diff options
| author | Arne Schwabe | 2023-08-11 14:15:03 +0200 |
|---|---|---|
| committer | Gert Doering | 2023-08-11 20:22:20 +0200 |
| commit | 101499a43d222dcefbf5c6fc6f8b71a4f5d1f533 (patch) | |
| tree | 23014c74274bd223201c8c1093f90faefc914311 | |
| parent | 09e2360a163077001fd33f2f338cf337b45b9ab6 (diff) | |
| download | openvpn-101499a43d222dcefbf5c6fc6f8b71a4f5d1f533.zip openvpn-101499a43d222dcefbf5c6fc6f8b71a4f5d1f533.tar.gz | |
show extra info for OpenSSL errors
This also shows the extra data from the OpenSSL error function that
can contain extra information. For example, the command
openvpn --providers vollbit
will print out (on macOS):
OpenSSL: error:12800067:DSO support routines::could not load the shared library:filename(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib): dlopen(/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib, 0x0002): tried: '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file), '/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules/vollbit.dylib' (no such file)
Patch v2: Format message more like current messages
Change-Id: Ic2ee89937dcd85721bcacd1b700a20c640364f80
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230811121503.4159089-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26929.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0f8485f2870277fb7ccdb4097380e35dc35b064e)
| -rw-r--r-- | src/openvpn/crypto_openssl.c | 21 | ||||
| -rw-r--r-- | src/openvpn/openssl_compat.h | 12 |
2 files changed, 31 insertions, 2 deletions
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index f5372f8..739cf4c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -240,9 +240,16 @@ void crypto_print_openssl_errors(const unsigned int flags) { unsigned long err = 0; + int line, errflags; + const char *file, *data, *func; - while ((err = ERR_get_error())) + while ((err = ERR_get_error_all(&file, &line, &func, &data, &errflags)) != 0) { + if (!(errflags & ERR_TXT_STRING)) + { + data = ""; + } + /* Be more clear about frequently occurring "no shared cipher" error */ if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) { @@ -260,7 +267,17 @@ crypto_print_openssl_errors(const unsigned int flags) "tls-version-min 1.0 to the client configuration to use TLS 1.0+ " "instead of TLS 1.0 only"); } - msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL)); + + /* print file and line if verb >=8 */ + if (!check_debug_level(D_TLS_DEBUG_MED)) + { + msg(flags, "OpenSSL: %s:%s", ERR_error_string(err, NULL), data); + } + else + { + msg(flags, "OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL), + data, file, line, func); + } } } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 56b1dcf..dd054ce 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -45,6 +45,7 @@ #include <openssl/rsa.h> #include <openssl/ssl.h> #include <openssl/x509.h> +#include <openssl/err.h> /* Functionality missing in 1.1.0 */ #if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL) @@ -801,6 +802,17 @@ EVP_MD_free(const EVP_MD *md) /* OpenSSL 1.1.1 and lower use only const EVP_MD, nothing to free */ } +static inline unsigned long +ERR_get_error_all(const char **file, int *line, + const char **func, + const char **data, int *flags) +{ + static const char *empty = ""; + *func = empty; + unsigned long err = ERR_get_error_line_data(file, line, data, flags); + return err; +} + #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ #endif /* OPENSSL_COMPAT_H_ */ |