
[or-cvs] r9391: When logging TLS certificate and identity-related errors, sc (in tor/trunk: . src/or)



Author: nickm
Date: 2007-01-23 14:22:49 -0500 (Tue, 23 Jan 2007)
New Revision: 9391

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/or/connection_or.c
Log:
 r11277@catbus:  nickm | 2007-01-23 14:08:08 -0500
 When logging TLS certificate and identity-related errors, scrub IP addresses for incoming connections, and distinguish between incoming and outgoing connections in log messages.  Backport candidate.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r11277] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2007-01-23 19:22:46 UTC (rev 9390)
+++ tor/trunk/ChangeLog	2007-01-23 19:22:49 UTC (rev 9391)
@@ -43,6 +43,8 @@
       from at least half of the authorities.  This delays the first download
       slightly under pathological circumstances, but can prevent us from
       downloading a bunch of descriptors we don't need.
+    - Do not log IPs with TLS failures for incoming TLS connections.  (Fixes
+      bug 382.)
 
   o Minor features:
     - Check for addresses with invalid characters at the exit as well as at
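Review bot: the ChangeLog entry describes only the address scrubbing, but the same commit also rewords every log message in the TLS certificate checks ("Other side (...)" becomes "Router (...)" or "Client or router (...)", "router claiming to be" becomes "peer claiming to be"); operators who grep or alert on those strings will see them change, so the entry should mention the rewording as well as the "Do not log IPs" fix for bug 382.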

Modified: tor/trunk/src/or/connection_or.c
===================================================================
--- tor/trunk/src/or/connection_or.c	2007-01-23 19:22:46 UTC (rev 9390)
+++ tor/trunk/src/or/connection_or.c	2007-01-23 19:22:49 UTC (rev 9391)
@@ -569,29 +569,33 @@
   char nickname[MAX_NICKNAME_LEN+1];
   or_options_t *options = get_options();
   int severity = server_mode(options) ? LOG_PROTOCOL_WARN : LOG_WARN;
+  int started_here = connection_or_nonopen_was_started_here(conn);
+  const char *safe_address =
+    started_here ? conn->_base.address : safe_str(conn->_base.address);
+  const char *peer_type = started_here ? "Router" : "Client or router";
 
   check_no_tls_errors();
   if (! tor_tls_peer_has_cert(conn->tls)) {
-    log_info(LD_PROTOCOL,"Peer (%s:%d) didn't send a cert! Closing.",
-             conn->_base.address, conn->_base.port);
+    log_info(LD_PROTOCOL,"%s (%s:%d) didn't send a cert! Closing.",
+             peer_type, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
   if (tor_tls_get_peer_cert_nickname(severity, conn->tls, nickname,
                                      sizeof(nickname))) {
-    log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
+    log_fn(severity,LD_PROTOCOL,"%s (%s:%d) has a cert without a "
            "valid nickname. Closing.",
-           conn->_base.address, conn->_base.port);
+           peer_type, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
-  log_debug(LD_OR, "Other side (%s:%d) claims to be router '%s'",
-            conn->_base.address, conn->_base.port, nickname);
+  log_debug(LD_OR, "%s (%s:%d) claims to be router '%s'",
+            peer_type, safe_address, conn->_base.port, nickname);
 
   if (tor_tls_verify(severity, conn->tls, &identity_rcvd) < 0) {
-    log_fn(severity,LD_OR,"Other side, which claims to be router '%s' (%s:%d),"
+    log_fn(severity,LD_OR,"%s which claims to be router '%s' (%s:%d),"
            " has a cert but it's invalid. Closing.",
-           nickname, conn->_base.address, conn->_base.port);
+           peer_type, nickname, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
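Review bot: the rewritten "has a cert but it's invalid" message drops the comma that set off the relative clause in the original ("Other side, which claims to be router ..."), so with peer_type substituted it now reads "Client or router which claims to be router 'foo' (...)"; restore it as "%s, which claims to be router '%s' (%s:%d),". Separately, safe_str() scrubs only the address: conn->_base.port is still logged verbatim in all four messages, so for an incoming connection the log still records half of the peer's socket tuple; if the point of bug 382 is to keep client endpoints out of the logs, the port should also be scrubbed or dropped in the !started_here case. The started_here split itself is the right criterion, since for an outgoing connection the address was taken from a router descriptor rather than learned from a client.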
@@ -610,13 +614,13 @@
       router->is_named && /* make sure it's the right guy */
       memcmp(digest_rcvd, router->cache_info.identity_digest,DIGEST_LEN) !=0) {
     log_fn(severity, LD_OR,
-           "Identity key not as expected for router claiming to be "
+           "Identity key not as expected for peer claiming to be "
            "'%s' (%s:%d)",
-           nickname, conn->_base.address, conn->_base.port);
+           nickname, safe_address, conn->_base.port);
     return -1;
   }
 
-  if (connection_or_nonopen_was_started_here(conn)) {
+  if (started_here) {
     int as_advertised = 1;
     if (memcmp(digest_rcvd, conn->identity_digest, DIGEST_LEN)) {
       /* I was aiming for a particular digest. I didn't get it! */
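Review bot: the "Identity key not as expected" message is the only one in this function that does not get the peer_type prefix, so after this change it says "peer claiming to be" for both directions while the messages above distinguish "Router" from "Client or router"; for consistency use peer_type here too, e.g. "%s claiming to be '%s' (%s:%d)" with peer_type, nickname, safe_address. Replacing the second connection_or_nonopen_was_started_here(conn) call with the cached started_here is fine, since it is computed once at the top of the function and conn does not change in between.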
@@ -656,7 +660,7 @@
  * then initialize conn from the information in router.
  *
  * If all is successful, call circuit_n_conn_done() to handle events
- * that have been pending on the tls handshake completion. Also set the
+ * that have been pending on the <tls handshake completion. Also set the
  * directory to be dirty (only matters if I'm an authdirserver).
  */
 static int
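Review bot: this hunk introduces a typo instead of fixing one: "pending on the <tls handshake completion" has a stray `<` before "tls"; drop it so the comment reads "pending on the tls handshake completion" as it did before. Since the hunk contains no code change, it looks like an accidental keystroke that should not travel with the backport.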