[Asterisk-code-review] tcptls.c: Add peer hostname and port to some error messages (...asterisk[13])

Friendly Automation asteriskteam at digium.com
Mon Jul 1 10:04:31 CDT 2019


Friendly Automation has submitted this change and it was merged. ( https://gerrit.asterisk.org/c/asterisk/+/11499 )

Change subject: tcptls.c:  Add peer hostname and port to some error messages
......................................................................

tcptls.c:  Add peer hostname and port to some error messages

Where possible, hostname and port have been added to error
messages, mostly on the server side.

ASTERISK-26006
Reported by: Oleksandr Natalenko

Change-Id: Iff4f897277bc36ce8c5b493b71d0a4a7b74e62f0
---
M main/tcptls.c
1 file changed, 21 insertions(+), 10 deletions(-)

Approvals:
  Kevin Harwell: Looks good to me, but someone else must approve
  Joshua Colp: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved
  Friendly Automation: Approved for Submit



diff --git a/main/tcptls.c b/main/tcptls.c
index d32b91f..c2397e7 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -599,7 +599,8 @@
 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
 {
 	if (!tcptls_session->stream_cookie || tcptls_session->stream_cookie->fd == -1) {
-		ast_log(LOG_ERROR, "TCP/TLS read called on invalid stream.\n");
+		ast_log(LOG_ERROR, "TCP/TLS read called on invalid stream with peer '%s'\n",
+			ast_sockaddr_stringify(&tcptls_session->remote_address));
 		errno = EIO;
 		return -1;
 	}
@@ -610,7 +611,8 @@
 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
 {
 	if (!tcptls_session->stream_cookie || tcptls_session->stream_cookie->fd == -1) {
-		ast_log(LOG_ERROR, "TCP/TLS write called on invalid stream.\n");
+		ast_log(LOG_ERROR, "TCP/TLS write called on invalid stream with peer '%s'\n",
+			ast_sockaddr_stringify(&tcptls_session->remote_address));
 		errno = EIO;
 		return -1;
 	}
@@ -679,7 +681,8 @@
 	 * this seems like a good general policy.
 	 */
 	if (ast_thread_inhibit_escalations()) {
-		ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection\n");
+		ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection from peer '%s'\n",
+			ast_sockaddr_stringify(&tcptls_session->remote_address));
 		ast_tcptls_close_session_file(tcptls_session);
 		ao2_ref(tcptls_session, -1);
 		return NULL;
@@ -692,7 +695,8 @@
 	 * the individual protocol handlers, but this seems like a good start.
 	 */
 	if (ast_thread_user_interface_set(1)) {
-		ast_log(LOG_ERROR, "Failed to set user interface status; killing connection\n");
+		ast_log(LOG_ERROR, "Failed to set user interface status; killing connection from peer '%s'\n",
+			ast_sockaddr_stringify(&tcptls_session->remote_address));
 		ast_tcptls_close_session_file(tcptls_session);
 		ao2_ref(tcptls_session, -1);
 		return NULL;
@@ -724,7 +728,8 @@
 			char err[256];
 			int sslerr = SSL_get_error(tcptls_session->ssl, ret);
 
-			ast_log(LOG_ERROR, "Problem setting up ssl connection: %s, %s\n", ERR_error_string(sslerr, err),
+			ast_log(LOG_ERROR, "Problem setting up ssl connection with peer '%s': %s, %s\n",
+				ast_sockaddr_stringify(&tcptls_session->remote_address), ERR_error_string(sslerr, err),
 				ssl_error_to_string(sslerr, ret));
 		} else if ((tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie,
 			tcptls_session->ssl, tcptls_session->fd, -1))) {
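Review bot: `ERR_error_string(sslerr, err)` on the new log line is given the return value of `SSL_get_error()`, which is an `SSL_ERROR_*` classification rather than a packed OpenSSL error-queue code, so the first `%s` will not name the actual handshake failure. Now that the message identifies the peer, the reason should be usable for triage too: fill `err` from the error queue before logging, e.g. `ERR_error_string_n(ERR_get_error(), err, sizeof(err));`, and pass `err` as the argument. The enclosing function starts and ends outside this hunk, so confirm whether the error queue is already drained elsewhere.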
@@ -734,7 +739,8 @@
 				long res;
 				peer = SSL_get_peer_certificate(tcptls_session->ssl);
 				if (!peer) {
-					ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
+					ast_log(LOG_ERROR, "No SSL certificate to verify from peer '%s'\n",
+						ast_sockaddr_stringify(&tcptls_session->remote_address));
 					ast_tcptls_close_session_file(tcptls_session);
 					ao2_ref(tcptls_session, -1);
 					return NULL;
@@ -742,7 +748,9 @@
 
 				res = SSL_get_verify_result(tcptls_session->ssl);
 				if (res != X509_V_OK) {
-					ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
+					ast_log(LOG_ERROR, "Certificate from peer '%s' did not verify: %s\n",
+						ast_sockaddr_stringify(&tcptls_session->remote_address),
+						X509_verify_cert_error_string(res));
 					X509_free(peer);
 					ast_tcptls_close_session_file(tcptls_session);
 					ao2_ref(tcptls_session, -1);
@@ -793,7 +801,8 @@
 					}
 
 					if (!found) {
-						ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
+						ast_log(LOG_ERROR, "Certificate common name from peer '%s' did not match (%s)\n",
+							ast_sockaddr_stringify(&tcptls_session->remote_address), tcptls_session->parent->hostname);
 						X509_free(peer);
 						ast_tcptls_close_session_file(tcptls_session);
 						ao2_ref(tcptls_session, -1);
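Review bot: With two values in the message, the trailing `(%s)` no longer makes clear that it is the hostname the certificate was compared against (presumably the locally configured one) rather than something the peer presented. Suggest `"Certificate common name from peer '%s' did not match expected hostname '%s'\n"` so that someone reading the log can tell the remote endpoint from the local expectation at a glance. The matching loop that sets `found` is outside this hunk.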
@@ -811,7 +820,8 @@
 
 	if (!tcptls_session->f) {
 		ast_tcptls_close_session_file(tcptls_session);
-		ast_log(LOG_WARNING, "FILE * open failed!\n");
+		ast_log(LOG_WARNING, "FILE * open failed from peer '%s'!\n",
+			ast_sockaddr_stringify(&tcptls_session->remote_address));
 #ifndef DO_SSL
 		if (tcptls_session->parent->tls_cfg) {
 			ast_log(LOG_ERROR, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
@@ -884,7 +894,8 @@
 
 		/* This thread is now the only place that controls the single ref to tcptls_session */
 		if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
-			ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread: %s\n",
+			ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread for peer '%s': %s\n",
+				ast_sockaddr_stringify(&tcptls_session->remote_address),
 				strerror(errno));
 			ast_tcptls_close_session_file(tcptls_session);
 			ao2_ref(tcptls_session, -1);
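Review bot: The added `ast_sockaddr_stringify()` argument is evaluated in unspecified order relative to `strerror(errno)`, so if that helper can modify `errno` (its body is not visible here) the logged reason may be wrong. Separately, pthread-style create calls normally report failure through their return value rather than `errno`; if that holds for `ast_pthread_create_detached_background`, capture it with `int res = ast_pthread_create_detached_background(...);` and log `strerror(res)`. At minimum, copy `errno` into a local before the `ast_log` call. The surrounding accept loop starts and ends outside this hunk.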

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/11499

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Change-Id: Iff4f897277bc36ce8c5b493b71d0a4a7b74e62f0
Gerrit-Change-Number: 11499
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged