<p>Friendly Automation <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/11499">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Kevin Harwell: Looks good to me, but someone else must approve
Joshua Colp: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved
Friendly Automation: Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tcptls.c: Add peer hostname and port to some error messages<br><br>Where possible, hostname and port have been added to error<br>messages, mostly on the server side.<br><br>ASTERISK-26006<br>Reported by: Oleksandr Natalenko<br><br>Change-Id: Iff4f897277bc36ce8c5b493b71d0a4a7b74e62f0<br>---<br>M main/tcptls.c<br>1 file changed, 21 insertions(+), 10 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/main/tcptls.c b/main/tcptls.c</span><br><span>index d32b91f..c2397e7 100644</span><br><span>--- a/main/tcptls.c</span><br><span>+++ b/main/tcptls.c</span><br><span>@@ -599,7 +599,8 @@</span><br><span> HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)</span><br><span> {</span><br><span> if (!tcptls_session->stream_cookie || tcptls_session->stream_cookie->fd == -1) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "TCP/TLS read called on invalid stream.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "TCP/TLS read called on invalid stream with peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> errno = EIO;</span><br><span> return -1;</span><br><span> }</span><br><span>@@ -610,7 +611,8 @@</span><br><span> HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)</span><br><span> {</span><br><span> if (!tcptls_session->stream_cookie || tcptls_session->stream_cookie->fd == -1) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "TCP/TLS write called on invalid stream.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "TCP/TLS write called on invalid stream with peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ 
ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> errno = EIO;</span><br><span> return -1;</span><br><span> }</span><br><span>@@ -679,7 +681,8 @@</span><br><span> * this seems like a good general policy.</span><br><span> */</span><br><span> if (ast_thread_inhibit_escalations()) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection from peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> return NULL;</span><br><span>@@ -692,7 +695,8 @@</span><br><span> * the individual protocol handlers, but this seems like a good start.</span><br><span> */</span><br><span> if (ast_thread_user_interface_set(1)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Failed to set user interface status; killing connection\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Failed to set user interface status; killing connection from peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> return NULL;</span><br><span>@@ -724,7 +728,8 @@</span><br><span> char err[256];</span><br><span> int sslerr = SSL_get_error(tcptls_session->ssl, ret);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Problem setting up ssl connection: %s, %s\n", ERR_error_string(sslerr, err),</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Problem setting up ssl connection 
with peer '%s': %s, %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address), ERR_error_string(sslerr, err),</span><br><span> ssl_error_to_string(sslerr, ret));</span><br><span> } else if ((tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie,</span><br><span> tcptls_session->ssl, tcptls_session->fd, -1))) {</span><br><span>@@ -734,7 +739,8 @@</span><br><span> long res;</span><br><span> peer = SSL_get_peer_certificate(tcptls_session->ssl);</span><br><span> if (!peer) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "No SSL certificate to verify from peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> return NULL;</span><br><span>@@ -742,7 +748,9 @@</span><br><span> </span><br><span> res = SSL_get_verify_result(tcptls_session->ssl);</span><br><span> if (res != X509_V_OK) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Certificate from peer '%s' did not verify: %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address),</span><br><span style="color: hsl(120, 100%, 40%);">+ X509_verify_cert_error_string(res));</span><br><span> X509_free(peer);</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span>@@ -793,7 +801,8 @@</span><br><span> }</span><br><span> </span><br><span> if (!found) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Certificate 
common name did not match (%s)\n", tcptls_session->parent->hostname);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Certificate common name from peer '%s' did not match (%s)\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address), tcptls_session->parent->hostname);</span><br><span> X509_free(peer);</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span>@@ -811,7 +820,8 @@</span><br><span> </span><br><span> if (!tcptls_session->f) {</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_WARNING, "FILE * open failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_WARNING, "FILE * open failed from peer '%s'!\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> #ifndef DO_SSL</span><br><span> if (tcptls_session->parent->tls_cfg) {</span><br><span> ast_log(LOG_ERROR, "Attempted a TLS connection without OpenSSL support. 
This will not work!\n");</span><br><span>@@ -884,7 +894,8 @@</span><br><span> </span><br><span> /* This thread is now the only place that controls the single ref to tcptls_session */</span><br><span> if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread: %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread for peer '%s': %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address),</span><br><span> strerror(errno));</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/11499">change 11499</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/11499"/><meta itemprop="name" content="View Change"/></div></div>
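<p>Review bot: in the @@ -599 hunk (and every later hunk, which all use the same call) the value printed as the peer is ast_sockaddr_stringify(&amp;tcptls_session->remote_address), i.e. the numeric remote address and port; no name resolution takes place, so the commit title "Add peer hostname and port" overstates what is logged. Either reword the title to "address and port" or state in the message that the value is the socket address, so operators do not expect a DNS name in these lines.</p>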
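<p>Review bot: the peer token is phrased differently from hunk to hunk ("with peer '%s'" in @@ -599/-610/-724, "from peer '%s'" in @@ -679/-692/-734/-793/-811, "for peer '%s'" in @@ -884, and "Certificate from peer '%s' did not verify" in @@ -742), which means a log monitor needs several patterns to pull the address out of these errors. The certificate-verification failures in the @@ -734 and @@ -742 hunks are exactly the lines an operator would alert on, so a fixed suffix such as "... (peer '%s')\n" on every message would make them matchable with one expression.</p>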
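<p>Review bot: in the @@ -793 hunk the message "Certificate common name from peer '%s' did not match (%s)" prints tcptls_session->parent->hostname in the parentheses without saying what it is, so the reader sees two strings and cannot tell which one is the expected name and which is the peer. Suggest "Certificate common name from peer '%s' did not match expected hostname '%s'\n".</p>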
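<p>Review bot: in the @@ -811 hunk "FILE * open failed from peer '%s'!" reads as if the peer performed the open; the failure is local (tcptls_stream_fopen), so "for peer" as used in the @@ -884 hunk fits better. Note also that this log call runs after ast_tcptls_close_session_file(tcptls_session); remote_address is read directly from the session object rather than through the closed stream, so that is fine as long as the close path does not clear it, which is worth a quick check.</p>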
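<p>Review bot: in the @@ -884 hunk ast_sockaddr_stringify(...) and strerror(errno) are now arguments of the same ast_log() call, and C does not specify the order in which arguments are evaluated; if the stringify helper touches errno (address-to-string conversion commonly does), the errno left by the failed ast_pthread_create_detached_background may be overwritten before strerror reads it. Save it first, e.g. "int saved_errno = errno;" immediately after the failed call, and pass strerror(saved_errno). The other hunks are not exposed to this: the @@ -599 and @@ -610 hunks set errno only after the log call, and the @@ -724 hunk captures sslerr before logging.</p>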
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-Change-Id: Iff4f897277bc36ce8c5b493b71d0a4a7b74e62f0 </div>
<div style="display:none"> Gerrit-Change-Number: 11499 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>