[mod_gnutls] improve alert handling

* print alerts with numerical value * show non-fatal alerts * use log level info for all alerts * use log level warning for non-fatal "unknown" errors Change-Id: Ibaa33743bfe809579981fdeb121955ef5c6d0ab2
7 years ago · fc02dcf9e2
2 changed files with 31 additions and 19 deletions
--- a/include/lighttpd/log.h
+++ b/include/lighttpd/log.h
@ -16,8 +16,8 @@
 * Logs are sent once per event loop iteration to the logging thread in order to reduce syscalls and lock contention.
 */

-/* at least one of srv and wrk must not be NULL. log_map may be NULL. */
-#define _SEGFAULT(srv, wrk, log_map, fmt, ...) \
+/* at least one of srv and wrk must not be NULL. ctx may be NULL. */
+#define _SEGFAULT(srv, wrk, ctx, fmt, ...) \
 	do { \
 		li_log_write(srv, NULL, NULL, LI_LOG_LEVEL_ABORT, LI_LOG_FLAG_TIMESTAMP, "(crashing) %s:%d: %s " fmt, LI_REMOVE_PATH(__FILE__), __LINE__, G_STRFUNC, __VA_ARGS__); \
 		li_print_backtrace_stderr(); \
--- a/src/modules/gnutls_filter.c
+++ b/src/modules/gnutls_filter.c
@ -209,7 +209,7 @@ static void do_handle_error(liGnuTLSFilter *f, const char *gnutlsfunc, int r, gb
 	switch (r) {
 	case GNUTLS_E_AGAIN:
 		if (writing) f->write_wants_read = TRUE;
-		break;
+		return;
 	case GNUTLS_E_REHANDSHAKE:
 #ifdef HAVE_SAVE_RENEGOTIATION
 		if (f->initial_handshaked_finished && !gnutls_safe_renegotiation_status(f->session)) {
@ -224,35 +224,47 @@ static void do_handle_error(liGnuTLSFilter *f, const char *gnutlsfunc, int r, gb
 			f_close_with_alert(f, r);
 		}
 #endif
-		break;
+		return;
 	case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
 		f_close_with_alert(f, r);
-		break;
+		return;
 	case GNUTLS_E_UNKNOWN_CIPHER_SUITE:
 	case GNUTLS_E_UNSUPPORTED_VERSION_PACKET:
 		_DEBUG(f->srv, f->wrk, f->log_context, "%s (%s): %s", gnutlsfunc,
 			gnutls_strerror_name(r), gnutls_strerror(r));
 		f_close_with_alert(f, r);
+		return;
+	case GNUTLS_E_FATAL_ALERT_RECEIVED:
+	case GNUTLS_E_WARNING_ALERT_RECEIVED:
+		{
+			gnutls_alert_description_t alert_desc = gnutls_alert_get(f->session);
+			const char* alert_desc_name = gnutls_alert_get_name(alert_desc);
+			_INFO(f->srv, f->wrk, f->log_context, "%s (%s): %s %s (%u)", gnutlsfunc,
+				gnutls_strerror_name(r), gnutls_strerror(r),
+				(NULL != alert_desc_name) ? alert_desc_name : "unknown alert",
+				(unsigned int) alert_desc);
+		}
+		/* error not handled yet: break instead of return */
 		break;
 	default:
 		if (gnutls_error_is_fatal(r)) {
-			if (GNUTLS_E_FATAL_ALERT_RECEIVED == r || GNUTLS_E_WARNING_ALERT_RECEIVED == r) {
-				_ERROR(f->srv, f->wrk, f->log_context, "%s (%s): %s", gnutlsfunc,
-					gnutls_strerror_name(r),
-					gnutls_alert_get_name(gnutls_alert_get(f->session)));
-			} else {
-				_ERROR(f->srv, f->wrk, f->log_context, "%s (%s): %s", gnutlsfunc,
-					gnutls_strerror_name(r), gnutls_strerror(r));
-			}
-			if (f->initial_handshaked_finished) {
-				f_close_with_alert(f, r);
-			} else {
-				f_abort_gnutls(f);
-			}
+			_ERROR(f->srv, f->wrk, f->log_context, "%s (%s): %s", gnutlsfunc,
+				gnutls_strerror_name(r), gnutls_strerror(r));
 		} else {
-			_ERROR(f->srv, f->wrk, f->log_context, "%s non fatal (%s): %s", gnutlsfunc,
+			_WARNING(f->srv, f->wrk, f->log_context, "%s non fatal (%s): %s", gnutlsfunc,
 				gnutls_strerror_name(r), gnutls_strerror(r));
 		}
+		/* error not handled yet: break instead of return */
+		break;
+	}
+
+	/* generic error handling */
+	if (gnutls_error_is_fatal(r)) {
+		if (f->initial_handshaked_finished) {
+			f_close_with_alert(f, r);
+		} else {
+			f_abort_gnutls(f);
+		}
 	}
 }