author | Nick Mathewson <nickm@torproject.org> | 2007-01-23 19:22:49 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2007-01-23 19:22:49 +0000 |
commit | ba53e0029fef1d97e2e0019738a8567d8984f869 (patch) | |
tree | 8577fe602fb06570643a1c8905dcef22710bfe36 /src | |
parent | c0c67d28f507e8403776afc14c5307b016b792a0 (diff) | |
download | tor-ba53e0029fef1d97e2e0019738a8567d8984f869.tar.gz tor-ba53e0029fef1d97e2e0019738a8567d8984f869.zip |
r11277@catbus: nickm | 2007-01-23 14:08:08 -0500
When logging TLS certificate and identity-related errors, scrub IP addresses for incoming connections, and distinguish between incoming and outgoing connections in log messages. Backport candidate.
svn:r9391
Diffstat (limited to 'src')
-rw-r--r-- | src/or/connection_or.c | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 8e5652f52a..295a060fed 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -569,29 +569,33 @@ connection_or_check_valid_handshake(or_connection_t *conn, char *digest_rcvd)
   char nickname[MAX_NICKNAME_LEN+1];
   or_options_t *options = get_options();
   int severity = server_mode(options) ? LOG_PROTOCOL_WARN : LOG_WARN;
+  int started_here = connection_or_nonopen_was_started_here(conn);
+  const char *safe_address =
+    started_here ? conn->_base.address : safe_str(conn->_base.address);
+  const char *peer_type = started_here ? "Router" : "Client or router";
 
   check_no_tls_errors();
   if (! tor_tls_peer_has_cert(conn->tls)) {
-    log_info(LD_PROTOCOL,"Peer (%s:%d) didn't send a cert! Closing.",
-             conn->_base.address, conn->_base.port);
+    log_info(LD_PROTOCOL,"%s (%s:%d) didn't send a cert! Closing.",
+             peer_type, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
   if (tor_tls_get_peer_cert_nickname(severity, conn->tls, nickname,
                                      sizeof(nickname))) {
-    log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
+    log_fn(severity,LD_PROTOCOL,"%s (%s:%d) has a cert without a "
            "valid nickname. Closing.",
-           conn->_base.address, conn->_base.port);
+           peer_type, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
-  log_debug(LD_OR, "Other side (%s:%d) claims to be router '%s'",
-            conn->_base.address, conn->_base.port, nickname);
+  log_debug(LD_OR, "%s (%s:%d) claims to be router '%s'",
+            peer_type, safe_address, conn->_base.port, nickname);
   if (tor_tls_verify(severity, conn->tls, &identity_rcvd) < 0) {
-    log_fn(severity,LD_OR,"Other side, which claims to be router '%s' (%s:%d),"
+    log_fn(severity,LD_OR,"%s which claims to be router '%s' (%s:%d),"
            " has a cert but it's invalid. Closing.",
-           nickname, conn->_base.address, conn->_base.port);
+           peer_type, nickname, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
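Review bot: The new `safe_address` initializer encodes a policy decision — the address of a peer we dialed is logged verbatim while the address of a peer that connected to us goes through `safe_str()` — but nothing in the code says why, so the next reader may take the unscrubbed outgoing branch for an oversight. A one-line comment above the declaration would pin the intent, e.g. `/* An outgoing connection's address is one we chose to dial, so it is not scrubbed; only scrub addresses of peers that connected to us. */`. Separately, the last `log_fn` format `"%s which claims to be router '%s' (%s:%d),"` dropped the comma that followed "Other side", so the message now reads `Router which claims to be router 'x' (...), has a cert but it's invalid`; `"%s, which claims to be router '%s' (%s:%d),"` keeps the sentence balanced. `connection_or_check_valid_handshake` begins before and continues past this hunk.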
@@ -610,13 +614,13 @@ connection_or_check_valid_handshake(or_connection_t *conn, char *digest_rcvd)
       router->is_named && /* make sure it's the right guy */
       memcmp(digest_rcvd, router->cache_info.identity_digest,DIGEST_LEN) !=0) {
     log_fn(severity, LD_OR,
-           "Identity key not as expected for router claiming to be "
+           "Identity key not as expected for peer claiming to be "
            "'%s' (%s:%d)",
-           nickname, conn->_base.address, conn->_base.port);
+           nickname, safe_address, conn->_base.port);
     return -1;
   }
 
-  if (connection_or_nonopen_was_started_here(conn)) {
+  if (started_here) {
     int as_advertised = 1;
     if (memcmp(digest_rcvd, conn->identity_digest, DIGEST_LEN)) {
       /* I was aiming for a particular digest. I didn't get it! */
@@ -656,7 +660,7 @@ connection_or_check_valid_handshake(or_connection_t *conn, char *digest_rcvd)
  * then initialize conn from the information in router.
  *
  * If all is successful, call circuit_n_conn_done() to handle events
- * that have been pending on the tls handshake completion. Also set the
+ * that have been pending on the <tls handshake completion. Also set the
  * directory to be dirty (only matters if I'm an authdirserver).
  */
 static int
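Review bot: The rewritten comment line in the third hunk introduces a stray `<` before `tls` (`pending on the <tls handshake completion`), which looks like an accidental keystroke rather than an intended edit, and it is the only change that hunk makes. Restoring the original wording, `* that have been pending on the tls handshake completion. Also set the`, removes it. The comment block documents the function defined after `static int`, whose body lies outside this hunk.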