED;
|
||||
else if (strcmp(typestr, "CERTIFICATE_DOMAIN_MISMATCH") == 0)
|
||||
return CERTIFICATE_DOMAIN_MISMATCH_MESSAGE;
|
||||
else
|
||||
return MAX_MESSAGE;
|
||||
}
|
||||
|
@ -653,6 +657,28 @@ static void format_inaccessible_adlist_message(char *plain, const int sizeof_pla
|
|||
free(escaped_address);
|
||||
}
|
||||
|
||||
static void format_certificate_domain_mismatch(char *plain, const int sizeof_plain, char *html, const int sizeof_html,
|
||||
const char *certfile, const char*domain)
|
||||
{
|
||||
if(snprintf(plain, sizeof_plain, "SSL/TLS certificate %s does not match domain %s!", certfile, domain) > sizeof_plain)
|
||||
log_warn("format_certificate_domain_mismatch(): Buffer too small to hold plain message, warning truncated");
|
||||
|
||||
// Return early if HTML text is not required
|
||||
if(sizeof_html < 1 || html == NULL)
|
||||
return;
|
||||
|
||||
char *escaped_certfile = escape_html(certfile);
|
||||
char *escaped_domain = escape_html(domain);
|
||||
|
||||
if(snprintf(html, sizeof_html, "SSL/TLS certificate %s does not match domain <strong>%s</strong>!", escaped_certfile, escaped_domain) > sizeof_html)
|
||||
log_warn("format_certificate_domain_mismatch(): Buffer too small to hold HTML message, warning truncated");
|
||||
|
||||
if(escaped_certfile != NULL)
|
||||
free(escaped_certfile);
|
||||
if(escaped_domain != NULL)
|
||||
free(escaped_domain);
|
||||
}
|
||||
|
||||
int count_messages(const bool filter_dnsmasq_warnings)
|
||||
{
|
||||
int count = 0;
|
||||
|
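Review bot: The truncation checks in format_certificate_domain_mismatch are off by one: snprintf returns the length the full text would have had, excluding the terminator, so the output is truncated whenever that value is >= the buffer size, and `> sizeof_plain` / `> sizeof_html` miss the case where exactly one character was dropped; they also treat a negative (error) return as success. Capture the result and test it as `const int n = snprintf(plain, sizeof_plain, "SSL/TLS certificate %s does not match domain %s!", certfile, domain);` followed by `if(n < 0 || n >= sizeof_plain)`, and the same for the HTML buffer. The `!= NULL` guards before free() are redundant (free(NULL) is a no-op), and if escape_html can return NULL, which those guards suggest, the pointers have already been passed to the `%s` arguments of the HTML snprintf, which is undefined behaviour, so the NULL check belongs before the format call rather than before free(). In the format_messages hunk the certfile/domain arguments come from sqlite3_column_text, which yields NULL for a NULL column, so the plain-text snprintf has the same exposure unless the columns are guaranteed non-NULL. count_messages at the end of the hunk continues outside it.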
@ -876,6 +902,17 @@ bool format_messages(cJSON *array)
|
|||
|
||||
break;
|
||||
}
|
||||
|
||||
case CERTIFICATE_DOMAIN_MISMATCH_MESSAGE:
|
||||
{
|
||||
const char *certfile = (const char*)sqlite3_column_text(stmt, 3);
|
||||
const char *domain = (const char*)sqlite3_column_text(stmt, 4);
|
||||
|
||||
format_certificate_domain_mismatch(plain, sizeof(plain), html, sizeof(html),
|
||||
certfile, domain);
|
||||
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
// Add the plain message
|
||||
|
@ -1095,3 +1132,19 @@ void logg_inaccessible_adlist(const int dbindex, const char *address)
|
|||
if(rowid == -1)
|
||||
log_err("logg_inaccessible_adlist(): Failed to add message to database");
|
||||
}
|
||||
|
||||
void log_certificate_domain_mismatch(const char *certfile, const char *domain)
|
||||
{
|
||||
// Create message
|
||||
char buf[2048];
|
||||
format_certificate_domain_mismatch(buf, sizeof(buf), NULL, 0, certfile, domain);
|
||||
|
||||
// Log to FTL.log
|
||||
log_warn("%s", buf);
|
||||
|
||||
// Log to database
|
||||
const int rowid = add_message(CERTIFICATE_DOMAIN_MISMATCH_MESSAGE, certfile, 1, domain);
|
||||
|
||||
if(rowid == -1)
|
||||
log_err("log_certificate_domain_mismatch(): Failed to add message to database");
|
||||
}
|
||||
|
|
|
@ -28,5 +28,6 @@ void logg_rate_limit_message(const char *clientIP, const unsigned int rate_limit
|
|||
void logg_warn_dnsmasq_message(char *message);
|
||||
void log_resource_shortage(const double load, const int nprocs, const int shmem, const int disk, const char *path, const char *msg);
|
||||
void logg_inaccessible_adlist(const int dbindex, const char *address);
|
||||
void log_certificate_domain_mismatch(const char *certfile, const char *domain);
|
||||
|
||||
#endif //MESSAGETABLE_H
|
||||
|
|
|
@ -270,6 +270,7 @@ enum message_type {
|
|||
DISK_MESSAGE,
|
||||
INACCESSIBLE_ADLIST_MESSAGE,
|
||||
DISK_MESSAGE_EXTENDED,
|
||||
CERTIFICATE_DOMAIN_MISMATCH_MESSAGE,
|
||||
MAX_MESSAGE,
|
||||
} __attribute__ ((packed));
|
||||
|
||||
|
|
|
@ -8,24 +8,26 @@
|
|||
* This file is copyright under the latest version of the EUPL.
|
||||
* Please see LICENSE file for your rights under this license. */
|
||||
|
||||
#include "../FTL.h"
|
||||
#include "webserver.h"
|
||||
#include "FTL.h"
|
||||
#include "webserver/webserver.h"
|
||||
// api_handler()
|
||||
#include "../api/api.h"
|
||||
#include "api/api.h"
|
||||
// send_http()
|
||||
#include "http-common.h"
|
||||
// struct config
|
||||
#include "../config/config.h"
|
||||
#include "config/config.h"
|
||||
// log_web()
|
||||
#include "../log.h"
|
||||
#include "log.h"
|
||||
// get_nprocs()
|
||||
#include <sys/sysinfo.h>
|
||||
// file_readable()
|
||||
#include "../files.h"
|
||||
#include "files.h"
|
||||
// generate_certificate()
|
||||
#include "x509.h"
|
||||
#include "webserver/x509.h"
|
||||
// allocate_lua(), free_lua(), init_lua(), request_handler()
|
||||
#include "lua_web.h"
|
||||
#include "webserver/lua_web.h"
|
||||
// log_certificate_domain_mismatch()
|
||||
#include "database/message-table.h"
|
||||
|
||||
// Server context handle
|
||||
static struct mg_context *ctx = NULL;
|
||||
|
@ -341,6 +343,10 @@ void http_init(void)
|
|||
|
||||
if(file_readable(config.webserver.tls.cert.v.s))
|
||||
{
|
||||
if(read_certificate(config.webserver.tls.cert.v.s, config.webserver.domain.v.s, false) != CERT_DOMAIN_MATCH)
|
||||
{
|
||||
log_certificate_domain_mismatch(config.webserver.tls.cert.v.s, config.webserver.domain.v.s);
|
||||
}
|
||||
options[++next_option] = "ssl_certificate";
|
||||
options[++next_option] = config.webserver.tls.cert.v.s;
|
||||
|
||||
|
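Review bot: In http_init the new check treats every outcome of read_certificate other than CERT_DOMAIN_MATCH as a domain mismatch. If read_certificate can also return codes for a certificate that could not be read or parsed (not visible here), those failures would be logged and stored in the diagnosis table under the "does not match domain" text; compare against the mismatch result specifically, or give the remaining results their own branch so a parse error is reported as what it is. The check also runs only inside the `file_readable(...)` branch, so an unreadable certificate file produces no diagnosis entry at all, which may be intended but deserves a comment such as `// Only a domain mismatch is diagnosed here; unreadable certificate files are handled elsewhere`. http_init begins and ends outside this hunk.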
|