Merge pull request bareos#2078

openssl: unify ssl error logging
sduehr · Jan 31, 2025 · 6f6cc93 · 6f6cc93
2 parents e5cf562 + 2ee780a
commit 6f6cc93
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - logrotate: add mtx-changer debug log config [PR #2039]
 - cmake: add cmake check whether tirpc is installed [PR #2109]
 - bconsole: require only one password in the configuration [PR #2116]
+- openssl: unify ssl error logging [PR #2078]
 
 [PR #2039]: https://github.com/bareos/bareos/pull/2039
 [PR #2040]: https://github.com/bareos/bareos/pull/2040
@@ -36,6 +37,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [PR #2067]: https://github.com/bareos/bareos/pull/2067
 [PR #2068]: https://github.com/bareos/bareos/pull/2068
 [PR #2076]: https://github.com/bareos/bareos/pull/2076
+[PR #2078]: https://github.com/bareos/bareos/pull/2078
 [PR #2079]: https://github.com/bareos/bareos/pull/2079
 [PR #2086]: https://github.com/bareos/bareos/pull/2086
 [PR #2102]: https://github.com/bareos/bareos/pull/2102

diff --git a/core/src/lib/crypto_openssl.cc b/core/src/lib/crypto_openssl.cc
@@ -2,7 +2,7 @@
    BAREOS® - Backup Archiving REcovery Open Sourced
 
    Copyright (C) 2005-2011 Free Software Foundation Europe e.V.
-   Copyright (C) 2013-2024 Bareos GmbH & Co. KG
+   Copyright (C) 2013-2025 Bareos GmbH & Co. KG
 
    This program is Free Software; you can redistribute it and/or
    modify it under the terms of version three of the GNU Affero General Public
@@ -48,6 +48,7 @@
 #    include <openssl/evp.h>
 #    include <iomanip>
 #    include <sstream>
+#    include <algorithm>
 
 
 /*
@@ -1756,4 +1757,40 @@ void OpensslCleanupThreads(void)
   CRYPTO_set_dynlock_destroy_callback(NULL);
 }
 
+void LogSSLError(int ssl_error)
+{
+  struct ssl_error_code {
+    int error_code;
+    int level;
+    const char* name;
+  };
+
+  static constexpr std::initializer_list<ssl_error_code> ssl_error_codes{
+      {SSL_ERROR_NONE, 1000, "no-error"},
+      {SSL_ERROR_SSL, 50, "ssl-error"},
+      {SSL_ERROR_WANT_READ, 500, "want-read"},
+      {SSL_ERROR_WANT_WRITE, 500, "want-write"},
+      {SSL_ERROR_WANT_X509_LOOKUP, 50, "want-x509-lookup"},
+      {SSL_ERROR_SYSCALL, 50, "syscall-error"},
+      {SSL_ERROR_ZERO_RETURN, 100, "zero-return-error"},
+      {SSL_ERROR_WANT_CONNECT, 100, "want-connect"},
+      {SSL_ERROR_WANT_ACCEPT, 100, "want-accept"},
+      {SSL_ERROR_WANT_ASYNC, 100, "want-async"},
+      {SSL_ERROR_WANT_ASYNC_JOB, 100, "want-async-job"},
+      {SSL_ERROR_WANT_CLIENT_HELLO_CB, 100, "want-client-hello-cb"},
+#  if defined(SSL_ERROR_WANT_RETRY_VERIFY)
+      {SSL_ERROR_WANT_RETRY_VERIFY, 100, "want-retry-verify"},
+#  endif
+  };
+
+  if (auto iter = std::find_if(
+          std::begin(ssl_error_codes), std::end(ssl_error_codes),
+          [ssl_error](const auto& val) { return val.error_code == ssl_error; });
+      iter != std::end(ssl_error_codes)) {
+    Dmsg1(iter->level, "SSL_get_error() returned %s\n", iter->name);
+    return;
+  }
+  Dmsg1(50, "SSL_get_error() returned unknown error value %d\n", ssl_error);
+}
+
 #endif /* HAVE_OPENSSL */
diff --git a/core/src/lib/crypto_openssl.h b/core/src/lib/crypto_openssl.h
@@ -1,7 +1,7 @@
 /*
    BAREOS® - Backup Archiving REcovery Open Sourced
 
-   Copyright (C) 2018-2024 Bareos GmbH & Co. KG
+   Copyright (C) 2018-2025 Bareos GmbH & Co. KG
 
