robust deny-check for zero-IDs & suppress notifications in listener

jolavillette · jolavillette · commit 7304bdc82b18 · 2026-02-24T15:02:06.000+01:00
diff --git a/src/pqi/authssl.cc b/src/pqi/authssl.cc
@@ -1354,6 +1354,8 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
 
 		RsInfo() << __PRETTY_FUNCTION__ << " " << errMsg << std::endl;
 
+
+
 		if(rsEvents && !isNotifyDenied(pgpId) && !isStringDenied(pgpId.toStdString()))
 		{
 			ev->mSslCn = sslCn;
@@ -1376,6 +1378,8 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
 
 		RsInfo() << __PRETTY_FUNCTION__ << " " << errMsg << std::endl;
 
+
+
 		if(rsEvents && !isNotifyDenied(pgpId) && !isStringDenied(pgpId.toStdString()))
 		{
 			ev->mSslId = sslId;
@@ -1434,6 +1438,8 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
 
 		RsInfo() << __PRETTY_FUNCTION__ << " " << errMsg << std::endl;
 
+
+
 		if(rsEvents && !isNotifyDenied(pgpId))
 		{
 			ev->mSslId = sslId;
@@ -1475,6 +1481,8 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
 
 		Dbg1() << __PRETTY_FUNCTION__ << " " << errMsg << std::endl;
 
+
+
 		if(rsEvents && !isNotifyDenied(pgpId))
 		{
 			ev->mSslId = sslId;
@@ -1943,6 +1951,17 @@ bool AuthSSLimpl::loadList(std::list<RsItem*>& load)
         return true;
 }
 
+
+
+const EVP_PKEY*RsX509Cert::getPubKey(const X509& x509)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	return x509.cert_info->key->pkey;
+#else
+	return X509_get0_pubkey(&x509);
+#endif
+}
+
 void AuthSSLimpl::addNotifyDeny(const RsPgpId& pgpId, const std::string& name)
 {
 	RsStackMutex stack(sslMtx);
@@ -1960,20 +1979,19 @@ void AuthSSLimpl::removeNotifyDeny(const RsPgpId& pgpId)
 bool AuthSSLimpl::isNotifyDenied(const RsPgpId& pgpId)
 {
 	RsStackMutex stack(sslMtx);
-	return mDenyList.find(pgpId) != mDenyList.end();
+	if(mDenyList.find(pgpId) != mDenyList.end()) return true;
+
+    if(pgpId.isNull()) {
+        std::string s = pgpId.toStdString();
+        for(const auto& pair : mDenyList) {
+            if(pair.first.toStdString() == s) return true;
+        }
+    }
+	return false;
 }
 
 void AuthSSLimpl::getNotifyDenyList(std::map<RsPgpId, std::string>& ids)
 {
 	RsStackMutex stack(sslMtx);
 	ids = mDenyList;
 }
-
-const EVP_PKEY*RsX509Cert::getPubKey(const X509& x509)
-{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-	return x509.cert_info->key->pkey;
-#else
-	return X509_get0_pubkey(&x509);
-#endif
-}
diff --git a/src/pqi/pqissllistener.cc b/src/pqi/pqissllistener.cc
@@ -493,10 +493,33 @@ int	pqissllistenbase::continueSSL(IncomingSSLInfo& incoming_connexion_info, bool
 
 		if(vres == X509_V_OK && nullptr != rsEvents)
 		{
-			auto ev = std::make_shared<RsAuthSslConnectionAutenticationEvent>();
-			ev->mLocator = RsUrl(incoming_connexion_info.addr);
-			ev->mErrorCode = RsAuthSslError::MISSING_AUTHENTICATION_INFO;
-			rsEvents->postEvent(ev);
+            // Check if denied before posting event
+            bool denied = false;
+            X509 *x509_check = SSL_get_peer_certificate(incoming_connexion_info.ssl);
+            RsPgpId checkedPgpId; // Default 0
+            if(x509_check) {
+                checkedPgpId = RsX509Cert::getCertIssuer(*x509_check);
+                X509_free(x509_check);
+            }
+            
+            if(AuthSSL::instance().isNotifyDenied(checkedPgpId)) {
+                    denied = true;
+                }
+
+            if(!denied) {
+			    auto ev = std::make_shared<RsAuthSslConnectionAutenticationEvent>();
+			    ev->mLocator = RsUrl(incoming_connexion_info.addr);
+                // Try to fill in more info if available
+                if((x509_check = SSL_get_peer_certificate(incoming_connexion_info.ssl))) {
+                     ev->mPgpId = RsX509Cert::getCertIssuer(*x509_check);
+                     ev->mSslId = RsX509Cert::getCertSslId(*x509_check);
+                     ev->mSslCn = RsX509Cert::getCertName(*x509_check);
+                     X509_free(x509_check);
+                }
+
+			    ev->mErrorCode = RsAuthSslError::MISSING_AUTHENTICATION_INFO;
+			    rsEvents->postEvent(ev);
+            }
 		}
 		closeConnection(fd, incoming_connexion_info.ssl);
 
