[exim-cvs] OpenSSL: Enhance connect/accept-time debug

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] OpenSSL: Enhance connect/accept-time debug
Gitweb: https://git.exim.org/exim.git/commitdiff/0abc5a137c8a0824aa3740b2cca8da407303f4fb
Commit:     0abc5a137c8a0824aa3740b2cca8da407303f4fb
Parent:     11a5264b5b67a7f9e11edc188080c806d7c01422
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Oct 14 15:21:08 2018 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Oct 14 15:21:08 2018 +0100


    OpenSSL: Enhance connect/accept-time debug


    Also, use safer interface for error-strings.
---
 src/src/tls-openssl.c | 48 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 12 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 05dad2c..cda31f1 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -364,7 +364,7 @@ tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errst
{
if (!msg)
{
- ERR_error_string(ERR_get_error(), ssl_errstring);
+ ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
msg = US ssl_errstring;
}

@@ -408,7 +408,7 @@ if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
#endif

   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
     ssl_errstring);
   return NULL;
@@ -744,9 +744,33 @@ Returns:    nothing
 static void
 info_callback(SSL *s, int where, int ret)
 {
-where = where;
-ret = ret;
-DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
+DEBUG(D_tls)
+  {
+  const uschar * str;
+
+  if (where & SSL_ST_CONNECT)
+     str = "SSL_connect";
+  else if (where & SSL_ST_ACCEPT)
+     str = "SSL_accept";
+  else
+     str = "SSL info (undefined)";
+
+  if (where & SSL_CB_LOOP)
+     debug_printf("%s: %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_ALERT)
+    debug_printf("SSL3 alert %s:%s:%s\n",
+      str = where & SSL_CB_READ ? "read" : "write",
+      SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
+  else if (where & SSL_CB_EXIT)
+     if (ret == 0)
+    debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
+     else if (ret < 0)
+    debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_HANDSHAKE_START)
+     debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_HANDSHAKE_DONE)
+     debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
+  }
 }



@@ -1069,7 +1093,7 @@ if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
   {
   DEBUG(D_tls)
     {
-    ERR_error_string(ERR_get_error(), ssl_errstring);
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
     debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
     }
   goto bad;
@@ -1378,7 +1402,7 @@ if (!(server_sni = SSL_CTX_new(TLS_server_method())))
 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
 #endif
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
   return SSL_TLSEXT_ERR_NOACK;
   }
@@ -2722,7 +2746,7 @@ switch(error)


   /* Handle genuine errors */
   case SSL_ERROR_SSL:
-    ERR_error_string(ERR_get_error(), ssl_errstring);
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
     log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
     ssl_xfer_error = TRUE;
     return FALSE;
@@ -2905,7 +2929,7 @@ for (left = len; left > 0;)
   switch (error)
     {
     case SSL_ERROR_SSL:
-      ERR_error_string(ERR_get_error(), ssl_errstring);
+      ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
       log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
       return -1;


@@ -2978,7 +3002,7 @@ if (shutdown)

   if (rc < 0) DEBUG(D_tls)
     {
-    ERR_error_string(ERR_get_error(), ssl_errstring);
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
     debug_printf("SSL_shutdown: %s\n", ssl_errstring);
     }
   }
@@ -3050,7 +3074,7 @@ if (!(ctx = SSL_CTX_new(TLS_server_method())))
 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
 #endif
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
   }


@@ -3059,7 +3083,7 @@ DEBUG(D_tls)

 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
               expciphers, ssl_errstring);
   }