From d7df7abf875b1427c77f609e4a809032324ede2a Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 17 May 2022 09:18:03 -0600
Subject: [PATCH] If ERR_reason_error_string() returns NULL, fall back on strerror(errno).

That way we get reasonable error messages for missing files, etc.
---
 logsrvd/logsrvd.c | 19 +++++++++------
 logsrvd/logsrvd_relay.c | 11 +++++----
 logsrvd/sendlog.c | 10 ++++----
 logsrvd/tls_client.c | 12 ++++++----
 logsrvd/tls_init.c | 46 ++++++++++++++++++++++--------------
 plugins/sudoers/log_client.c | 35 ++++++++++++++++-----------
 6 files changed, 80 insertions(+), 53 deletions(-)

diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c
index 5a412e50b..097a4aa36 100644
--- a/logsrvd/logsrvd.c
+++ b/logsrvd/logsrvd.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller
+ * Copyright (c) 2019-2022 Todd C. Miller
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -917,7 +917,8 @@ server_msg_cb(int fd, int what, void *v)
 goto finished;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("%s: SSL_write: %s", closure->ipaddr, errstr);
+ sudo_warnx("%s: SSL_write: %s", closure->ipaddr,
+ errstr ? errstr : strerror(errno));
 goto finished;
 }
 }
@@ -1027,7 +1028,8 @@ client_msg_cb(int fd, int what, void *v)
 goto close_connection;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("%s: SSL_read: %s", closure->ipaddr, errstr);
+ sudo_warnx("%s: SSL_read: %s", closure->ipaddr,
+ errstr ? errstr : strerror(errno));
 goto close_connection;
 }
 }
@@ -1331,7 +1333,8 @@ tls_handshake_cb(int fd, int what, void *v)
 goto bad;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("%s: SSL_accept: %s", closure->ipaddr, errstr);
+ sudo_warnx("%s: SSL_accept: %s", closure->ipaddr,
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 
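Review bot: `strerror(errno)` is only a meaningful fallback when errno was set by the failing call, and in the `default:` branch of the SSL_write switch in server_msg_cb (and the SSL_read and SSL_accept branches in the two hunks below it) the error class is not SSL_ERROR_SYSCALL, so errno may be 0 or stale and the log line can come out as something like `SSL_write: Success`. Checking errno before using it, e.g. `errstr ? errstr : (errno ? strerror(errno) : U_("unknown error"))`, would avoid printing a misleading reason. The same `errstr ? errstr : strerror(errno)` expression is repeated in every hunk of this patch (logsrvd_relay.c, sendlog.c, tls_client.c, tls_init.c, log_client.c), so a small shared helper that captures the error code and errno in one place would keep the policy consistent. I believe OpenSSL 3 reports file-open failures as system errors whose errno is encoded in the code returned by ERR_get_error() (recoverable with ERR_GET_REASON), so saving that code before calling ERR_reason_error_string() would be a more reliable source than the process errno — worth confirming against the OpenSSL version in use. server_msg_cb starts and continues outside the hunk.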
@@ -1397,13 +1400,15 @@ new_connection(int sock, bool tls, const struct sockaddr *sa,
 /* Create the SSL object for the closure and attach it to the socket */
 if ((closure->ssl = SSL_new(logsrvd_server_tls_ctx())) == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("%s: %s"), "SSL_new", errstr);
+ sudo_warnx(U_("%s: %s"), "SSL_new",
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 
 if (SSL_set_fd(closure->ssl, closure->sock) != 1) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("%s: %s"), "SSL_set_fd", errstr);
+ sudo_warnx(U_("%s: %s"), "SSL_set_fd",
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 
@@ -1413,7 +1418,7 @@ new_connection(int sock, bool tls, const struct sockaddr *sa,
 if (SSL_set_ex_data(closure->ssl, 1, closure) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
- errstr);
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 
diff --git a/logsrvd/logsrvd_relay.c b/logsrvd/logsrvd_relay.c
index abba74e84..77695d2b2 100644
--- a/logsrvd/logsrvd_relay.c
+++ b/logsrvd/logsrvd_relay.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller
+ * Copyright (c) 2019-2022 Todd C. Miller
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -763,7 +763,8 @@ relay_server_msg_cb(int fd, int what, void *v)
 closure->errstr = _("error reading from relay");
 }
 sudo_warnx("%s: SSL_read: %s",
- relay_closure->relay_name.ipaddr, errstr);
+ relay_closure->relay_name.ipaddr,
+ errstr ? errstr : strerror(errno));
 goto send_error;
 case SSL_ERROR_SYSCALL:
 if (nread == 0) {
@@ -778,7 +779,8 @@ relay_server_msg_cb(int fd, int what, void *v)
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx("%s: SSL_read: %s",
- relay_closure->relay_name.ipaddr, errstr);
+ relay_closure->relay_name.ipaddr,
+ errstr ? errstr : strerror(errno));
 closure->errstr = _("error reading from relay");
 goto send_error;
 }
@@ -957,7 +959,8 @@ relay_client_msg_cb(int fd, int what, void *v)
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx("%s: SSL_write: %s",
- relay_closure->relay_name.ipaddr, errstr);
+ relay_closure->relay_name.ipaddr,
+ errstr ? errstr : strerror(errno));
 closure->errstr = _("error writing to relay");
 goto send_error;
 }
diff --git a/logsrvd/sendlog.c b/logsrvd/sendlog.c
index f0710563b..eaed31331 100644
--- a/logsrvd/sendlog.c
+++ b/logsrvd/sendlog.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller
+ * Copyright (c) 2019-2022 Todd C. Miller
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1332,20 +1332,20 @@ server_msg_cb(int fd, int what, void *v)
 #if !defined(HAVE_WOLFSSL)
 if (closure->state == RECV_HELLO &&
 ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
- errstr = "host name does not match certificate";
+ errstr = U_("host name does not match certificate");
 } else
 #endif
 {
 errstr = ERR_reason_error_string(err);
 }
- sudo_warnx("%s", errstr);
+ sudo_warnx("%s", errstr ? errstr : strerror(errno));
 goto bad;
 case SSL_ERROR_SYSCALL:
 sudo_warn("recv");
 goto bad;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("recv: %s", errstr);
+ sudo_warnx("recv: %s", errstr ? errstr : strerror(errno));
 goto bad;
 }
 }
@@ -1469,7 +1469,7 @@ client_msg_cb(int fd, int what, void *v)
 goto bad;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("send: %s", errstr);
+ sudo_warnx("send: %s", errstr ? errstr : strerror(errno));
 goto bad;
 }
 }
diff --git a/logsrvd/tls_client.c b/logsrvd/tls_client.c
index 210ff8b26..9be07fd2a 100644
--- a/logsrvd/tls_client.c
+++ b/logsrvd/tls_client.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller
+ * Copyright (c) 2019-2022 Todd C. Miller
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -153,7 +153,8 @@ tls_connect_cb(int sock, int what, void *v)
 goto bad;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("TLS connection failed: %s"), errstr);
+ sudo_warnx(U_("TLS connection failed: %s"),
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 }
@@ -187,21 +188,22 @@ tls_ctx_client_setup(SSL_CTX *ssl_ctx, int sock,
 
 if ((closure->ssl = SSL_new(ssl_ctx)) == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("unable to allocate ssl object: %s"), errstr);
+ sudo_warnx(U_("unable to allocate ssl object: %s"),
+ errstr ? errstr : strerror(errno));
 goto done;
 }
 
 if (SSL_set_ex_data(closure->ssl, 1, closure->peer_name) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
- errstr);
+ errstr ? errstr : strerror(errno));
 goto done;
 }
 
 if (SSL_set_fd(closure->ssl, sock) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("Unable to attach socket to the ssl object: %s"),
- errstr);
+ errstr ? errstr : strerror(errno));
 goto done;
 }
 
diff --git a/logsrvd/tls_init.c b/logsrvd/tls_init.c
index 55e54520a..a13d04fed 100644
--- a/logsrvd/tls_init.c
+++ b/logsrvd/tls_init.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller
+ * Copyright (c) 2019-2022 Todd C. Miller
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -63,19 +63,22 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
 
 if ((x509 = SSL_CTX_get0_certificate(ctx)) == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("SSL_CTX_get0_certificate: %s", errstr);
+ sudo_warnx("SSL_CTX_get0_certificate: %s",
+ errstr ? errstr : strerror(errno));
 goto done;
 }
 
 if ((store_ctx = X509_STORE_CTX_new()) == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("X509_STORE_CTX_new: %s", errstr);
+ sudo_warnx("X509_STORE_CTX_new: %s",
+ errstr ? errstr : strerror(errno));
 goto done;
 }
 
 if (!SSL_CTX_get0_chain_certs(ctx, &chain_certs)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("SSL_CTX_get0_chain_certs: %s", errstr);
+ sudo_warnx("SSL_CTX_get0_chain_certs: %s",
+ errstr ? errstr : strerror(errno));
 goto done;
 }
 
@@ -86,7 +89,8 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
 
 if (!X509_STORE_CTX_init(store_ctx, ca_store, x509, chain_certs)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("X509_STORE_CTX_init: %s", errstr);
+ sudo_warnx("X509_STORE_CTX_init: %s",
+ errstr ? errstr : strerror(errno));
 goto done;
 }
 
@@ -125,7 +129,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
 } else {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"),
- ciphers_v12, errstr);
+ ciphers_v12, errstr ? errstr : strerror(errno));
 }
 }
 if (!success) {
@@ -133,7 +137,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
 if (SSL_CTX_set_cipher_list(ctx, DEFAULT_CIPHER_LST12) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"),
- DEFAULT_CIPHER_LST12, errstr);
+ DEFAULT_CIPHER_LST12, errstr ? errstr : strerror(errno));
 debug_return_bool(false);
 } else {
 sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -153,7 +157,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
 } else {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"),
- ciphers_v13, errstr);
+ ciphers_v13, errstr ? errstr : strerror(errno));
 }
 }
 if (!success) {
@@ -161,7 +165,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
 if (SSL_CTX_set_ciphersuites(ctx, DEFAULT_CIPHER_LST13) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"),
- DEFAULT_CIPHER_LST13, errstr);
+ DEFAULT_CIPHER_LST13, errstr ? errstr : strerror(errno));
 debug_return_bool(false);
 } else {
 sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -193,7 +197,7 @@ set_dhparams_bio(SSL_CTX *ctx, BIO *bio)
 if (!ret) {
 const char *errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("unable to set diffie-hellman parameters: %s"),
- errstr);
+ errstr ? errstr : strerror(errno));
 EVP_PKEY_free(dhparams);
 }
 }
@@ -214,7 +218,7 @@ set_dhparams_bio(SSL_CTX *ctx, BIO *bio)
 if (!ret) {
 const char *errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("unable to set diffie-hellman parameters: %s"),
- errstr);
+ errstr ? errstr : strerror(errno));
 DH_free(dhparams);
 }
 }
@@ -269,14 +273,15 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
 /* Create the ssl context and enforce TLS 1.2 or higher. */
 if ((ctx = SSL_CTX_new(TLS_method())) == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("unable to create TLS context: %s"), errstr);
+ sudo_warnx(U_("unable to create TLS context: %s"),
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
 if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("unable to set minimum protocol version to TLS 1.2: %s"),
- errstr);
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 #else
@@ -290,20 +295,23 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
 
 if (cacerts == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("%s: %s"), ca_bundle_file, errstr);
+ sudo_warnx(U_("%s: %s"), ca_bundle_file,
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 SSL_CTX_set_client_CA_list(ctx, cacerts);
 
 if (SSL_CTX_load_verify_locations(ctx, ca_bundle_file, NULL) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("SSL_CTX_load_verify_locations: %s", errstr);
+ sudo_warnx("SSL_CTX_load_verify_locations: %s",
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 } else {
 if (!SSL_CTX_set_default_verify_paths(ctx)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
+ sudo_warnx("SSL_CTX_set_default_verify_paths: %s",
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 }
@@ -311,7 +319,8 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
 if (cert_file != NULL) {
 if (!SSL_CTX_use_certificate_chain_file(ctx, cert_file)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("%s: %s"), cert_file, errstr);
+ sudo_warnx(U_("%s: %s"), cert_file,
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 if (key_file == NULL) {
@@ -321,7 +330,8 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
 if (!SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) ||
 !SSL_CTX_check_private_key(ctx)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("%s: %s"), key_file, errstr);
+ sudo_warnx(U_("%s: %s"), key_file,
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 
diff --git a/plugins/sudoers/log_client.c b/plugins/sudoers/log_client.c
index 0d9c6c0d7..024f7a5fe 100644
--- a/plugins/sudoers/log_client.c
+++ b/plugins/sudoers/log_client.c
@@ -197,14 +197,16 @@ tls_init(struct client_closure *closure)
 /* Create the ssl context and enforce TLS 1.2 or higher. */
 if ((closure->ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("Creation of new SSL_CTX object failed: %s"), errstr);
+ sudo_warnx(U_("Creation of new SSL_CTX object failed: %s"),
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
 if (!SSL_CTX_set_min_proto_version(closure->ssl_ctx, TLS1_2_VERSION)) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "unable to restrict min. protocol version: %s", errstr);
+ "unable to restrict min. protocol version: %s",
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 #else
@@ -219,7 +221,7 @@ tls_init(struct client_closure *closure)
 closure->log_details->ca_bundle, NULL) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("%s: %s"), closure->log_details->ca_bundle,
- errstr);
+ errstr ? errstr : strerror(errno));
 sudo_warnx(U_("unable to load certificate authority bundle %s"),
 closure->log_details->ca_bundle);
 goto bad;
@@ -227,7 +229,8 @@ tls_init(struct client_closure *closure)
 } else {
 if (!SSL_CTX_set_default_verify_paths(closure->ssl_ctx)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
+ sudo_warnx("SSL_CTX_set_default_verify_paths: %s",
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 }
@@ -239,7 +242,8 @@ tls_init(struct client_closure *closure)
 if (!SSL_CTX_use_certificate_chain_file(closure->ssl_ctx,
 closure->log_details->cert_file)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("%s: %s"), closure->log_details->cert_file, errstr);
+ sudo_warnx(U_("%s: %s"), closure->log_details->cert_file,
+ errstr ? errstr : strerror(errno));
 sudo_warnx(U_("unable to load certificate %s"),
 closure->log_details->cert_file);
 goto bad;
@@ -252,7 +256,8 @@ tls_init(struct client_closure *closure)
 closure->log_details->key_file, SSL_FILETYPE_PEM) ||
 !SSL_CTX_check_private_key(closure->ssl_ctx)) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("%s: %s"), closure->log_details->key_file, errstr);
+ sudo_warnx(U_("%s: %s"), closure->log_details->key_file,
+ errstr ? errstr : strerror(errno));
 sudo_warnx(U_("unable to load private key %s"),
 closure->log_details->key_file);
 goto bad;
@@ -262,13 +267,14 @@ tls_init(struct client_closure *closure)
 /* Create the SSL object and attach the closure. */
 if ((closure->ssl = SSL_new(closure->ssl_ctx)) == NULL) {
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx(U_("Unable to allocate ssl object: %s"), errstr);
+ sudo_warnx(U_("Unable to allocate ssl object: %s"),
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 if (SSL_set_ex_data(closure->ssl, 1, closure) <= 0) {
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
- errstr);
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 
@@ -356,7 +362,8 @@ tls_connect_cb(int sock, int what, void *v)
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
 sudo_warnx(U_("TLS connection to %s:%s failed: %s"),
- closure->host, closure->port, errstr);
+ closure->host, closure->port,
+ errstr ? errstr : strerror(errno));
 goto bad;
 }
 }
@@ -1755,13 +1762,13 @@ server_msg_cb(int fd, int what, void *v)
 #if !defined(HAVE_WOLFSSL)
 if (closure->state == RECV_HELLO &&
 ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
- errstr = "host name does not match certificate";
+ errstr = U_("host name does not match certificate");
 } else
 #endif
 {
 errstr = ERR_reason_error_string(err);
 }
- sudo_warnx("%s", errstr);
+ sudo_warnx("%s", errstr ? errstr : strerror(errno));
 goto bad;
 case SSL_ERROR_SYSCALL:
 if (nread == 0)
@@ -1771,7 +1778,7 @@ server_msg_cb(int fd, int what, void *v)
 goto bad;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("recv: %s", errstr);
+ sudo_warnx("recv: %s", errstr ? errstr : strerror(errno));
 goto bad;
 }
 }
@@ -1899,14 +1906,14 @@ client_msg_cb(int fd, int what, void *v)
 debug_return;
 case SSL_ERROR_SSL:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("%s", errstr);
+ sudo_warnx("%s", errstr ? errstr : strerror(errno));
 goto bad;
 case SSL_ERROR_SYSCALL:
 sudo_warn("send");
 goto bad;
 default:
 errstr = ERR_reason_error_string(ERR_get_error());
- sudo_warnx("send: %s", errstr);
+ sudo_warnx("send: %s", errstr ? errstr : strerror(errno));
 goto bad;
 }
 }