mirror of
https://github.com/asterisk/asterisk.git
synced 2025-10-05 12:42:49 +00:00
tcptls: Improve error messages for TLS connections.
This change uses the functions provided by OpenSSL to query and better construct error messages for situations where the connection encounters a problem. ASTERISK-26606 Change-Id: I7ae40ce88c0dc4e185c4df1ceb3a6ccc198f075b
This commit is contained in:
Joshua Colp
@@ -83,6 +83,39 @@ struct ast_tcptls_stream {
|
|||||||
int exclusive_input;
|
int exclusive_input;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#if defined(DO_SSL)
|
||||||
|
AST_THREADSTORAGE(err2str_threadbuf);
|
||||||
|
#define ERR2STR_BUFSIZE 128
|
||||||
|
|
||||||
|
static const char *ssl_error_to_string(int sslerr, int ret)
|
||||||
|
{
|
||||||
|
switch (sslerr) {
|
||||||
|
case SSL_ERROR_SSL:
|
||||||
|
return "Internal SSL error";
|
||||||
|
case SSL_ERROR_SYSCALL:
|
||||||
|
if (!ret) {
|
||||||
|
return "System call EOF";
|
||||||
|
} else if (ret == -1) {
|
||||||
|
char *buf;
|
||||||
|
|
||||||
|
buf = ast_threadstorage_get(&err2str_threadbuf, ERR2STR_BUFSIZE);
|
||||||
|
if (!buf) {
|
||||||
|
return "Unknown";
|
||||||
|
}
|
||||||
|
|
||||||
|
snprintf(buf, ERR2STR_BUFSIZE, "Underlying BIO error: %s", strerror(errno));
|
||||||
|
return buf;
|
||||||
|
} else {
|
||||||
|
return "System call other";
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return "Unknown";
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
void ast_tcptls_stream_set_timeout_disable(struct ast_tcptls_stream *stream)
|
void ast_tcptls_stream_set_timeout_disable(struct ast_tcptls_stream *stream)
|
||||||
{
|
{
|
||||||
ast_assert(stream != NULL);
|
ast_assert(stream != NULL);
|
||||||
@@ -151,12 +184,17 @@ static HOOK_T tcptls_stream_read(void *cookie, char *buf, LEN_T size)
|
|||||||
#if defined(DO_SSL)
|
#if defined(DO_SSL)
|
||||||
if (stream->ssl) {
|
if (stream->ssl) {
|
||||||
for (;;) {
|
for (;;) {
|
||||||
|
int sslerr;
|
||||||
|
char err[256];
|
||||||
|
|
||||||
res = SSL_read(stream->ssl, buf, size);
|
res = SSL_read(stream->ssl, buf, size);
|
||||||
if (0 < res) {
|
if (0 < res) {
|
||||||
/* We read some payload data. */
|
/* We read some payload data. */
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
switch (SSL_get_error(stream->ssl, res)) {
|
|
||||||
|
sslerr = SSL_get_error(stream->ssl, res);
|
||||||
|
switch (sslerr) {
|
||||||
case SSL_ERROR_ZERO_RETURN:
|
case SSL_ERROR_ZERO_RETURN:
|
||||||
/* Report EOF for a shutdown */
|
/* Report EOF for a shutdown */
|
||||||
ast_debug(1, "TLS clean shutdown alert reading data\n");
|
ast_debug(1, "TLS clean shutdown alert reading data\n");
|
||||||
@@ -204,7 +242,8 @@ static HOOK_T tcptls_stream_read(void *cookie, char *buf, LEN_T size)
|
|||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
/* Report EOF for an undecoded SSL or transport error. */
|
/* Report EOF for an undecoded SSL or transport error. */
|
||||||
ast_debug(1, "TLS transport or SSL error reading data\n");
|
ast_debug(1, "TLS transport or SSL error reading data: %s, %s\n", ERR_error_string(sslerr, err),
|
||||||
|
ssl_error_to_string(sslerr, res));
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (!ms) {
|
if (!ms) {
|
||||||
@@ -279,6 +318,9 @@ static HOOK_T tcptls_stream_write(void *cookie, const char *buf, LEN_T size)
|
|||||||
written = 0;
|
written = 0;
|
||||||
remaining = size;
|
remaining = size;
|
||||||
for (;;) {
|
for (;;) {
|
||||||
|
int sslerr;
|
||||||
|
char err[256];
|
||||||
|
|
||||||
res = SSL_write(stream->ssl, buf + written, remaining);
|
res = SSL_write(stream->ssl, buf + written, remaining);
|
||||||
if (res == remaining) {
|
if (res == remaining) {
|
||||||
/* Everything was written. */
|
