isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

If ERR_reason_error_string() returns NULL, fall back on strerror(errno).

Browse Source 
That way we get reasonable error messages for missing files, etc.
This commit is contained in:
Todd C. Miller
2022-05-17 09:18:03 -06:00
parent 3ba807b70f
commit d7df7abf87
6 changed files with 80 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
logsrvd/logsrvd.c
View File

@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -917,7 +917,8 @@ server_msg_cb(int fd, int what, void *v)
goto finished;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("%s: SSL_write: %s", closure->ipaddr, errstr);
sudo_warnx("%s: SSL_write: %s", closure->ipaddr,
errstr ? errstr : strerror(errno));
goto finished;
}
}
@@ -1027,7 +1028,8 @@ client_msg_cb(int fd, int what, void *v)
goto close_connection;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("%s: SSL_read: %s", closure->ipaddr, errstr);
sudo_warnx("%s: SSL_read: %s", closure->ipaddr,
errstr ? errstr : strerror(errno));
goto close_connection;
}
}
@@ -1331,7 +1333,8 @@ tls_handshake_cb(int fd, int what, void *v)
goto bad;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("%s: SSL_accept: %s", closure->ipaddr, errstr);
sudo_warnx("%s: SSL_accept: %s", closure->ipaddr,
errstr ? errstr : strerror(errno));
goto bad;
}
@@ -1397,13 +1400,15 @@ new_connection(int sock, bool tls, const struct sockaddr *sa,
/* Create the SSL object for the closure and attach it to the socket */
if ((closure->ssl = SSL_new(logsrvd_server_tls_ctx())) == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), "SSL_new", errstr);
sudo_warnx(U_("%s: %s"), "SSL_new",
errstr ? errstr : strerror(errno));
goto bad;
}
if (SSL_set_fd(closure->ssl, closure->sock) != 1) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), "SSL_set_fd", errstr);
sudo_warnx(U_("%s: %s"), "SSL_set_fd",
errstr ? errstr : strerror(errno));
goto bad;
}
@@ -1413,7 +1418,7 @@ new_connection(int sock, bool tls, const struct sockaddr *sa,
if (SSL_set_ex_data(closure->ssl, 1, closure) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
errstr);
errstr ? errstr : strerror(errno));
goto bad;
}

11
logsrvd/logsrvd_relay.c
View File

@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -763,7 +763,8 @@ relay_server_msg_cb(int fd, int what, void *v)
closure->errstr = _("error reading from relay");
}
sudo_warnx("%s: SSL_read: %s",
relay_closure->relay_name.ipaddr, errstr);
relay_closure->relay_name.ipaddr,
errstr ? errstr : strerror(errno));
goto send_error;
case SSL_ERROR_SYSCALL:
if (nread == 0) {
@@ -778,7 +779,8 @@ relay_server_msg_cb(int fd, int what, void *v)
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("%s: SSL_read: %s",
relay_closure->relay_name.ipaddr, errstr);
relay_closure->relay_name.ipaddr,
errstr ? errstr : strerror(errno));
closure->errstr = _("error reading from relay");
goto send_error;
}
@@ -957,7 +959,8 @@ relay_client_msg_cb(int fd, int what, void *v)
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("%s: SSL_write: %s",
relay_closure->relay_name.ipaddr, errstr);
relay_closure->relay_name.ipaddr,
errstr ? errstr : strerror(errno));
closure->errstr = _("error writing to relay");
goto send_error;
}

10
logsrvd/sendlog.c
View File

@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -1332,20 +1332,20 @@ server_msg_cb(int fd, int what, void *v)
#if !defined(HAVE_WOLFSSL)
if (closure->state == RECV_HELLO &&
ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
errstr = "host name does not match certificate";
errstr = U_("host name does not match certificate");
} else
#endif
{
errstr = ERR_reason_error_string(err);
}
sudo_warnx("%s", errstr);
sudo_warnx("%s", errstr ? errstr : strerror(errno));
goto bad;
case SSL_ERROR_SYSCALL:
sudo_warn("recv");
goto bad;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("recv: %s", errstr);
sudo_warnx("recv: %s", errstr ? errstr : strerror(errno));
goto bad;
}
}
@@ -1469,7 +1469,7 @@ client_msg_cb(int fd, int what, void *v)
goto bad;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("send: %s", errstr);
sudo_warnx("send: %s", errstr ? errstr : strerror(errno));
goto bad;
}
}

