From patchwork Fri Jul 7 18:58:11 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3278
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 7 Jul 2023 20:58:11 +0200
Message-Id: <20230707185811.30132-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] show extra info for OpenSSL errors

This also shows the extra data from the OpenSSL error function that can contain extra information.
For example, the command openvpn --providers vollbit will print out (on macOS):

OpenSSLerror:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)

Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80
Signed-off-by: Arne Schwabe
---
 src/openvpn/crypto_openssl.c | 20 ++++++++++++++++++--
 src/openvpn/openssl_compat.h | 12 ++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index b043bb95e..d6916fc9b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -238,9 +238,16 @@ void crypto_print_openssl_errors(const unsigned int flags) { unsigned long err = 0; + int line, errflags; + const char *file, *data, *func; - while ((err = ERR_get_error())) + while ((err = ERR_get_error_all(&file, &line, &func, &data, &errflags)) != 0) { + if (!(errflags & ERR_TXT_STRING)) + { + data = ""; + } + /* Be more clear about frequently occurring "no shared cipher" error */ if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) {
@@ -258,7 +265,16 @@ crypto_print_openssl_errors(const unsigned int flags) "tls-version-min 1.0 to the client configuration to use TLS 1.0+ " "instead of TLS 1.0 only"); } - msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL)); + + /* print file and line if verb >=8 */ + if (!check_debug_level(D_TLS_DEBUG_MED)) + { + msg(flags, "OpenSSL%s:%s", ERR_error_string(err, NULL), data); + } + else + { + msg(flags, "OpenSSL (%s:%d %s): %s:%s", file, line, func, ERR_error_string(err, NULL), data); + } } } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index ffb64adf6..736ce1bd5 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -43,6 +43,7 @@ #include #include #include +#include /* Functionality missing in 1.1.0 */ #if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL) @@ -799,6 +800,17 @@ EVP_MD_free(const EVP_MD *md) /* OpenSSL 1.1.1 and lower use only const EVP_MD, nothing to free */ } +static inline unsigned long +ERR_get_error_all(const char **file, int *line, + const char **func, + const char **data, int *flags) +{ + static const char *empty = ""; + *func = empty; + long err = ERR_get_error_line_data(file, line, data, flags); + return err; +} + #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ #endif /* OPENSSL_COMPAT_H_ */
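Review bot: in the second crypto_openssl.c hunk (@@ -258,7 +265,16 @@) the new format string `"OpenSSL%s:%s"` dropped the `": "` separator that the removed `"OpenSSL: %s"` line had, so the log now reads `OpenSSLerror:12800067:...` (the commit message's own sample output shows exactly this), and when `data` is empty the message ends in a dangling colon. Suggest keeping the original prefix and appending the extra text only when present, e.g. `msg(flags, "OpenSSL: %s%s%s", ERR_error_string(err, NULL), *data ? ": " : "", data);`, and the same treatment for the verbose branch so the `file:line func` prefix and the error text stay readable.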
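Review bot: the openssl_compat.h shim (@@ -799,6 +800,17 @@) dereferences `func` unconditionally with `*func = empty;`, while the OpenSSL 3 `ERR_get_error_all()` it stands in for accepts NULL for any of its output parameters; a future caller passing NULL would then crash only on pre-3.0 builds, so guard it with `if (func) { *func = empty; }`. Also `long err = ERR_get_error_line_data(...)` narrows an `unsigned long` return value into a `long` and back again; declare it `unsigned long` or just `return ERR_get_error_line_data(file, line, data, flags);`.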