    This program is Free Software; you can redistribute it and/or
    modify it under the terms of version three of the GNU Affero General Public
@@ -44,6 +44,9 @@ void OpensslPostErrors_impl(const char* file,
 int OpensslInitThreads(void);
 void OpensslCleanupThreads(void);
 DIGEST* OpensslDigestNew(JobControlRecord* jcr, crypto_digest_t type);
+
+void LogSSLError(int ssl_error);
+
 #endif /* HAVE_OPENSSL */
 
 #endif  // BAREOS_LIB_CRYPTO_OPENSSL_H_
diff --git a/core/src/lib/tls_openssl.cc b/core/src/lib/tls_openssl.cc
@@ -2,7 +2,7 @@
    BAREOS® - Backup Archiving REcovery Open Sourced
 
    Copyright (C) 2005-2010 Free Software Foundation Europe e.V.
-   Copyright (C) 2014-2024 Bareos GmbH & Co. KG
+   Copyright (C) 2014-2025 Bareos GmbH & Co. KG
 
    This program is Free Software; you can redistribute it and/or
    modify it under the terms of version three of the GNU Affero General Public
@@ -301,9 +301,7 @@ void TlsOpenSsl::TlsBsockShutdown(BareosSocket* bsock)
   }
 
   int ssl_error = SSL_get_error(d_->openssl_, err_shutdown);
-  if (ssl_error != SSL_ERROR_NONE) {
-    Dmsg1(50, "SSL_get_error() returned error value %d\n", ssl_error);
-  }
+  LogSSLError(ssl_error);
 
   /* There may be more errors on the thread-local error-queue.
    * As we just shutdown our context and looked at the errors that we were

diff --git a/core/src/lib/tls_openssl_private.cc b/core/src/lib/tls_openssl_private.cc
@@ -2,7 +2,7 @@
    BAREOS® - Backup Archiving REcovery Open Sourced
 
    Copyright (C) 2005-2010 Free Software Foundation Europe e.V.
-   Copyright (C) 2018-2024 Bareos GmbH & Co. KG
+   Copyright (C) 2018-2025 Bareos GmbH & Co. KG
 
    This program is Free Software; you can redistribute it and/or
    modify it under the terms of version three of the GNU Affero General Public
@@ -324,9 +324,7 @@ int TlsOpenSslPrivate::OpensslBsockReadwrite(BareosSocket* bsock,
     }
 
     int ssl_error = SSL_get_error(openssl_, nwritten);
-    if (ssl_error != SSL_ERROR_NONE) {
-      Dmsg1(50, "SSL_get_error() returned error value %d\n", ssl_error);
-    }
+    LogSSLError(ssl_error);
     switch (ssl_error) {
       case SSL_ERROR_NONE:
         nleft -= nwritten;
@@ -401,9 +399,7 @@ bool TlsOpenSslPrivate::OpensslBsockSessionStart(BareosSocket* bsock,
     }
 
     int ssl_error = SSL_get_error(openssl_, err_accept);
-    if (ssl_error != SSL_ERROR_NONE) {
-      Dmsg1(50, "SSL_get_error() returned error value %d\n", ssl_error);
-    }
+    LogSSLError(ssl_error);
     switch (ssl_error) {
       case SSL_ERROR_NONE:
         bsock->SetTlsEstablished();

diff --git a/core/src/tests/test_bpipe.cc b/core/src/tests/test_bpipe.cc
@@ -1,7 +1,7 @@
 /*
    BAREOS® - Backup Archiving REcovery Open Sourced
 
-   Copyright (C) 2024-2024 Bareos GmbH & Co. KG
+   Copyright (C) 2024-2025 Bareos GmbH & Co. KG
 
    This program is Free Software; you can redistribute it and/or
    modify it under the terms of version three of the GNU Affero General Public
@@ -128,7 +128,7 @@ TEST(bpipe, timeout)
   // even though we don't intend to write, we have to attach a pipe to our
   // childs stdin, otherwise it will inherit ours which might be closed and
   // would make `cat` exit immediately.
-  Bpipe* bp = OpenBpipe(TEST_PROGRAM " cat", 1, "rw");
+  Bpipe* bp = OpenBpipe(TEST_PROGRAM " cat", 5, "rw");
   ASSERT_THAT(bp, NotNull());
   ASSERT_THAT(bp->timer_id, NotNull());
   ASSERT_FALSE(bp->timer_id->killed);