12
logsrvd/tls_client.c
View File

@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -153,7 +153,8 @@ tls_connect_cb(int sock, int what, void *v)
goto bad;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("TLS connection failed: %s"), errstr);
sudo_warnx(U_("TLS connection failed: %s"),
errstr ? errstr : strerror(errno));
goto bad;
}
}
@@ -187,21 +188,22 @@ tls_ctx_client_setup(SSL_CTX *ssl_ctx, int sock,
if ((closure->ssl = SSL_new(ssl_ctx)) == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to allocate ssl object: %s"), errstr);
sudo_warnx(U_("unable to allocate ssl object: %s"),
errstr ? errstr : strerror(errno));
goto done;
}
if (SSL_set_ex_data(closure->ssl, 1, closure->peer_name) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
errstr);
errstr ? errstr : strerror(errno));
goto done;
}
if (SSL_set_fd(closure->ssl, sock) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("Unable to attach socket to the ssl object: %s"),
errstr);
errstr ? errstr : strerror(errno));
goto done;
}

46
logsrvd/tls_init.c
View File

@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -63,19 +63,22 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
if ((x509 = SSL_CTX_get0_certificate(ctx)) == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("SSL_CTX_get0_certificate: %s", errstr);
sudo_warnx("SSL_CTX_get0_certificate: %s",
errstr ? errstr : strerror(errno));
goto done;
}
if ((store_ctx = X509_STORE_CTX_new()) == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("X509_STORE_CTX_new: %s", errstr);
sudo_warnx("X509_STORE_CTX_new: %s",
errstr ? errstr : strerror(errno));
goto done;
}
if (!SSL_CTX_get0_chain_certs(ctx, &chain_certs)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("SSL_CTX_get0_chain_certs: %s", errstr);
sudo_warnx("SSL_CTX_get0_chain_certs: %s",
errstr ? errstr : strerror(errno));
goto done;
}
@@ -86,7 +89,8 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
if (!X509_STORE_CTX_init(store_ctx, ca_store, x509, chain_certs)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("X509_STORE_CTX_init: %s", errstr);
sudo_warnx("X509_STORE_CTX_init: %s",
errstr ? errstr : strerror(errno));
goto done;
}
@@ -125,7 +129,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
} else {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"),
ciphers_v12, errstr);
ciphers_v12, errstr ? errstr : strerror(errno));
}
}
if (!success) {
@@ -133,7 +137,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
if (SSL_CTX_set_cipher_list(ctx, DEFAULT_CIPHER_LST12) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"),
DEFAULT_CIPHER_LST12, errstr);
DEFAULT_CIPHER_LST12, errstr ? errstr : strerror(errno));
debug_return_bool(false);
} else {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -153,7 +157,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
} else {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"),
ciphers_v13, errstr);
ciphers_v13, errstr ? errstr : strerror(errno));
}
}
if (!success) {
@@ -161,7 +165,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
if (SSL_CTX_set_ciphersuites(ctx, DEFAULT_CIPHER_LST13) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"),
DEFAULT_CIPHER_LST13, errstr);
DEFAULT_CIPHER_LST13, errstr ? errstr : strerror(errno));
debug_return_bool(false);
} else {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -193,7 +197,7 @@ set_dhparams_bio(SSL_CTX *ctx, BIO *bio)
if (!ret) {
const char *errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to set diffie-hellman parameters: %s"),
errstr);
errstr ? errstr : strerror(errno));
EVP_PKEY_free(dhparams);
}
}
@@ -214,7 +218,7 @@ set_dhparams_bio(SSL_CTX *ctx, BIO *bio)
if (!ret) {
const char *errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to set diffie-hellman parameters: %s"),
errstr);
errstr ? errstr : strerror(errno));
DH_free(dhparams);
}
}
@@ -269,14 +273,15 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
/* Create the ssl context and enforce TLS 1.2 or higher. */
if ((ctx = SSL_CTX_new(TLS_method())) == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to create TLS context: %s"), errstr);
sudo_warnx(U_("unable to create TLS context: %s"),
errstr ? errstr : strerror(errno));
goto bad;
}
#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("unable to set minimum protocol version to TLS 1.2: %s"),
errstr);
errstr ? errstr : strerror(errno));
goto bad;
}
#else
@@ -290,20 +295,23 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
if (cacerts == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), ca_bundle_file, errstr);
sudo_warnx(U_("%s: %s"), ca_bundle_file,
errstr ? errstr : strerror(errno));
goto bad;
}
SSL_CTX_set_client_CA_list(ctx, cacerts);
if (SSL_CTX_load_verify_locations(ctx, ca_bundle_file, NULL) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("SSL_CTX_load_verify_locations: %s", errstr);
sudo_warnx("SSL_CTX_load_verify_locations: %s",
errstr ? errstr : strerror(errno));
goto bad;
}
} else {
if (!SSL_CTX_set_default_verify_paths(ctx)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
sudo_warnx("SSL_CTX_set_default_verify_paths: %s",
errstr ? errstr : strerror(errno));
goto bad;
}
}
@@ -311,7 +319,8 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
if (cert_file != NULL) {
if (!SSL_CTX_use_certificate_chain_file(ctx, cert_file)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), cert_file, errstr);
sudo_warnx(U_("%s: %s"), cert_file,
errstr ? errstr : strerror(errno));
goto bad;
}
if (key_file == NULL) {
@@ -321,7 +330,8 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
if (!SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) ||
!SSL_CTX_check_private_key(ctx)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), key_file, errstr);
sudo_warnx(U_("%s: %s"), key_file,
errstr ? errstr : strerror(errno));
goto bad;
}

35
plugins/sudoers/log_client.c
View File

@@ -197,14 +197,16 @@ tls_init(struct client_closure *closure)
/* Create the ssl context and enforce TLS 1.2 or higher. */
if ((closure->ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("Creation of new SSL_CTX object failed: %s"), errstr);
sudo_warnx(U_("Creation of new SSL_CTX object failed: %s"),
errstr ? errstr : strerror(errno));
goto bad;
}
#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
if (!SSL_CTX_set_min_proto_version(closure->ssl_ctx, TLS1_2_VERSION)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to restrict min. protocol version: %s", errstr);
"unable to restrict min. protocol version: %s",
errstr ? errstr : strerror(errno));
goto bad;
}
#else
@@ -219,7 +221,7 @@ tls_init(struct client_closure *closure)
closure->log_details->ca_bundle, NULL) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), closure->log_details->ca_bundle,
errstr);
errstr ? errstr : strerror(errno));
sudo_warnx(U_("unable to load certificate authority bundle %s"),
closure->log_details->ca_bundle);
goto bad;
@@ -227,7 +229,8 @@ tls_init(struct client_closure *closure)
} else {
if (!SSL_CTX_set_default_verify_paths(closure->ssl_ctx)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
sudo_warnx("SSL_CTX_set_default_verify_paths: %s",
errstr ? errstr : strerror(errno));
goto bad;
}
}
@@ -239,7 +242,8 @@ tls_init(struct client_closure *closure)
if (!SSL_CTX_use_certificate_chain_file(closure->ssl_ctx,
closure->log_details->cert_file)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), closure->log_details->cert_file, errstr);
sudo_warnx(U_("%s: %s"), closure->log_details->cert_file,
errstr ? errstr : strerror(errno));
sudo_warnx(U_("unable to load certificate %s"),
closure->log_details->cert_file);
goto bad;
@@ -252,7 +256,8 @@ tls_init(struct client_closure *closure)
closure->log_details->key_file, SSL_FILETYPE_PEM) ||
!SSL_CTX_check_private_key(closure->ssl_ctx)) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("%s: %s"), closure->log_details->key_file, errstr);
sudo_warnx(U_("%s: %s"), closure->log_details->key_file,
errstr ? errstr : strerror(errno));
sudo_warnx(U_("unable to load private key %s"),
closure->log_details->key_file);
goto bad;
@@ -262,13 +267,14 @@ tls_init(struct client_closure *closure)
/* Create the SSL object and attach the closure. */
if ((closure->ssl = SSL_new(closure->ssl_ctx)) == NULL) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("Unable to allocate ssl object: %s"), errstr);
sudo_warnx(U_("Unable to allocate ssl object: %s"),
errstr ? errstr : strerror(errno));
goto bad;
}
if (SSL_set_ex_data(closure->ssl, 1, closure) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
errstr);
errstr ? errstr : strerror(errno));
goto bad;
}
@@ -356,7 +362,8 @@ tls_connect_cb(int sock, int what, void *v)
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx(U_("TLS connection to %s:%s failed: %s"),
closure->host, closure->port, errstr);
closure->host, closure->port,
errstr ? errstr : strerror(errno));
goto bad;
}
}
@@ -1755,13 +1762,13 @@ server_msg_cb(int fd, int what, void *v)
#if !defined(HAVE_WOLFSSL)
if (closure->state == RECV_HELLO &&
ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
errstr = "host name does not match certificate";
errstr = U_("host name does not match certificate");
} else
#endif
{
errstr = ERR_reason_error_string(err);
}
sudo_warnx("%s", errstr);
sudo_warnx("%s", errstr ? errstr : strerror(errno));
goto bad;
case SSL_ERROR_SYSCALL:
if (nread == 0)
@@ -1771,7 +1778,7 @@ server_msg_cb(int fd, int what, void *v)
goto bad;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("recv: %s", errstr);
sudo_warnx("recv: %s", errstr ? errstr : strerror(errno));
goto bad;
}
}
@@ -1899,14 +1906,14 @@ client_msg_cb(int fd, int what, void *v)
debug_return;
case SSL_ERROR_SSL:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("%s", errstr);
sudo_warnx("%s", errstr ? errstr : strerror(errno));
goto bad;
case SSL_ERROR_SYSCALL:
sudo_warn("send");
goto bad;
default:
errstr = ERR_reason_error_string(ERR_get_error());
sudo_warnx("send: %s", errstr);
sudo_warnx("send: %s", errstr ? errstr : strerror(errno));
goto bad;
}
}