
tls: try to print sni on tls error

Daniel-Constantin Mierla authored on 21/11/2021 18:21:01
Showing 2 changed files
@@ -285,7 +285,7 @@ static int tls_complete_init(struct tcp_connection* c)
285 285
 	data->state = state;
286 286
 
287 287
 	if (unlikely(data->ssl == 0 || data->rwbio == 0)) {
288
-		TLS_ERR("Failed to create SSL or BIO structure:");
288
+		TLS_ERR_SSL("Failed to create SSL or BIO structure:", data->ssl);
289 289
 		if (data->ssl)
290 290
 			SSL_free(data->ssl);
291 291
 		if (data->rwbio)
@@ -446,7 +446,7 @@ EVP_PKEY * tls_lookup_private_key(SSL_CTX*);
446 446
 int tls_accept(struct tcp_connection *c, int* error)
447 447
 {
448 448
 	int ret;
449
-	SSL *ssl;
449
+	SSL *ssl = NULL;
450 450
 	X509* cert;
451 451
 	struct tls_extra_data* tls_c;
452 452
 	int tls_log;
@@ -792,7 +792,7 @@ int tls_h_encode_f(struct tcp_connection *c,
792 792
 						snd_flags_t* send_flags)
793 793
 {
794 794
 	int n, offs;
795
-	SSL* ssl;
795
+	SSL* ssl = NULL;
796 796
 	struct tls_extra_data* tls_c;
797 797
 	static unsigned char wr_buf[TLS_WR_MBUF_SZ];
798 798
 	struct tls_mbuf rd, wr;
@@ -929,7 +929,7 @@ redo_wr:
929 929
 			case SSL_ERROR_SSL:
930 930
 				/* protocol level error */
931 931
 				ERR("protocol level error\n");
932
-				TLS_ERR(err_src);
932
+				TLS_ERR_SSL(err_src, ssl);
933 933
 				memset(ip_buf, 0, sizeof(buf));
934 934
 				ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
935 935
 				ERR("source IP: %s\n", ip_buf);
@@ -970,7 +970,7 @@ redo_wr:
970 970
 				}
971 971
 				goto error;
972 972
 			default:
973
-				TLS_ERR(err_src);
973
+				TLS_ERR_SSL(err_src, ssl);
974 974
 				BUG("unexpected SSL error %d\n", ssl_error);
975 975
 				goto bug;
976 976
 		}
@@ -1053,6 +1053,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
1053 1053
 	int x;
1054 1054
 	int tls_dbg;
1055 1055
 
1056
+	ssl = NULL;
1056 1057
 	TLS_RD_TRACE("(%p, %p (%d)) start (%s -> %s:%d*)\n",
1057 1058
 					c, flags, *flags,
1058 1059
 					su2a(&c->rcv.src_su, sizeof(c->rcv.src_su)),
@@ -1327,7 +1328,7 @@ ssl_read_skipped:
1327 1328
 		case SSL_ERROR_SSL:
1328 1329
 			/* protocol level error */
1329 1330
 			ERR("protocol level error\n");
1330
-			TLS_ERR(err_src);
1331
+			TLS_ERR_SSL(err_src, ssl);
1331 1332
 			memset(ip_buf, 0, sizeof(ip_buf));
1332 1333
 			ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
1333 1334
 			ERR("src addr: %s:%d\n", ip_buf, c->rcv.src_port);
@@ -1368,7 +1369,7 @@ ssl_read_skipped:
1368 1369
 			}
1369 1370
 			goto error;
1370 1371
 		default:
1371
-			TLS_ERR(err_src);
1372
+			TLS_ERR_SSL(err_src, ssl);
1372 1373
 			BUG("unexpected SSL error %d\n", ssl_error);
1373 1374
 			goto bug;
1374 1375
 	}
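Review bot: In the tls_h_read_f hunk (`@@ -1053,6 +1053,7 @@`) the new `ssl = NULL;` is a standalone assignment placed after the last declaration, while the tls_accept and tls_h_encode_f hunks initialize at the declaration (`SSL *ssl = NULL;`); the `ssl` declaration for tls_h_read_f lies outside this hunk, but moving the initializer there would keep the three functions consistent and avoid a reader wondering whether `ssl` is read between its declaration and line 1056. In the tls_complete_init hunk, `TLS_ERR_SSL("Failed to create SSL or BIO structure:", data->ssl)` is reached when `data->ssl` is 0 or the SSL object was only just created, so the logged SNI will presumably always be "unknown" there; a short comment such as `/* ssl may be NULL or freshly created here: SNI is usually not yet known */` would make that expected output less surprising to whoever reads the log. All enclosing functions start and end outside their hunks.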
@@ -26,20 +26,29 @@
26 26
 #ifndef _TLS_UTIL_H
27 27
 #define _TLS_UTIL_H
28 28
 
29
+#include <openssl/ssl.h>
29 30
 #include <openssl/err.h>
30 31
 #include "../../core/dprint.h"
31 32
 #include "../../core/str.h"
32 33
 #include "tls_domain.h"
33 34
 
34
-static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
35
+static inline int tls_err_ret(char *s, SSL* ssl,
36
+		tls_domains_cfg_t **tls_domains_cfg)
37
+{
35 38
 	long err;
36 39
 	int ret = 0;
40
+	const char *sn = NULL;
41
+
37 42
 	if ((*tls_domains_cfg)->srv_default->ctx &&
38 43
 		(*tls_domains_cfg)->srv_default->ctx[0])
39 44
 	{
45
+		if(ssl) {
46
+			sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
47
+		}
40 48
 		while((err = ERR_get_error())) {
41 49
 			ret = 1;
42
-			ERR("%s%s\n", s ? s : "", ERR_error_string(err, 0));
50
+			ERR("%s%s (sni: %s)\n", s ? s : "", ERR_error_string(err, 0),
51
+					(sn) ? sn : "unknown");
43 52
 		}
44 53
 	}
45 54
 	return ret;
@@ -47,15 +56,19 @@ static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
47 56
 
48 57
 #define TLS_ERR_RET(r, s) \
49 58
 do { \
50
-	(r) = tls_err_ret((s), tls_domains_cfg); \
59
+	(r) = tls_err_ret((s), NULL, tls_domains_cfg); \
51 60
 } while(0)
52 61
 
53 62
 
54 63
 #define TLS_ERR(s) \
55 64
 do { \
56
-	tls_err_ret((s), tls_domains_cfg); \
65
+	tls_err_ret((s), NULL, tls_domains_cfg); \
57 66
 } while(0)
58 67
 
68
+#define TLS_ERR_SSL(s, ssl) \
69
+do { \
70
+	tls_err_ret((s), (ssl), tls_domains_cfg); \
71
+} while(0)
59 72
 
60 73
 /*
61 74
  * Make a shared memory copy of ASCII zero terminated string
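Review bot: In tls_err_ret, the string returned by `SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)` is taken from the peer's ClientHello and is printed into the log with a bare `%s`; OpenSSL rejects a server_name value with an embedded NUL, but as far as I know it does not otherwise constrain the bytes, so the value should be treated as untrusted text that can shape log lines. A comment at the new `sn = ...` line, `/* sn is peer-supplied (ClientHello SNI); untrusted text, only for logging */`, records that, and if the logging backend does not escape control characters it is worth bounding or escaping the value before the `ERR(...)` call. Since the signature is being rewritten anyway and `s` is only read, `static inline int tls_err_ret(const char *s, SSL* ssl,` would let the string-literal callers in TLS_ERR_SSL pass without an implicit drop of const. The header's remaining macros in the second hunk look consistent with the new three-argument function.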