[Asterisk-code-review] pjproject_bundled: Add peer information to most SSL/TLS errors (...asterisk[master])
Friendly Automation
asteriskteam at digium.com
Mon Jul 1 10:05:26 CDT 2019
Friendly Automation has submitted this change and it was merged. ( https://gerrit.asterisk.org/c/asterisk/+/11497 )
Change subject: pjproject_bundled: Add peer information to most SSL/TLS errors
......................................................................
pjproject_bundled: Add peer information to most SSL/TLS errors
Most SSL/TLS error messages coming from pjproject now have either
the peer address:port or peer hostname, depending on what was
available at the time and code location where the error was
generated.
ASTERISK-28444
Reported by: Bernhard Schmidt
Change-Id: I41770e8a1ea5e96f6e16b236692c4269ce1ba91e
---
A third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch
1 file changed, 157 insertions(+), 0 deletions(-)
Approvals:
Kevin Harwell: Looks good to me, but someone else must approve
Joshua Colp: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved
Friendly Automation: Approved for Submit
diff --git a/third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch b/third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch
new file mode 100644
index 0000000..53bde48
--- /dev/null
+++ b/third-party/pjproject/patches/0010-ssl_sock_ossl-sip_transport_tls-Add-peer-to-error-me.patch
@@ -0,0 +1,157 @@
+From 85b28c475b5dfd3b01dafffd1d0b3dbb6f087829 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph at digium.com>
+Date: Thu, 27 Jun 2019 11:19:47 -0600
+Subject: [PATCH] ssl_sock_ossl/sip_transport_tls: Add peer to error messages
+
+Added peer address:port to error messages in ssl_sock_ossl.
+Added peer hostname to error messages in sip_transport_tls.
+---
+ pjlib/src/pj/ssl_sock_ossl.c | 22 +++++++++++++---------
+ pjsip/src/pjsip/sip_transport_tls.c | 17 +++++++++--------
+ 2 files changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
+index b4ac5c15f..42db8fdbe 100644
+--- a/pjlib/src/pj/ssl_sock_ossl.c
++++ b/pjlib/src/pj/ssl_sock_ossl.c
+@@ -210,15 +210,19 @@ static char *SSLErrorString (int err)
+ }
+ }
+
+-#define ERROR_LOG(msg, err) \
+- PJ_LOG(2,("SSL", "%s (%s): Level: %d err: <%lu> <%s-%s-%s> len: %d", \
++#define ERROR_LOG(msg, err, ssock) \
++{ \
++ char buf[PJ_INET6_ADDRSTRLEN+10]; \
++ PJ_LOG(2,("SSL", "%s (%s): Level: %d err: <%lu> <%s-%s-%s> len: %d peer: %s", \
+ msg, action, level, err, \
+ (ERR_lib_error_string(err)? ERR_lib_error_string(err): "???"), \
+ (ERR_func_error_string(err)? ERR_func_error_string(err):"???"),\
+ (ERR_reason_error_string(err)? \
+- ERR_reason_error_string(err): "???"), len));
++ ERR_reason_error_string(err): "???"), len, \
++ pj_sockaddr_print(&ssock->rem_addr, buf, sizeof(buf), 3))); \
++}
+
+-static void SSLLogErrors(char * action, int ret, int ssl_err, int len)
++static void SSLLogErrors(char * action, int ret, int ssl_err, int len, pj_ssl_sock_t *ssock)
+ {
+ char *ssl_err_str = SSLErrorString(ssl_err);
+
+@@ -233,7 +237,7 @@ static void SSLLogErrors(char * action, int ret, int ssl_err, int len)
+ if (err2) {
+ int level = 0;
+ while (err2) {
+- ERROR_LOG("SSL_ERROR_SYSCALL", err2);
++ ERROR_LOG("SSL_ERROR_SYSCALL", err2, ssock);
+ level++;
+ err2 = ERR_get_error();
+ }
+@@ -264,7 +268,7 @@ static void SSLLogErrors(char * action, int ret, int ssl_err, int len)
+ int level = 0;
+
+ while (err2) {
+- ERROR_LOG("SSL_ERROR_SSL", err2);
++ ERROR_LOG("SSL_ERROR_SSL", err2, ssock);
+ level++;
+ err2 = ERR_get_error();
+ }
+@@ -302,13 +306,13 @@ static pj_status_t STATUS_FROM_SSL_ERR(char *action, pj_ssl_sock_t *ssock,
+ int level = 0;
+ int len = 0; //dummy
+
+- ERROR_LOG("STATUS_FROM_SSL_ERR", err);
++ ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);
+ level++;
+
+ /* General SSL error, dig more from OpenSSL error queue */
+ if (err == SSL_ERROR_SSL) {
+ err = ERR_get_error();
+- ERROR_LOG("STATUS_FROM_SSL_ERR", err);
++ ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock);
+ }
+
+ ssock->last_err = err;
+@@ -326,7 +330,7 @@ static pj_status_t STATUS_FROM_SSL_ERR2(char *action, pj_ssl_sock_t *ssock,
+ }
+
+ /* Dig for more from OpenSSL error queue */
+- SSLLogErrors(action, ret, err, len);
++ SSLLogErrors(action, ret, err, len, ssock);
+
+ ssock->last_err = ssl_err;
+ return GET_STATUS_FROM_SSL_ERR(ssl_err);
+diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c
+index 38349aa7a..d40bc7ea3 100644
+--- a/pjsip/src/pjsip/sip_transport_tls.c
++++ b/pjsip/src/pjsip/sip_transport_tls.c
+@@ -173,9 +173,10 @@ static void wipe_buf(pj_str_t *buf);
+
+
+ static void tls_perror(const char *sender, const char *title,
+- pj_status_t status)
++ pj_status_t status, pj_str_t *remote_name)
+ {
+- PJ_PERROR(3,(sender, status, "%s: [code=%d]", title, status));
++ PJ_PERROR(3,(sender, status, "%s: [code=%d]%s%.*s", title, status,
++ remote_name ? " peer: " : "", remote_name ? remote_name->slen : 0, remote_name ? remote_name->ptr : ""));
+ }
+
+
+@@ -730,7 +731,7 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
+ status = pjsip_tls_transport_lis_start(factory, local, a_name);
+ if (status != PJ_SUCCESS) {
+ tls_perror(listener->factory.obj_name,
+- "Unable to start listener after closing it", status);
++ "Unable to start listener after closing it", status, NULL);
+
+ return status;
+ }
+@@ -739,7 +740,7 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
+ &listener->factory);
+ if (status != PJ_SUCCESS) {
+ tls_perror(listener->factory.obj_name,
+- "Unable to register the transport listener", status);
++ "Unable to register the transport listener", status, NULL);
+
+ listener->is_registered = PJ_FALSE;
+ } else {
+@@ -1085,7 +1086,7 @@ static pj_status_t tls_start_read(struct tls_transport *tls)
+ PJSIP_POOL_RDATA_LEN,
+ PJSIP_POOL_RDATA_INC);
+ if (!pool) {
+- tls_perror(tls->base.obj_name, "Unable to create pool", PJ_ENOMEM);
++ tls_perror(tls->base.obj_name, "Unable to create pool", PJ_ENOMEM, NULL);
+ return PJ_ENOMEM;
+ }
+
+@@ -1772,7 +1773,7 @@ static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
+ /* Check connect() status */
+ if (status != PJ_SUCCESS) {
+
+- tls_perror(tls->base.obj_name, "TLS connect() error", status);
++ tls_perror(tls->base.obj_name, "TLS connect() error", status, &tls->remote_name);
+
+ /* Cancel all delayed transmits */
+ while (!pj_list_empty(&tls->delayed_list)) {
+@@ -1916,7 +1917,7 @@ static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
+ pjsip_transport_dec_ref(&tls->base);
+ if (is_shutdown) {
+ status = tls->close_reason;
+- tls_perror(tls->base.obj_name, "TLS connect() error", status);
++ tls_perror(tls->base.obj_name, "TLS connect() error", status, &tls->remote_name);
+
+ /* Cancel all delayed transmits */
+ while (!pj_list_empty(&tls->delayed_list)) {
+@@ -2015,7 +2016,7 @@ static void tls_keep_alive_timer(pj_timer_heap_t *th, pj_timer_entry *e)
+
+ if (status != PJ_SUCCESS && status != PJ_EPENDING) {
+ tls_perror(tls->base.obj_name,
+- "Error sending keep-alive packet", status);
++ "Error sending keep-alive packet", status, &tls->remote_name);
+
+ tls_init_shutdown(tls, status);
+ return;
+--
+2.21.0
+
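Review bot: In the new `tls_perror()` body in sip_transport_tls.c, the precision passed to `%.*s` is `remote_name ? remote_name->slen : 0`, but `slen` in pjlib's `pj_str_t` is a `pj_ssize_t` while `%.*s` requires an `int`. On LP64 builds that is a type mismatch in a variadic call, and the precision is the only bound on the read, since a `pj_str_t` is not guaranteed to be NUL-terminated. The argument should be cast: `remote_name ? (int)remote_name->slen : 0`. Separately, the reworked `ERROR_LOG` in ssl_sock_ossl.c expands to a bare `{ ... }` block that declares a local named `buf`; wrapping it in `do { ... } while (0)` and giving the buffer a less collision-prone name would keep `ERROR_LOG(...);` safe in an unbraced `if`/`else` and avoid shadowing a caller's `buf`.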
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/11497
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I41770e8a1ea5e96f6e16b236692c4269ce1ba91e
Gerrit-Change-Number: 11497
Gerrit-PatchSet: 2
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged