From patchwork Fri Aug 11 12:15:03 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3315
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 11 Aug 2023 14:15:03 +0200
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
In-Reply-To: <20230707185811.30132-1-arne@rfc2549.org>
References: <20230707185811.30132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] show extra info for OpenSSL errors

This also shows the extra data from the OpenSSL error function that can
contain extra information.

For example, the command

    openvpn --providers vollbit

will print out (on macOS):

OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)

Patch v2: Format message more like current messages

Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80
Signed-off-by: Arne Schwabe
Acked-by: Selva Nair
--- src/openvpn/crypto_openssl.c | 21 +++++++++++++++++++-- src/openvpn/openssl_compat.h | 12 ++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index b043bb95e..22c6d6840 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -238,9 +238,16 @@ void crypto_print_openssl_errors(const unsigned int flags) { unsigned long err = 0; + int line, errflags; + const char *file, *data, *func; - while ((err = ERR_get_error())) + while ((err = ERR_get_error_all(&file, &line, &func, &data, &errflags)) != 0) { + if (!(errflags & ERR_TXT_STRING)) + { + data = ""; + } + /* Be more clear about frequently occurring "no shared cipher" error */ if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) { 
@@ -258,7 +265,17 @@ crypto_print_openssl_errors(const unsigned int flags) "tls-version-min 1.0 to the client configuration to use TLS 1.0+ " "instead of TLS 1.0 only"); } - msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL)); + + /* print file and line if verb >=8 */ + if (!check_debug_level(D_TLS_DEBUG_MED)) + { + msg(flags, "OpenSSL: %s:%s", ERR_error_string(err, NULL), data); + } + else + { + msg(flags, "OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL), + data, file, line, func); + } } } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index ffb64adf6..736ce1bd5 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -43,6 +43,7 @@ #include #include #include +#include /* Functionality missing in 1.1.0 */ #if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL) @@ -799,6 +800,17 @@ EVP_MD_free(const EVP_MD *md) /* OpenSSL 1.1.1 and lower use only const EVP_MD, nothing to free */ } +static inline unsigned long +ERR_get_error_all(const char **file, int *line, + const char **func, + const char **data, int *flags) +{ + static const char *empty = ""; + *func = empty; + long err = ERR_get_error_line_data(file, line, data, flags); + return err; +} + #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ #endif /* OPENSSL_COMPAT_H_ */
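
Review bot: In the first crypto_openssl.c hunk (@@ -238), the `if (!(errflags & ERR_TXT_STRING))` block resets `data` without a comment saying why; a one-line comment stating that `data` is only a printable string when that flag is set would make the purpose of the guard clear. It would also be more defensive to initialise `file`, `data` and `func` to "" and `line` to 0 at their declaration, since all of them are later passed to msg() and the code relies on ERR_get_error_all() (or the compat shim) having written every one of them.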
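
Review bot: In the second crypto_openssl.c hunk (@@ -258), the non-debug format `"OpenSSL: %s:%s"` prints a trailing colon whenever `data` is the empty string, which is the case for every error without ERR_TXT_STRING, so those log lines change shape and anything matching on the previous `OpenSSL: %s` output will see a different string. Consider appending the `:%s` part only when `data[0] != '\0'`. The comment `/* print file and line if verb >=8 */` sits directly above the negated branch that does not print them, so swapping the branches or rewording the comment would read more naturally. As the example in the commit message shows, the extra data can carry full local filesystem paths, and the non-debug branch now writes them at the normal `flags` level; that is worth a conscious decision and a mention in the change notes.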
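
Review bot: In the openssl_compat.h shim (@@ -799), `long err = ERR_get_error_line_data(file, line, data, flags);` stores the result in a signed `long` although the shim is declared to return `unsigned long` and the caller assigns it to `unsigned long err`; returning the call result directly (`return ERR_get_error_line_data(file, line, data, flags);`) avoids the signed round trip and the extra local. The `static const char *empty` can likewise be dropped in favour of `*func = "";`. A short comment saying that this fallback never provides a function name, so `func` is always empty in the verbose message when built under `OPENSSL_VERSION_NUMBER < 0x30000000L`, would document the difference in output between library versions.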