[tls tracing] improve error reporting

(cherry picked from commit 5e3a803577e68fad36acc6944ed04b1bbcc59ec1)
OpenSIPS · Mar 24, 2017 · be8c1d9 · be8c1d9
1 parent 7aae337
commit be8c1d9
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 14 deletions.
diff --git a/modules/tls_mgm/tls_conn.h b/modules/tls_mgm/tls_conn.h
@@ -26,6 +26,35 @@ static void tls_print_errstack(void)
 	}
 }
 
+static int tls_get_errstack( char* result, int size )
+{
+	int len = 0, new, code;
+
+	if ( !result || !size )
+		return 0;
+
+
+	while ((code = ERR_get_error())) {
+		/* in case we overflow the buffer we still need to report the error
+		 * to syslog */
+		if ( len < size ) {
+			new = snprintf( result + len, size - len,
+						"%s\n", ERR_error_string( code, 0) );
+			LM_ERR("TLS errstack: %s\n", result + len);
+		} else {
+			LM_ERR("TLS errstack: %s\n", ERR_error_string(code, 0));
+		}
+
+		if ( new < size ) {
+			len += new;
+		} else {
+			len = size;
+		}
+	}
+
+	return len;
+}
+
 /*
  * Update ssl structure with new fd
  */

diff --git a/modules/tls_mgm/tls_conn_server.h b/modules/tls_mgm/tls_conn_server.h
@@ -20,6 +20,9 @@
 #endif
 #include "../../net/trans_trace.h"
 
+#define TLS_ERR_MAX 256
+static char tls_err_buf[TLS_ERR_MAX];
+
 static inline int trace_tls( struct tcp_connection* conn, SSL* ctx, trans_trace_event event, trans_trace_status status, str* data);
 
 #define TRACE_IS_ON( CONN ) (CONN->proto_data && \
@@ -217,6 +220,8 @@ static int tls_accept(struct tcp_connection *c, short *poll_events)
 	SSL *ssl;
 	X509* cert;
 
+	str tls_err_s;
+
 	if ( (c->proto_flags&F_TLS_DO_ACCEPT)==0 ) {
 		LM_BUG("invalid connection state (bug in TLS code)\n");
 		return -1;
@@ -275,17 +280,14 @@ static int tls_accept(struct tcp_connection *c, short *poll_events)
 		return 0;
 	} else {
 		err = SSL_get_error(ssl, ret);
-		if ( err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE ) {
-			/* report failure */
-			trace_tls( c, ssl, TRANS_TRACE_ACCEPTED,
-					TRANS_TRACE_FAILURE, &ACCEPT_FAIL);
-		}
-
 		switch (err) {
 			case SSL_ERROR_ZERO_RETURN:
 				LM_INFO("TLS connection from %s:%d accept failed cleanly\n",
 					ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
 
+				trace_tls( c, ssl, TRANS_TRACE_ACCEPTED,
+						TRANS_TRACE_FAILURE, &ACCEPT_FAIL);
+
 				c->state = S_CONN_BAD;
 				return -1;
 			case SSL_ERROR_WANT_READ:
@@ -305,7 +307,25 @@ static int tls_accept(struct tcp_connection *c, short *poll_events)
 					LM_ERR("TLS error: (ret=%d, err=%d, errno=%d/%s):\n",
 					       ret, err, errno, strerror(errno));
 				}
-				tls_print_errstack();
+
+				if ( TRACE_IS_ON( c ) ) {
+					if ( ( tls_err_s.len =
+							tls_get_errstack( tls_err_buf, TLS_ERR_MAX ) ) == 0 ) {
+						if ( errno ) {
+							tls_err_s.len = snprintf( tls_err_buf, TLS_ERR_MAX,
+									"TLS error: (ret=%d, err=%d, errno=%d/%s)",
+										ret, err, errno, strerror(errno));
+						} else {
+							tls_err_s.len = snprintf( tls_err_buf, TLS_ERR_MAX,
+									"New TLS connection failed to accept" );
+						}
+					}
+					tls_err_s.s = tls_err_buf;
+					trace_tls( c, ssl, TRANS_TRACE_ACCEPTED,
+							TRANS_TRACE_FAILURE, &tls_err_s);
+				} else {
+					tls_print_errstack();
+				}
 
 				return -1;
 		}
@@ -325,6 +345,8 @@ static int tls_connect(struct tcp_connection *c, short *poll_events)
 	SSL *ssl;
 	X509* cert;
 
+	str tls_err_s;
+
 	if ( (c->proto_flags&F_TLS_DO_CONNECT)==0 ) {
 		LM_BUG("invalid connection state (bug in TLS code)\n");
 		return -1;
@@ -370,17 +392,14 @@ static int tls_connect(struct tcp_connection *c, short *poll_events)
 		return 0;
 	} else {
 		err = SSL_get_error(ssl, ret);
-		if ( err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE ) {
-			/* report failure */
-			trace_tls( c, ssl, TRANS_TRACE_CONNECTED,
-					TRANS_TRACE_FAILURE, &CONNECT_OK);
-		}
-
 		switch (err) {
 			case SSL_ERROR_ZERO_RETURN:
 				LM_INFO("New TLS connection to %s:%d failed cleanly\n",
 					ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
 
+				trace_tls( c, ssl, TRANS_TRACE_CONNECTED,
+						TRANS_TRACE_FAILURE, &CONNECT_FAIL);
+
 				c->state = S_CONN_BAD;
 				return -1;
 			case SSL_ERROR_WANT_READ:
@@ -401,7 +420,19 @@ static int tls_connect(struct tcp_connection *c, short *poll_events)
 				LM_ERR("TLS error: %d (ret=%d) err=%s(%d)\n",
 					err,ret,strerror(errno), errno);
 				c->state = S_CONN_BAD;
-				tls_print_errstack();
+
+				if ( TRACE_IS_ON( c ) ) {
+					if ( ( tls_err_s.len =
+							tls_get_errstack( tls_err_buf, TLS_ERR_MAX ) ) == 0 ) {
+						tls_err_s.len = snprintf( tls_err_buf, TLS_ERR_MAX,
+								"New TLS connection failed to connect" );
+					}
+					tls_err_s.s = tls_err_buf;
+					trace_tls( c, ssl, TRANS_TRACE_CONNECTED,
+							TRANS_TRACE_FAILURE, &tls_err_s);
+				} else {
+					tls_print_errstack();
+				}
 
 				return -1;
 		}