From 57bdd8a488d544282dcc71e6a23987ded71ac64d Mon Sep 17 00:00:00 2001
From: Benjamin Fogle <benfogle@gmail.com>
Date: Thu, 17 Nov 2022 09:52:50 -0500
Subject: [PATCH] resolved: Fix OpenSSL error messages
ac3a84
(cherry picked from commit f4a49d1c58578cb8d759dc6266a23d1acabdc38f)
ac3a84
Related: #2138081
---
 src/resolve/resolved-dnstls-openssl.c | 65 +++++++++++----------------
 1 file changed, 26 insertions(+), 39 deletions(-)
ac3a84
diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
ac3a84
index 4d3a88c8da..4a0132ad3d 100644
ac3a84
--- a/src/resolve/resolved-dnstls-openssl.c
ac3a84
+++ b/src/resolve/resolved-dnstls-openssl.c
ac3a84
@@ -14,6 +14,19 @@
ac3a84
 #include "resolved-dnstls.h"
ac3a84
 #include "resolved-manager.h"
ac3a84
 
ac3a84
+static char *dnstls_error_string(int ssl_error, char *buf, size_t count) {
ac3a84
+        assert(buf || count == 0);
ac3a84
+        if (ssl_error == SSL_ERROR_SSL)
ac3a84
+                ERR_error_string_n(ERR_get_error(), buf, count);
ac3a84
+        else
ac3a84
+                snprintf(buf, count, "SSL_get_error()=%d", ssl_error);
ac3a84
+        return buf;
ac3a84
+}
ac3a84
+
ac3a84
+#define DNSTLS_ERROR_BUFSIZE 256
ac3a84
+#define DNSTLS_ERROR_STRING(error) \
ac3a84
+        dnstls_error_string((error), (char[DNSTLS_ERROR_BUFSIZE]){}, DNSTLS_ERROR_BUFSIZE)
ac3a84
+
ac3a84
 static int dnstls_flush_write_buffer(DnsStream *stream) {
ac3a84
         ssize_t ss;
ac3a84
 
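Review bot: `dnstls_error_string()` pops exactly one entry from the thread's OpenSSL error queue in the SSL_ERROR_SSL branch, so any further entries pushed by the failing operation stay queued after the message is logged; OpenSSL documents that SSL_get_error() is only reliable when the queue was empty before the I/O call, so a leftover entry can make a later SSL_read()/SSL_write() on another stream be misreported as SSL_ERROR_SSL. Adding `ERR_clear_error();` right after the `ERR_error_string_n()` call would drain the queue at the one place where the message is formatted, instead of relying on each caller to do it. The other branch reduces SSL_ERROR_SYSCALL to `SSL_get_error()=5` and carries no errno, so callers that need the socket error still have to log `%m` themselves, as the SSL_shutdown paths already do. The helper would benefit from a short header comment such as `/* Formats the most recent OpenSSL queue entry (ssl_error == SSL_ERROR_SSL) or the raw SSL_get_error() code into buf; only meaningful immediately after the failing call. */`.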
ac3a84
@@ -97,26 +110,18 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
ac3a84
 
ac3a84
         if (server->server_name) {
ac3a84
                 r = SSL_set_tlsext_host_name(s, server->server_name);
ac3a84
-                if (r <= 0) {
ac3a84
-                        char errbuf[256];
ac3a84
-
ac3a84
-                        error = ERR_get_error();
ac3a84
-                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
ac3a84
-                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", errbuf);
ac3a84
-                }
ac3a84
+                if (r <= 0)
ac3a84
+                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
ac3a84
+                                               "Failed to set server name: %s", DNSTLS_ERROR_STRING(SSL_ERROR_SSL));
ac3a84
         }
ac3a84
 
ac3a84
         ERR_clear_error();
ac3a84
         stream->dnstls_data.handshake = SSL_do_handshake(s);
ac3a84
         if (stream->dnstls_data.handshake <= 0) {
ac3a84
                 error = SSL_get_error(s, stream->dnstls_data.handshake);
ac3a84
-                if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
ac3a84
-                        char errbuf[256];
ac3a84
-
ac3a84
-                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
ac3a84
+                if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE))
ac3a84
                         return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
ac3a84
-                                               "Failed to invoke SSL_do_handshake: %s", errbuf);
ac3a84
-                }
ac3a84
+                                               "Failed to invoke SSL_do_handshake: %s", DNSTLS_ERROR_STRING(error));
ac3a84
         }
ac3a84
 
ac3a84
         stream->encrypted = true;
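Review bot: The existing `ERR_clear_error();` sits between the SSL_set_tlsext_host_name() call and SSL_do_handshake(), so when setting the server name fails the new `DNSTLS_ERROR_STRING(SSL_ERROR_SSL)` formats whatever entry happens to be at the head of the thread's error queue, which may be a stale error from an earlier operation rather than the cause of this failure. Moving `ERR_clear_error();` above the `if (server->server_name)` block makes the message trustworthy at no cost. In the handshake branch every non-WANT_* code is mapped to ECONNREFUSED, and for SSL_ERROR_SYSCALL the helper prints only the numeric code; since that code is what OpenSSL returns for an underlying socket error (and, on older versions, presumably for an unexpected EOF), logging errno here, e.g. `if (error == SSL_ERROR_SYSCALL && errno > 0) return log_debug_errno(errno, "Failed to invoke SSL_do_handshake: %m");`, would let an operator tell a network failure from a TLS-layer rejection such as a certificate verification failure. dnstls_stream_connect_tls continues outside the hunk.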
ac3a84
@@ -177,12 +182,8 @@ int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
ac3a84
                         } else if (error == SSL_ERROR_SYSCALL) {
ac3a84
                                 if (errno > 0)
ac3a84
                                         log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
ac3a84
-                        } else {
ac3a84
-                                char errbuf[256];
ac3a84
-
ac3a84
-                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
ac3a84
-                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
ac3a84
-                        }
ac3a84
+                        } else
ac3a84
+                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", DNSTLS_ERROR_STRING(error));
ac3a84
                 }
ac3a84
 
ac3a84
                 stream->dnstls_events = 0;
ac3a84
@@ -206,14 +207,10 @@ int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
ac3a84
                                         return r;
ac3a84
 
ac3a84
                                 return -EAGAIN;
ac3a84
-                        } else {
ac3a84
-                                char errbuf[256];
ac3a84
-
ac3a84
-                                ERR_error_string_n(error, errbuf, sizeof(errbuf));
ac3a84
+                        } else
ac3a84
                                 return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
ac3a84
                                                        "Failed to invoke SSL_do_handshake: %s",
ac3a84
-                                                       errbuf);
ac3a84
-                        }
ac3a84
+                                                       DNSTLS_ERROR_STRING(error));
ac3a84
                 }
ac3a84
 
ac3a84
                 stream->dnstls_events = 0;
ac3a84
@@ -275,12 +272,8 @@ int dnstls_stream_shutdown(DnsStream *stream, int error) {
ac3a84
                         } else if (ssl_error == SSL_ERROR_SYSCALL) {
ac3a84
                                 if (errno > 0)
ac3a84
                                         log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
ac3a84
-                        } else {
ac3a84
-                                char errbuf[256];
ac3a84
-
ac3a84
-                                ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
ac3a84
-                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
ac3a84
-                        }
ac3a84
+                        } else
ac3a84
+                                log_debug("Failed to invoke SSL_shutdown, ignoring: %s", DNSTLS_ERROR_STRING(ssl_error));
ac3a84
                 }
ac3a84
 
ac3a84
                 stream->dnstls_events = 0;
ac3a84
@@ -307,10 +300,7 @@ static ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t co
ac3a84
                         stream->dnstls_events = 0;
ac3a84
                         ss = 0;
ac3a84
                 } else {
ac3a84
-                        char errbuf[256];
ac3a84
-
ac3a84
-                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
ac3a84
-                        log_debug("Failed to invoke SSL_write: %s", errbuf);
ac3a84
+                        log_debug("Failed to invoke SSL_write: %s", DNSTLS_ERROR_STRING(error));
ac3a84
                         stream->dnstls_events = 0;
ac3a84
                         ss = -EPIPE;
ac3a84
                 }
ac3a84
@@ -375,10 +365,7 @@ ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
ac3a84
                         stream->dnstls_events = 0;
ac3a84
                         ss = 0;
ac3a84
                 } else {
ac3a84
-                        char errbuf[256];
ac3a84
-
ac3a84
-                        ERR_error_string_n(error, errbuf, sizeof(errbuf));
ac3a84
-                        log_debug("Failed to invoke SSL_read: %s", errbuf);
ac3a84
+                        log_debug("Failed to invoke SSL_read: %s", DNSTLS_ERROR_STRING(error));
ac3a84
                         stream->dnstls_events = 0;
ac3a84
                         ss = -EPIPE;
ac3a84
                 }