r11277@catbus: nickm | 2007-01-23 14:08:08 -0500

 When logging TLS certificate and identity-related errors, scrub IP addresses for incoming connections, and distinguish between incoming and outgoing connections in log messages.  Backport candidate.


svn:r9391

ChangeLog

@@ -43,6 +43,8 @@ Changes in version 0.1.2.7-alpha - 2007-??-??
       from at least half of the authorities.  This delays the first download
       slightly under pathological circumstances, but can prevent us from
       downloading a bunch of descriptors we don't need.
+    - Do not log IPs with TLS failures for incoming TLS connections.  (Fixes
+      bug 382.)
 
   o Minor features:
     - Check for addresses with invalid characters at the exit as well as at

src/or/connection_or.c

@@ -569,29 +569,33 @@ connection_or_check_valid_handshake(or_connection_t *conn, char *digest_rcvd)
   char nickname[MAX_NICKNAME_LEN+1];
   or_options_t *options = get_options();
   int severity = server_mode(options) ? LOG_PROTOCOL_WARN : LOG_WARN;
+  int started_here = connection_or_nonopen_was_started_here(conn);
+  const char *safe_address =
+    started_here ? conn->_base.address : safe_str(conn->_base.address);
+  const char *peer_type = started_here ? "Router" : "Client or router";
 
   check_no_tls_errors();
   if (! tor_tls_peer_has_cert(conn->tls)) {
-    log_info(LD_PROTOCOL,"Peer (%s:%d) didn't send a cert! Closing.",
-             conn->_base.address, conn->_base.port);
+    log_info(LD_PROTOCOL,"%s (%s:%d) didn't send a cert! Closing.",
+             peer_type, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
   if (tor_tls_get_peer_cert_nickname(severity, conn->tls, nickname,
                                      sizeof(nickname))) {
-    log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
+    log_fn(severity,LD_PROTOCOL,"%s (%s:%d) has a cert without a "
            "valid nickname. Closing.",
-           conn->_base.address, conn->_base.port);
+           peer_type, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
-  log_debug(LD_OR, "Other side (%s:%d) claims to be router '%s'",
-            conn->_base.address, conn->_base.port, nickname);
+  log_debug(LD_OR, "%s (%s:%d) claims to be router '%s'",
+            peer_type, safe_address, conn->_base.port, nickname);
 
   if (tor_tls_verify(severity, conn->tls, &identity_rcvd) < 0) {
-    log_fn(severity,LD_OR,"Other side, which claims to be router '%s' (%s:%d),"
+    log_fn(severity,LD_OR,"%s which claims to be router '%s' (%s:%d),"
            " has a cert but it's invalid. Closing.",
-           nickname, conn->_base.address, conn->_base.port);
+           peer_type, nickname, safe_address, conn->_base.port);
     return -1;
   }
   check_no_tls_errors();
@@ -610,13 +614,13 @@ connection_or_check_valid_handshake(or_connection_t *conn, char *digest_rcvd)
       router->is_named && /* make sure it's the right guy */
       memcmp(digest_rcvd, router->cache_info.identity_digest,DIGEST_LEN) !=0) {
     log_fn(severity, LD_OR,
-           "Identity key not as expected for router claiming to be "
+           "Identity key not as expected for peer claiming to be "
            "'%s' (%s:%d)",
-           nickname, conn->_base.address, conn->_base.port);
+           nickname, safe_address, conn->_base.port);
     return -1;
   }
 
-  if (connection_or_nonopen_was_started_here(conn)) {
+  if (started_here) {
     int as_advertised = 1;
     if (memcmp(digest_rcvd, conn->identity_digest, DIGEST_LEN)) {
       /* I was aiming for a particular digest. I didn't get it! */
@@ -656,7 +660,7 @@ connection_or_check_valid_handshake(or_connection_t *conn, char *digest_rcvd)
  * then initialize conn from the information in router.
  *
  * If all is successful, call circuit_n_conn_done() to handle events
- * that have been pending on the tls handshake completion. Also set the
+ * that have been pending on the <tls handshake completion. Also set the
  * directory to be dirty (only matters if I'm an authdirserver).
  */
 static int