/* Everything was written. */
|
||||||
@@ -290,7 +332,8 @@ static HOOK_T tcptls_stream_write(void *cookie, const char *buf, LEN_T size)
|
|||||||
remaining -= res;
|
remaining -= res;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
switch (SSL_get_error(stream->ssl, res)) {
|
sslerr = SSL_get_error(stream->ssl, res);
|
||||||
|
switch (sslerr) {
|
||||||
case SSL_ERROR_ZERO_RETURN:
|
case SSL_ERROR_ZERO_RETURN:
|
||||||
ast_debug(1, "TLS clean shutdown alert writing data\n");
|
ast_debug(1, "TLS clean shutdown alert writing data\n");
|
||||||
if (written) {
|
if (written) {
|
||||||
@@ -319,7 +362,8 @@ static HOOK_T tcptls_stream_write(void *cookie, const char *buf, LEN_T size)
|
|||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
/* Undecoded SSL or transport error. */
|
/* Undecoded SSL or transport error. */
|
||||||
ast_debug(1, "TLS transport or SSL error writing data\n");
|
ast_debug(1, "TLS transport or SSL error writing data: %s, %s\n", ERR_error_string(sslerr, err),
|
||||||
|
ssl_error_to_string(sslerr, res));
|
||||||
if (written) {
|
if (written) {
|
||||||
/* Report partial write. */
|
/* Report partial write. */
|
||||||
return written;
|
return written;
|
||||||
@@ -396,8 +440,11 @@ static int tcptls_stream_close(void *cookie)
|
|||||||
*/
|
*/
|
||||||
res = SSL_shutdown(stream->ssl);
|
res = SSL_shutdown(stream->ssl);
|
||||||
if (res < 0) {
|
if (res < 0) {
|
||||||
ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n",
|
int sslerr = SSL_get_error(stream->ssl, res);
|
||||||
SSL_get_error(stream->ssl, res));
|
char err[256];
|
||||||
|
|
||||||
|
ast_log(LOG_ERROR, "SSL_shutdown() failed: %s, %s\n",
|
||||||
|
ERR_error_string(sslerr, err), ssl_error_to_string(sslerr, res));
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
|
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||||
@@ -589,6 +636,7 @@ static int check_tcptls_cert_name(ASN1_STRING *cert_str, const char *hostname, c
|
|||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*! \brief
|
/*! \brief
|
||||||
@@ -604,7 +652,6 @@ static void *handle_tcptls_connection(void *data)
|
|||||||
#ifdef DO_SSL
|
#ifdef DO_SSL
|
||||||
int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
|
int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
|
||||||
int ret;
|
int ret;
|
||||||
char err[256];
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* TCP/TLS connections are associated with external protocols, and
|
/* TCP/TLS connections are associated with external protocols, and
|
||||||
@@ -642,7 +689,11 @@ static void *handle_tcptls_connection(void *data)
|
|||||||
else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
|
else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
|
||||||
SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
|
SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
|
||||||
if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
|
if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
|
||||||
ast_log(LOG_ERROR, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
|
char err[256];
|
||||||
|
int sslerr = SSL_get_error(tcptls_session->ssl, ret);
|
||||||
|
|
||||||
|
ast_log(LOG_ERROR, "Problem setting up ssl connection: %s, %s\n", ERR_error_string(sslerr, err),
|
||||||
|
ssl_error_to_string(sslerr, ret));
|
||||||
} else if ((tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie,
|
} else if ((tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie,
|
||||||
tcptls_session->ssl, tcptls_session->fd, -1))) {
|
tcptls_session->ssl, tcptls_session->fd, -1))) {
|
||||||
if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
|
if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
|
||||||
|
|||||||
Reference in New Issue
Block a user