Merge pull request #100 from ssahani/tls
TLS/DTLS: Improve log message
ssahani authored May 20, 2024
2 parents 1fe78f9 + 1c5f74c commit 85c64f8
Showing 2 changed files with 34 additions and 34 deletions.
22 changes: 11 additions & 11 deletions src/netlog/netlog-dtls.c
Expand Up @@ -25,9 +25,9 @@ static int dtls_write(DTLSManager *m, const char *buf, size_t count) {
ERR_clear_error();
r = SSL_write(m->ssl, buf, count);
if (r <= 0)
return log_error_errno(r, "Failed to invoke SSL_write: %s", TLS_ERROR_STRING(SSL_get_error(m->ssl, r)));
return log_error_errno(r, "DTLS: Failed to invoke SSL_write: %s", TLS_ERROR_STRING(SSL_get_error(m->ssl, r)));

return log_debug("Successful DTLS SSL_write: %d bytes", r);
return log_debug("DTLS: Successful SSL_write: %d bytes", r);
}

int dtls_datagram_writev(DTLSManager *m, const struct iovec *iov, size_t iovcnt) {
Expand Down Expand Up @@ -90,61 +90,61 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {

fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd < 0)
return log_error_errno(errno, "Failed to allocate socket: %m");;
return log_error_errno(errno, "DTLS: Failed to allocate socket: %m");;

r = sockaddr_pretty(&address->sockaddr.sa, salen, true, true, &pretty);
if (r < 0)
return r;

r = connect(fd, &address->sockaddr.sa, salen);
if (r < 0 && errno != EINPROGRESS)
return log_error_errno(errno, "Failed to connect to remote server='%s': %m", pretty);;
return log_error_errno(errno, "DTLS: Failed to connect to remote server='%s': %m", pretty);;

log_debug("Connected to remote server: '%s'", pretty);

ctx = SSL_CTX_new(DTLS_method());
if (!ctx)
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
"Failed to allocate memory for SSL CTX: %m");
"DTLS: Failed to allocate memory for SSL CTX: %m");

ssl = SSL_new(ctx);
if (!ssl)
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
"Failed to allocate memory for ssl: %s",
"DTLS: Failed to allocate memory for ssl: %s",
ERR_error_string(ERR_get_error(), NULL));

/* Create BIO from socket array! */
bio = BIO_new_dgram(fd, BIO_NOCLOSE);
if (!bio)
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
"Failed to allocate memory for bio: %m");
"DTLS: Failed to allocate memory for bio: %m");

BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &address);
SSL_set_bio(ssl, bio, bio);
m->bio = TAKE_PTR(bio);

/* Cerification verification */
if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE && m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID) {
log_debug("TLS: enable certificate verification");
log_debug("DTLS: enable certificate verification");

SSL_set_ex_data(ssl, 0, m);
SSL_set_ex_data(ssl, 1, address);
SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_certificate_validity);
} else {
log_debug("TLS: disable certificate verification");
log_debug("DTLS: disable certificate verification");
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
}
SSL_CTX_set_default_verify_paths(ctx);

r = SSL_connect(ssl);
if (r <= 0)
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
"Failed to SSL_connect: %s",
"DTLS: Failed to SSL_connect: %s",
ERR_error_string(ERR_get_error(), NULL));

cipher = SSL_get_current_cipher(ssl);

log_debug("SSL: Cipher Version: %s Name: %s", SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher));
log_debug("DTLS: SSL Cipher Version: %s Name: %s", SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher));
if (DEBUG_LOGGING) {
_cleanup_(X509_freep) X509* cert = NULL;

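Review bot: `BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &address);` in the dtls_connect hunk appears to pass the address of the `SocketAddress *address` parameter, i.e. a `SocketAddress **`, while the connect() call a few lines above uses `&address->sockaddr.sa`, which looks like the peer pointer the BIO should be given; as written the datagram BIO is probably told the wrong peer address. The commit also leaves `log_debug("Connected to remote server: '%s'", pretty);` without the `DTLS:` prefix that every other message in this file now carries (the TLS counterpart in netlog-tls.c did receive it). The two `log_error_errno(errno, ...)` returns still end in `;;`, here and on the matching two lines of tls_connect in netlog-tls.c. The SSL_connect failure path reports `SYNTHETIC_ERRNO(ENOMEM)`, so a failed handshake is logged as an out-of-memory condition both here and in tls_connect; `SYNTHETIC_ERRNO(EIO)`, which tls_connect already uses for SSL_set_fd, would describe it honestly. dtls_connect's body starts and ends outside the hunk.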
46 changes: 23 additions & 23 deletions src/netlog/netlog-tls.c
Expand Up @@ -43,15 +43,15 @@ int ssl_verify_certificate_validity(int s, X509_STORE_CTX *store) {
if (r < 0)
return r;

log_debug("Verifying SSL ceritificates of server: %s", pretty);
log_debug("TLS: Verifying SSL ceritificates of server: %s", pretty);

if (cert) {
subject = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
issuer = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
}

if (verify_mode == SSL_VERIFY_NONE) {
log_debug("SSL Certificate validation DISABLED but Error at depth: %d, issuer=%s, subject=%s: server=%s %s",
log_debug("TLS: SSL Certificate validation DISABLED but Error at depth: %d, issuer=%s, subject=%s: server=%s %s",
depth, (char *) subject, (char *) issuer, pretty, X509_verify_cert_error_string(error));

return 1;
Expand All @@ -64,19 +64,19 @@ int ssl_verify_certificate_validity(int s, X509_STORE_CTX *store) {
switch (m->auth_mode) {
case OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY: {
log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
return 0;
}
break;
case OPEN_SSL_CERTIFICATE_AUTH_MODE_WARN: {
log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
"Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));

return 1;
}
break;
case OPEN_SSL_CERTIFICATE_AUTH_MODE_ALLOW: {
log_debug("Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
log_debug("TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
return 1;
}

Expand All @@ -89,20 +89,20 @@ int ssl_verify_certificate_validity(int s, X509_STORE_CTX *store) {
switch (m->auth_mode) {
case OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY: {
log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
return 0;
}
break;
case OPEN_SSL_CERTIFICATE_AUTH_MODE_WARN: {
log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
"Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));

return 1;
}
break;
case OPEN_SSL_CERTIFICATE_AUTH_MODE_ALLOW: {
log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
"Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
"TLS: Failed to verify certificate server=%s: %s", pretty, X509_verify_cert_error_string(r));
return 1;
}
break;
Expand All @@ -111,12 +111,12 @@ int ssl_verify_certificate_validity(int s, X509_STORE_CTX *store) {
}}
break;
default:
log_error("Failed to validate remote certificate server=%s: %s. Aborting connection ...", pretty, X509_verify_cert_error_string(r));
log_error("TLS: Failed to validate remote certificate server=%s: %s. Aborting connection ...", pretty, X509_verify_cert_error_string(r));
return 0;
}
}

log_debug("SSL ceritificates verified server=%s: %s", pretty, X509_verify_cert_error_string(r));
log_debug("TLS: SSL ceritificates verified server=%s: %s", pretty, X509_verify_cert_error_string(r));

return 1;
}
Expand All @@ -133,9 +133,9 @@ static int tls_write(TLSManager *m, const char *buf, size_t count) {
ERR_clear_error();
r = SSL_write(m->ssl, buf, count);
if (r <= 0)
return log_error_errno(r, "Failed to invoke SSL_write: %s", TLS_ERROR_STRING(SSL_get_error(m->ssl, r)));
return log_error_errno(r, "TLS: Failed to invoke SSL_write: %s", TLS_ERROR_STRING(SSL_get_error(m->ssl, r)));

return log_debug("Successful TLS SSL_write: %d bytes", r);
return log_debug("TLS: Successful TLS SSL_write: %d bytes", r);
}

int tls_stream_writev(TLSManager *m, const struct iovec *iov, size_t iovcnt) {
Expand Down Expand Up @@ -194,32 +194,32 @@ int tls_connect(TLSManager *m, SocketAddress *address) {

fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (fd < 0)
return log_error_errno(errno, "Failed to allocate socket: %m");;
return log_error_errno(errno, "TLS: Failed to allocate socket: %m");;

r = sockaddr_pretty(&address->sockaddr.sa, salen, true, true, &pretty);
if (r < 0)
return r;

r = connect(fd, &address->sockaddr.sa, salen);
if (r < 0 && errno != EINPROGRESS)
return log_error_errno(errno, "Failed to connect to remote server='%s': %m", pretty);;
return log_error_errno(errno, "TLS: Failed to connect to remote server='%s': %m", pretty);;

log_debug("Connected to remote server: '%s'", pretty);
log_debug("TLS: Connected to remote server: '%s'", pretty);

ctx = SSL_CTX_new(SSLv23_client_method());
if (!ctx)
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
"Failed to allocate memory for SSL CTX: %m");
"TLS: Failed to allocate memory for SSL CTX: %m");

ssl = SSL_new(ctx);
if (!ssl)
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
"Failed to allocate memory for ssl: %s",
"TLS: Failed to allocate memory for ssl: %s",
ERR_error_string(ERR_get_error(), NULL));
r = SSL_set_fd(ssl, fd);
if (r <= 0)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Failed to SSL_set_fd: %s",
"TLS: Failed to SSL_set_fd: %s",
ERR_error_string(ERR_get_error(), NULL));
/* Cerification verification */
if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE && m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID) {
Expand All @@ -240,12 +240,12 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
r = SSL_connect(ssl);
if (r <= 0)
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
"Failed to SSL_connect: %s",
"TLS: Failed to SSL_connect: %s",
ERR_error_string(ERR_get_error(), NULL));

cipher = SSL_get_current_cipher(ssl);

log_debug("SSL: Cipher Version: %s Name: %s", SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher));
log_debug("TLS: SSL Cipher Version: %s Name: %s", SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher));
if (DEBUG_LOGGING) {
_cleanup_(X509_freep) X509* cert = NULL;

Expand All @@ -254,12 +254,12 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
_cleanup_(OPENSSL_freep) void *subject = NULL, *issuer = NULL;

subject = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
log_debug("SSL: Subject: %s", (char *) subject);
log_debug("TLS: SSL Subject: %s", (char *) subject);

issuer = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
log_debug("SSL: Issuer: %s", (char *) issuer);
log_debug("TLS: SSL Issuer: %s", (char *) issuer);
} else
log_debug("SSL: No certificates.");
log_debug("TLS: SSL No certificates.");

}

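Review bot: The new strings `log_debug("TLS: Verifying SSL ceritificates of server: %s", pretty);` and `log_debug("TLS: SSL ceritificates verified server=%s: %s", ...)` in ssl_verify_certificate_validity keep the misspelling "ceritificates"; since this commit is about the log text, both should read `certificates`. `return log_debug("TLS: Successful TLS SSL_write: %d bytes", r);` in tls_write now says TLS twice, whereas the DTLS counterpart in this same commit was reduced to `"DTLS: Successful SSL_write: %d bytes"`, and the same form fits here. The `/* Cerification verification */` comment above the auth_mode check in tls_connect has the same kind of typo and should read `/* Certificate verification */`. ssl_verify_certificate_validity, tls_write and tls_connect all start or end outside the hunks shown.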

0 comments on commit 85c64f8

Please sign in to comment.