From d0b8856b0b7be8d36a42ff2216c09ad3e69d975c Mon Sep 17 00:00:00 2001
From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com>
Date: Mon, 10 Jun 2024 11:21:58 +0200
Subject: [PATCH 1/6] Enhance ssl log
---
src/net.c | 7 ++++++-
src/tls.c | 14 ++++++++++----
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/net.c b/src/net.c
index 3e23acb97..cba35ea20 100644
--- a/src/net.c
+++ b/src/net.c
@@ -973,7 +973,12 @@ int sockread(char *s, int *len, sock_list *slist, int slistmax, int tclonly) { if (slist[i].ssl) { x = SSL_read(slist[i].ssl, s, grab); - if (x < 0) { + if (!x && (SSL_get_shutdown(slist[i].ssl) == SSL_RECEIVED_SHUTDOWN)) { + *len = slist[i].sock; + slist[i].flags &= ~SOCK_CONNECT; + debug1("net: SSL_read(): received shutdown sock %i", slist[i].sock); + return -1; + } else if (x < 0) { int err = SSL_get_error(slist[i].ssl, x); if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) errno = EAGAIN;
diff --git a/src/tls.c b/src/tls.c
index 180af6b37..5762b39cb 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -799,7 +799,7 @@ static void ssl_info(const SSL *ssl, int where, int ret) SSL_alert_desc_string_long(ret)); } else { /* Ignore close notify warnings */ - debug1("Received close notify warning during %s", + debug1("TLS: Received close notify warning during %s", (where & SSL_CB_READ) ? "read" : "write"); } } else if (where & SSL_CB_EXIT) {
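Review bot: `SSL_get_shutdown()` returns a bitmask, and the new guard in sockread compares it for equality with `SSL_RECEIVED_SHUTDOWN`, so a connection on which the local side has already sent its own close_notify (both shutdown flags set) is not recognised here and falls through to the `x < 0` test with x == 0; test the bit instead: `if (!x && (SSL_get_shutdown(slist[i].ssl) & SSL_RECEIVED_SHUTDOWN)) {`. A zero return without a received close_notify — the peer dropping the TCP connection before sending one — is also matched by neither branch of this hunk; OpenSSL reports that case through `SSL_get_error()` (SSL_ERROR_SYSCALL, or SSL_ERROR_SSL on newer releases) and it is the classic sign of a truncated stream, so it deserves its own log line and error return rather than being treated like an empty read. What sockread does with x == 0 after this point is outside the hunk, so I cannot confirm whether the caller already distinguishes the two.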
@@ -819,10 +819,16 @@ static void ssl_info(const SSL *ssl, int where, int ret) SSL_state_string_long(ssl)); } } - } else { - /* Display the state of the engine for debugging purposes */ - debug1("TLS: state change: %s", SSL_state_string_long(ssl)); } + /* Display the state of the engine for debugging purposes */ + else if (where == SSL_CB_HANDSHAKE_START) + debug1("TLS: handshake start: %s", SSL_state_string_long(ssl)); + else if (where == SSL_CB_CONNECT_LOOP) + debug1("TLS: connect loop: %s", SSL_state_string_long(ssl)); + else if (where == SSL_CB_ACCEPT_LOOP) + debug1("TLS: accept loop: %s", SSL_state_string_long(ssl)); + else + debug1("TLS: state change: %s", SSL_state_string_long(ssl)); } /* Switch a socket to SSL communication
From 4776a10f86a5b5248725b811c8e217846e04a254 Mon Sep 17 00:00:00 2001
From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com>
Date: Mon, 10 Jun 2024 11:38:38 +0200
Subject: [PATCH 2/6] More
---
src/tls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tls.c b/src/tls.c
index 5762b39cb..2d3fc315c 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -799,7 +799,7 @@ static void ssl_info(const SSL *ssl, int where, int ret) SSL_alert_desc_string_long(ret)); } else { /* Ignore close notify warnings */ - debug1("TLS: Received close notify warning during %s", + debug1("TLS: Received close notify during %s", (where & SSL_CB_READ) ? "read" : "write"); } } else if (where & SSL_CB_EXIT) {
From 0b41275ebdd6c8da461e72b108c7c79957f48729 Mon Sep 17 00:00:00 2001
From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com>
Date: Mon, 10 Jun 2024 19:36:54 +0200
Subject: [PATCH 3/6] Add more error handling
---
src/tls.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/tls.c b/src/tls.c
index 2d3fc315c..2944cdebb 100644
--- a/src/tls.c
+++ b/src/tls.c
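Review bot: The rewritten tail of ssl_info places the comment `/* Display the state of the engine for debugging purposes */` between a closing `}` and its `else if`, and the four new branches are brace-less one-liners while the chain they extend (`} else if (where & SSL_CB_EXIT) {` above) is fully braced; a later edit that adds a second statement to one of these branches is exactly where a dangling-statement slip happens. Bracing each branch and moving the comment inside the first one, `else if (where == SSL_CB_HANDSHAKE_START) { /* Display the engine state for debugging purposes */`, keeps the function's style uniform. The exact-equality tests are correct for these composite constants; note only that SSL_CB_HANDSHAKE_DONE and a bare SSL_CB_LOOP still land in the generic "state change" line, which appears intended. The opening `if` of this chain is outside the hunk.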
@@ -531,6 +531,12 @@ static char *ssl_printname(X509_NAME *name) /* X509_NAME_oneline() is easier and shorter, but is deprecated and the manual discourages it's usage, so let's not be lazy ;) */ + if (!bio) { + debug0("TLS: ssl_printname(): BIO_new(): error"); + buf = nmalloc(1); + *buf = 0; + return buf; + } if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE & ~XN_FLAG_SPC_EQ)) { len = BIO_get_mem_data(bio, &data); if (len > 0) {
@@ -712,7 +718,7 @@ int ssl_verify(int ok, X509_STORE_CTX *ctx) !(data->verify & TLS_VERIFYFROM)) || ((err == X509_V_ERR_CERT_HAS_EXPIRED) && !(data->verify & TLS_VERIFYTO))) { - debug1("TLS: peer certificate warning: %s", + putlog(data->loglevel, "*", "TLS: peer certificate warning: %s", X509_verify_cert_error_string(err)); ok = 1; }
From 4c3f7af2e0f8abf0b94e8c929532e2378178c93c Mon Sep 17 00:00:00 2001
From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com>
Date: Mon, 10 Jun 2024 19:41:09 +0200
Subject: [PATCH 4/6] More
---
src/tls.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tls.c b/src/tls.c
index 2944cdebb..4a805e32a 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -570,6 +570,12 @@ static char *ssl_printtime(ASN1_UTCTIME *t) char *data, *buf; BIO *bio = BIO_new(BIO_s_mem()); + if (!bio) { + debug0("TLS: ssl_printtime(): BIO_new(): error"); + buf = nmalloc(1); + *buf = 0; + return buf; + } ASN1_UTCTIME_print(bio, t); len = BIO_get_mem_data(bio, &data); if (len > 0) {
From ae9510246cbd6ab525e2b0c865be938efe52dff5 Mon Sep 17 00:00:00 2001
From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com>
Date: Mon, 10 Jun 2024 19:43:29 +0200
Subject: [PATCH 5/6] More
---
src/tls.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tls.c b/src/tls.c
index 4a805e32a..9e594f008 100644
--- a/src/tls.c
+++ b/src/tls.c
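Review bot: The `if (!bio)` fallback in ssl_printname hands the caller an empty string that is indistinguishable from a certificate whose subject really is empty, so an allocation failure only ever surfaces as a debug line; if any caller uses the printed name for anything beyond logging (the callers are outside the hunk), it should at least log why, e.g. `debug1("TLS: ssl_printname(): BIO_new(): %s", ERR_reason_error_string(ERR_get_error()));`. The same four-line stanza is pasted verbatim into ssl_printtime (patch 4, @@ -570) and ssl_printnum (patch 5, @@ -603); a single static helper that allocates the empty result and logs the function name would keep the three in step the next time the policy changes. In this hunk the check is also wedged between the `/* X509_NAME_oneline() ... */` comment and the `X509_NAME_print_ex()` call that comment explains — placing it directly after the `BIO_new()` line, as the other two functions do, reads better. The `BIO_new()` call for ssl_printname is above the hunk, so I cannot see whether anything touches bio before the new check.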
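Review bot: The promoted `putlog(data->loglevel, "*", "TLS: peer certificate warning: %s", ...)` in ssl_verify names neither the peer nor the socket, so an operator who now sees "certificate has expired" in the main log cannot tell which link it concerns or act on it. If `data` here is the same per-connection structure whose `host` field ssl_handshake uses in patch 6, appending it makes the line actionable: `putlog(data->loglevel, "*", "TLS: peer certificate warning: %s (%s)", X509_verify_cert_error_string(err), data->host);`. Raising these from debug to the configured log level is the right direction, since the warning fires exactly when verification of that condition has been disabled and the handshake proceeds regardless (`ok = 1`). The start of ssl_verify and the derivation of `data` are outside the hunk.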
@@ -603,6 +603,12 @@ static char *ssl_printnum(ASN1_INTEGER *i) char *data, *buf; BIO *bio = BIO_new(BIO_s_mem()); + if (!bio) { + debug0("TLS: ssl_printnum(): BIO_new(): error"); + buf = nmalloc(1); + *buf = 0; + return buf; + } i2a_ASN1_INTEGER(bio, i); len = BIO_get_mem_data(bio, &data); if (len > 0) {
From 3b253173b2bb21fcd47984f40fdcd542376c9dca Mon Sep 17 00:00:00 2001
From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com>
Date: Mon, 10 Jun 2024 19:53:30 +0200
Subject: [PATCH 6/6] Cleanup
---
src/tls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tls.c b/src/tls.c
index 9e594f008..d3af0c6ea 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -926,9 +926,9 @@ int ssl_handshake(int sock, int flags, int verify, int loglevel, char *host, SSL_set_mode(td->socklist[i].ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); if (data->flags & TLS_CONNECT) { - struct timespec req = { 0, 1000000L }; SSL_set_verify(td->socklist[i].ssl, SSL_VERIFY_PEER, ssl_verify); /* Introduce 1ms lag so an unpatched hub has time to setup the ssl handshake */ + const struct timespec req = { 0, 1000000L }; nanosleep(&req, NULL); #ifdef SSL_set_tlsext_host_name if (*data->host)