[Asterisk-code-review] pjproject_bundled: Add peer information to most SSL/TLS errors (...asterisk[13])

George Joseph asteriskteam at digium.com
Mon Jul 1 10:19:17 CDT 2019


George Joseph has submitted this change and it was merged. ( https://gerrit.asterisk.org/c/asterisk/+/11495 )

Change subject: pjproject_bundled:  Add peer information to most SSL/TLS errors
......................................................................

pjproject_bundled:  Add peer information to most SSL/TLS errors

Most SSL/TLS error messages coming from pjproject now have either
the peer address:port or peer hostname, depending on what was
available at the time and code location where the error was
generated.

ASTERISK-28444
Reported by: Bernhard Schmidt

Change-Id: I41770e8a1ea5e96f6e16b236692c4269ce1ba91e
---
A third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch
1 file changed, 157 insertions(+), 0 deletions(-)

Approvals:
  Kevin Harwell: Looks good to me, but someone else must approve
  Joshua Colp: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved; Approved for Submit



diff --git a/third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch b/third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch
new file mode 100644
index 0000000..53bde48
--- /dev/null
+++ b/third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch
@@ -0,0 +1,157 @@
+From 85b28c475b5dfd3b01dafffd1d0b3dbb6f087829 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph at digium.com>
+Date: Thu, 27 Jun 2019 11:19:47 -0600
+Subject: [PATCH] ssl_sock_ossl/sip_transport_tls:  Add peer to error messages
+
+Added peer address:port to error messages in ssl_sock_ossl.
+Added peer hostname to error messages in sip_transport_tls.
+---
+ pjlib/src/pj/ssl_sock_ossl.c        | 22 +++++++++++++---------
+ pjsip/src/pjsip/sip_transport_tls.c | 17 +++++++++--------
+ 2 files changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
+index b4ac5c15f..42db8fdbe 100644
+--- a/pjlib/src/pj/ssl_sock_ossl.c
++++ b/pjlib/src/pj/ssl_sock_ossl.c
+@@ -210,15 +210,19 @@ static char *SSLErrorString (int err)
+     }
+ }
+ 
+-#define ERROR_LOG(msg, err) \
+-    PJ_LOG(2,("SSL", "%s (%s): Level: %d err: <%lu> <%s-%s-%s> len: %d", \
++#define ERROR_LOG(msg, err, ssock) \
++{ \
++    char buf[PJ_INET6_ADDRSTRLEN+10]; \
++    PJ_LOG(2,("SSL", "%s (%s): Level: %d err: <%lu> <%s-%s-%s> len: %d peer: %s", \
+ 	      msg, action, level, err, \
+ 	      (ERR_lib_error_string(err)? ERR_lib_error_string(err): "???"), \
+ 	      (ERR_func_error_string(err)? ERR_func_error_string(err):"???"),\
+ 	      (ERR_reason_error_string(err)? \
+-	       ERR_reason_error_string(err): "???"), len));
++	       ERR_reason_error_string(err): "???"), len, \
++	       pj_sockaddr_print(&ssock->rem_addr, buf, sizeof(buf), 3))); \
++}
+ 
+-static void SSLLogErrors(char * action, int ret, int ssl_err, int len)
++static void SSLLogErrors(char * action, int ret, int ssl_err, int len, pj_ssl_sock_t *ssock)
+ {
+     char *ssl_err_str = SSLErrorString(ssl_err);
+ 
+@@ -233,7 +237,7 @@ static void SSLLogErrors(char * action, int ret, int ssl_err, int len)
+ 	if (err2) {
+ 	    int level = 0;
+ 	    while (err2) {
+-	        ERROR_LOG("SSL_ERROR_SYSCALL", err2);
++	        ERROR_LOG("SSL_ERROR_SYSCALL", err2, ssock);
+ 		level++;
+ 		err2 = ERR_get_error();
+ 	    }
+@@ -264,7 +268,7 @@ static void SSLLogErrors(char * action, int ret, int ssl_err, int len)
+ 	int level = 0;
+ 
+ 	while (err2) {
+-	    ERROR_LOG("SSL_ERROR_SSL", err2);
++	    ERROR_LOG("SSL_ERROR_SSL", err2, ssock);
+ 	    level++;
+ 	    err2 = ERR_get_error();
+ 	}
+@@ -302,13 +306,13 @@ static pj_status_t STATUS_FROM_SSL_ERR(char *action, pj_ssl_sock_t *ssock,
+     int level = 0;
+     int len = 0; //dummy
+ 
+-    ERROR_LOG("STATUS_FROM_SSL_ERR", err);
++    ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);
+     level++;
+ 
+     /* General SSL error, dig more from OpenSSL error queue */
+     if (err == SSL_ERROR_SSL) {
+ 	err = ERR_get_error();
+-	ERROR_LOG("STATUS_FROM_SSL_ERR", err);
++	ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);
+     }
+ 
+     ssock->last_err = err;
+@@ -326,7 +330,7 @@ static pj_status_t STATUS_FROM_SSL_ERR2(char *action, pj_ssl_sock_t *ssock,
+     }
+ 
+     /* Dig for more from OpenSSL error queue */
+-    SSLLogErrors(action, ret, err, len);
++    SSLLogErrors(action, ret, err, len, ssock);
+ 
+     ssock->last_err = ssl_err;
+     return GET_STATUS_FROM_SSL_ERR(ssl_err);
+diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c
+index 38349aa7a..d40bc7ea3 100644
+--- a/pjsip/src/pjsip/sip_transport_tls.c
++++ b/pjsip/src/pjsip/sip_transport_tls.c
+@@ -173,9 +173,10 @@ static void wipe_buf(pj_str_t *buf);
+ 
+ 
+ static void tls_perror(const char *sender, const char *title,
+-		       pj_status_t status)
++		       pj_status_t status, pj_str_t *remote_name)
+ {
+-    PJ_PERROR(3,(sender, status, "%s: [code=%d]", title, status));
++    PJ_PERROR(3,(sender, status, "%s: [code=%d]%s%.*s", title, status,
++        remote_name ? " peer: " : "", remote_name ? remote_name->slen : 0, remote_name ? remote_name->ptr : ""));
+ }
+ 
+ 
+@@ -730,7 +731,7 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
+     status = pjsip_tls_transport_lis_start(factory, local, a_name);
+     if (status != PJ_SUCCESS) {	
+ 	tls_perror(listener->factory.obj_name, 
+-		   "Unable to start listener after closing it", status);
++		   "Unable to start listener after closing it", status, NULL);
+ 
+ 	return status;
+     }
+@@ -739,7 +740,7 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
+ 					    &listener->factory);
+     if (status != PJ_SUCCESS) {
+ 	tls_perror(listener->factory.obj_name,
+-		    "Unable to register the transport listener", status);
++		    "Unable to register the transport listener", status, NULL);
+ 
+ 	listener->is_registered = PJ_FALSE;	
+     } else {
+@@ -1085,7 +1086,7 @@ static pj_status_t tls_start_read(struct tls_transport *tls)
+ 				   PJSIP_POOL_RDATA_LEN,
+ 				   PJSIP_POOL_RDATA_INC);
+     if (!pool) {
+-	tls_perror(tls->base.obj_name, "Unable to create pool", PJ_ENOMEM);
++	tls_perror(tls->base.obj_name, "Unable to create pool", PJ_ENOMEM, NULL);
+ 	return PJ_ENOMEM;
+     }
+ 
+@@ -1772,7 +1773,7 @@ static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
+     /* Check connect() status */
+     if (status != PJ_SUCCESS) {
+ 
+-	tls_perror(tls->base.obj_name, "TLS connect() error", status);
++	tls_perror(tls->base.obj_name, "TLS connect() error", status, &tls->remote_name);
+ 
+ 	/* Cancel all delayed transmits */
+ 	while (!pj_list_empty(&tls->delayed_list)) {
+@@ -1916,7 +1917,7 @@ static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
+     pjsip_transport_dec_ref(&tls->base);
+     if (is_shutdown) {
+ 	status = tls->close_reason;
+-	tls_perror(tls->base.obj_name, "TLS connect() error", status);
++	tls_perror(tls->base.obj_name, "TLS connect() error", status, &tls->remote_name);
+ 
+ 	/* Cancel all delayed transmits */
+ 	while (!pj_list_empty(&tls->delayed_list)) {
+@@ -2015,7 +2016,7 @@ static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e)
+ 
+     if (status != PJ_SUCCESS && status != PJ_EPENDING) {
+ 	tls_perror(tls->base.obj_name, 
+-		   "Error sending keep-alive packet", status);
++		   "Error sending keep-alive packet", status, &tls->remote_name);
+ 
+ 	tls_init_shutdown(tls, status);
+ 	return;
+-- 
+2.21.0
+

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/11495
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Change-Id: I41770e8a1ea5e96f6e16b236692c4269ce1ba91e
Gerrit-Change-Number: 11495
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20190701/f21d4298/attachment-0001.html>


More information about the asterisk-code-review mailing list