Module: kamailio Branch: master Commit: e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60 URL: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2021-11-22T09:01:09+01:00
tls: try to print sni on tls error
---
Modified: src/modules/tls/tls_server.c Modified: src/modules/tls/tls_util.h
---
Diff: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16... Patch: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16...
---
diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index f75b111168..7004096adf 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -285,7 +285,7 @@ static int tls_complete_init(struct tcp_connection* c)
 data->state = state;
if (unlikely(data->ssl == 0 || data->rwbio == 0)) {
- TLS_ERR("Failed to create SSL or BIO structure:");
+ TLS_ERR_SSL("Failed to create SSL or BIO structure:", data->ssl);
 if (data->ssl)
 SSL_free(data->ssl);
 if (data->rwbio)
@@ -446,7 +446,7 @@ EVP_PKEY * tls_lookup_private_key(SSL_CTX*);
 int tls_accept(struct tcp_connection *c, int* error)
 {
 int ret;
- SSL *ssl;
+ SSL *ssl = NULL;
 X509* cert;
 struct tls_extra_data* tls_c;
 int tls_log;
@@ -792,7 +792,7 @@ int tls_h_encode_f(struct tcp_connection *c,
 snd_flags_t* send_flags)
 {
 int n, offs;
- SSL* ssl;
+ SSL* ssl = NULL;
 struct tls_extra_data* tls_c;
 static unsigned char wr_buf[TLS_WR_MBUF_SZ];
 struct tls_mbuf rd, wr;
@@ -929,7 +929,7 @@ int tls_h_encode_f(struct tcp_connection *c,
 case SSL_ERROR_SSL:
 /* protocol level error */
 ERR("protocol level error\n");
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
 memset(ip_buf, 0, sizeof(buf));
 ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
 ERR("source IP: %s\n", ip_buf);
@@ -970,7 +970,7 @@ int tls_h_encode_f(struct tcp_connection *c,
 }
 goto error;
 default:
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
 BUG("unexpected SSL error %d\n", ssl_error);
 goto bug;
 }
@@ -1053,6 +1053,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
 int x;
 int tls_dbg;
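Review bot: The `memset(ip_buf, 0, sizeof(buf));` two lines below the new TLS_ERR_SSL call in the tls_h_encode_f hunk at line 929 clears ip_buf with the size of a different object, while the matching hunk in tls_h_read_f at line 1327 uses `sizeof(ip_buf)`; if buf is larger than ip_buf this writes past the buffer, and if buf is a pointer it clears only a handful of bytes, so either way `memset(ip_buf, 0, sizeof(ip_buf));` looks like the intended line. The declarations of buf and ip_buf are outside the hunk, so this is inferred from the two sibling hunks rather than seen. The commit does not touch that line, but it is worth fixing while the error path is being reworked.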
+ ssl = NULL;
 TLS_RD_TRACE("(%p, %p (%d)) start (%s -> %s:%d*)\n", c, flags, *flags, su2a(&c->rcv.src_su, sizeof(c->rcv.src_su)),
@@ -1327,7 +1328,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
 case SSL_ERROR_SSL:
 /* protocol level error */
 ERR("protocol level error\n");
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
 memset(ip_buf, 0, sizeof(ip_buf));
 ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
 ERR("src addr: %s:%d\n", ip_buf, c->rcv.src_port);
@@ -1368,7 +1369,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
 }
 goto error;
 default:
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
 BUG("unexpected SSL error %d\n", ssl_error);
 goto bug;
 }
diff --git a/src/modules/tls/tls_util.h b/src/modules/tls/tls_util.h
index 8ff63dd0f1..86e036cce9 100644
--- a/src/modules/tls/tls_util.h
+++ b/src/modules/tls/tls_util.h
@@ -26,20 +26,29 @@
 #ifndef _TLS_UTIL_H
 #define _TLS_UTIL_H
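Review bot: The `ssl = NULL;` added after the declarations in tls_h_read_f initialises the variable as a detached statement, whereas the same commit writes `SSL* ssl = NULL;` at the declaration in tls_accept and tls_h_encode_f; unless the declaration of ssl in tls_h_read_f, which is outside this hunk, cannot take an initializer, putting the NULL on the declaration would keep the three functions consistent and leaves no window in which the later TLS_ERR_SSL(err_src, ssl) calls could see an unset pointer. The function starts and ends outside the hunk.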
+#include <openssl/ssl.h>
 #include <openssl/err.h>
 #include "../../core/dprint.h"
 #include "../../core/str.h"
 #include "tls_domain.h"
-static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
+static inline int tls_err_ret(char *s, SSL* ssl,
+ tls_domains_cfg_t **tls_domains_cfg)
+{
 long err;
 int ret = 0;
+ const char *sn = NULL;
+
 if ((*tls_domains_cfg)->srv_default->ctx && (*tls_domains_cfg)->srv_default->ctx[0]) {
+ if(ssl) {
+ sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+ }
 while((err = ERR_get_error())) {
 ret = 1;
- ERR("%s%s\n", s ? s : "", ERR_error_string(err, 0));
+ ERR("%s%s (sni: %s)\n", s ? s : "", ERR_error_string(err, 0),
+ (sn) ? sn : "unknown");
 }
 }
 return ret;
@@ -47,15 +56,19 @@ static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
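Review bot: The name returned by SSL_get_servername() in tls_err_ret is supplied by the remote peer in its ClientHello and is handed straight to ERR() through `%s`, so a peer that deliberately fails the handshake can put line breaks or control characters into the very log line an operator reads to diagnose it; as far as I can tell OpenSSL rejects only an embedded NUL in that extension, nothing else. Copying the name into a small local buffer with non-printable bytes masked before formatting, as below, keeps the message useful without trusting the peer's bytes and also caps the line length. A second, cosmetic point: every TLS_ERR and TLS_ERR_RET caller now passes NULL, so all of their messages gain a constant `(sni: unknown)` suffix; printing the suffix only when sn is non-NULL would leave those messages as they were. The function's closing brace lies in the next hunk.
```c
	const char *sn = NULL;
	char snbuf[128];
	/* … unchanged: err/ret declarations, srv_default->ctx check … */
		if(ssl) {
			sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
			if(sn) {
				/* peer-supplied: bounded copy, non-printable bytes masked */
				size_t i;
				for(i = 0; sn[i] != '\0' && i < sizeof(snbuf) - 1; i++) {
					snbuf[i] = (sn[i] >= 0x20 && sn[i] < 0x7f) ? sn[i] : '?';
				}
				snbuf[i] = '\0';
				sn = snbuf;
			}
		}
		/* … unchanged: ERR_get_error() loop … */
```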
#define TLS_ERR_RET(r, s) \
 do { \
- (r) = tls_err_ret((s), tls_domains_cfg); \
+ (r) = tls_err_ret((s), NULL, tls_domains_cfg); \
 } while(0)
#define TLS_ERR(s) \
 do { \
- tls_err_ret((s), tls_domains_cfg); \
+ tls_err_ret((s), NULL, tls_domains_cfg); \
 } while(0)
+#define TLS_ERR_SSL(s, ssl) \
+do { \
+ tls_err_ret((s), (ssl), tls_domains_cfg); \
+} while(0)
/*
 * Make a shared memory copy of ASCII zero terminated string