start the process of reducing clutter in server logs
svn:r5253
This commit is contained in:
parent
aca6fb5f5f
commit
03dcef4c78
@ -724,10 +724,10 @@ log_cert_lifetime(X509 *cert, const char *problem)
|
|||||||
/** If the provided tls connection is authenticated and has a
|
/** If the provided tls connection is authenticated and has a
|
||||||
* certificate that is currently valid and signed, then set
|
* certificate that is currently valid and signed, then set
|
||||||
* *<b>identity_key</b> to the identity certificate's key and return
|
* *<b>identity_key</b> to the identity certificate's key and return
|
||||||
* 0. Else, return -1.
|
* 0. Else, return -1 and log complaints with log-level <b>severity</b>.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity_key)
|
tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key)
|
||||||
{
|
{
|
||||||
X509 *cert = NULL, *id_cert = NULL;
|
X509 *cert = NULL, *id_cert = NULL;
|
||||||
STACK_OF(X509) *chain = NULL;
|
STACK_OF(X509) *chain = NULL;
|
||||||
@ -748,7 +748,7 @@ tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity_key)
|
|||||||
* cert and the id_cert.
|
* cert and the id_cert.
|
||||||
*/
|
*/
|
||||||
if (num_in_chain < 1) {
|
if (num_in_chain < 1) {
|
||||||
log_fn(LOG_WARN,"Unexpected number of certificates in chain (%d)",
|
log_fn(severity,"Unexpected number of certificates in chain (%d)",
|
||||||
num_in_chain);
|
num_in_chain);
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@ -758,14 +758,14 @@ tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity_key)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (!id_cert) {
|
if (!id_cert) {
|
||||||
log_fn(LOG_WARN,"No distinct identity certificate found");
|
log_fn(severity,"No distinct identity certificate found");
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!(id_pkey = X509_get_pubkey(id_cert)) ||
|
if (!(id_pkey = X509_get_pubkey(id_cert)) ||
|
||||||
X509_verify(cert, id_pkey) <= 0) {
|
X509_verify(cert, id_pkey) <= 0) {
|
||||||
log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0");
|
log_fn(severity,"X509_verify on cert and pkey returned <= 0");
|
||||||
tls_log_errors(LOG_WARN,"verifying certificate");
|
tls_log_errors(severity,"verifying certificate");
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ int tor_tls_is_server(tor_tls_t *tls);
|
|||||||
void tor_tls_free(tor_tls_t *tls);
|
void tor_tls_free(tor_tls_t *tls);
|
||||||
int tor_tls_peer_has_cert(tor_tls_t *tls);
|
int tor_tls_peer_has_cert(tor_tls_t *tls);
|
||||||
int tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen);
|
int tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen);
|
||||||
int tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity);
|
int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
|
||||||
int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
|
int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
|
||||||
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
|
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
|
||||||
int tor_tls_write(tor_tls_t *tls, char *cp, size_t n);
|
int tor_tls_write(tor_tls_t *tls, char *cp, size_t n);
|
||||||
|
@ -144,7 +144,8 @@ command_process_cell(cell_t *cell, connection_t *conn)
|
|||||||
#endif
|
#endif
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
log_fn(LOG_WARN,"Cell of unknown type (%d) received. Dropping.", cell->command);
|
log_fn(LOG_PROTOCOL_WARN,
|
||||||
|
"Cell of unknown type (%d) received. Dropping.", cell->command);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -184,7 +185,9 @@ command_process_create_cell(cell_t *cell, connection_t *conn)
|
|||||||
circ = circuit_get_by_circid_orconn(cell->circ_id, conn);
|
circ = circuit_get_by_circid_orconn(cell->circ_id, conn);
|
||||||
|
|
||||||
if (circ) {
|
if (circ) {
|
||||||
log_fn(LOG_WARN,"received CREATE cell (circID %d) for known circ. Dropping.", cell->circ_id);
|
log_fn(LOG_PROTOCOL_WARN,
|
||||||
|
"received CREATE cell (circID %d) for known circ. Dropping.",
|
||||||
|
cell->circ_id);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -238,7 +241,7 @@ command_process_created_cell(cell_t *cell, connection_t *conn)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (circ->n_circ_id != cell->circ_id) {
|
if (circ->n_circ_id != cell->circ_id) {
|
||||||
log_fn(LOG_WARN,"got created cell from OPward? Closing.");
|
log_fn(LOG_PROTOCOL_WARN,"got created cell from OPward? Closing.");
|
||||||
circuit_mark_for_close(circ);
|
circuit_mark_for_close(circ);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -281,20 +284,20 @@ command_process_relay_cell(cell_t *cell, connection_t *conn)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (circ->state == CIRCUIT_STATE_ONIONSKIN_PENDING) {
|
if (circ->state == CIRCUIT_STATE_ONIONSKIN_PENDING) {
|
||||||
log_fn(LOG_WARN,"circuit in create_wait. Closing.");
|
log_fn(LOG_PROTOCOL_WARN,"circuit in create_wait. Closing.");
|
||||||
circuit_mark_for_close(circ);
|
circuit_mark_for_close(circ);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (cell->circ_id == circ->p_circ_id) { /* it's an outgoing cell */
|
if (cell->circ_id == circ->p_circ_id) { /* it's an outgoing cell */
|
||||||
if (circuit_receive_relay_cell(cell, circ, CELL_DIRECTION_OUT) < 0) {
|
if (circuit_receive_relay_cell(cell, circ, CELL_DIRECTION_OUT) < 0) {
|
||||||
log_fn(LOG_WARN,"circuit_receive_relay_cell (forward) failed. Closing.");
|
log_fn(LOG_PROTOCOL_WARN,"circuit_receive_relay_cell (forward) failed. Closing.");
|
||||||
circuit_mark_for_close(circ);
|
circuit_mark_for_close(circ);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
} else { /* it's an ingoing cell */
|
} else { /* it's an ingoing cell */
|
||||||
if (circuit_receive_relay_cell(cell, circ, CELL_DIRECTION_IN) < 0) {
|
if (circuit_receive_relay_cell(cell, circ, CELL_DIRECTION_IN) < 0) {
|
||||||
log_fn(LOG_WARN,"circuit_receive_relay_cell (backward) failed. Closing.");
|
log_fn(LOG_PROTOCOL_WARN,"circuit_receive_relay_cell (backward) failed. Closing.");
|
||||||
circuit_mark_for_close(circ);
|
circuit_mark_for_close(circ);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
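Review bot: None of the demoted messages in command_process_cell (unknown cell type) or in the create/created/relay handlers say which connection sent the offending cell, so once an operator turns on ProtocolWarnings to chase these down the output is still not actionable. `conn` is in scope in each handler; for the unknown-type case use `log_fn(LOG_PROTOCOL_WARN, "Cell of unknown type (%d) received from %s:%d. Dropping.", cell->command, safe_str(conn->address), conn->port);` and do the same for the other three. Moving these remotely triggerable conditions to LOG_PROTOCOL_WARN is the right call, since any connected peer can send an unknown cell type or a CREATE for a circuit id it already opened and fill the warn log at will. command_process_create_cell and command_process_relay_cell both continue past their hunks.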
|
@ -163,6 +163,7 @@ static config_var_t _option_vars[] = {
|
|||||||
VAR("OutboundBindAddress", STRING, OutboundBindAddress, NULL),
|
VAR("OutboundBindAddress", STRING, OutboundBindAddress, NULL),
|
||||||
VAR("PathlenCoinWeight", DOUBLE, PathlenCoinWeight, "0.3"),
|
VAR("PathlenCoinWeight", DOUBLE, PathlenCoinWeight, "0.3"),
|
||||||
VAR("PidFile", STRING, PidFile, NULL),
|
VAR("PidFile", STRING, PidFile, NULL),
|
||||||
|
VAR("ProtocolWarnings", BOOL, ProtocolWarnings, "0"),
|
||||||
VAR("ReachableAddresses", LINELIST, ReachableAddresses, NULL),
|
VAR("ReachableAddresses", LINELIST, ReachableAddresses, NULL),
|
||||||
VAR("RecommendedVersions", LINELIST, RecommendedVersions, NULL),
|
VAR("RecommendedVersions", LINELIST, RecommendedVersions, NULL),
|
||||||
VAR("RecommendedClientVersions", LINELIST, RecommendedClientVersions, NULL),
|
VAR("RecommendedClientVersions", LINELIST, RecommendedClientVersions, NULL),
|
||||||
|
@ -481,7 +481,7 @@ connection_or_check_valid_handshake(connection_t *conn, char *digest_rcvd)
|
|||||||
log_fn(LOG_DEBUG, "Other side (%s:%d) claims to be router '%s'",
|
log_fn(LOG_DEBUG, "Other side (%s:%d) claims to be router '%s'",
|
||||||
conn->address, conn->port, nickname);
|
conn->address, conn->port, nickname);
|
||||||
|
|
||||||
if (tor_tls_verify(conn->tls, &identity_rcvd) < 0) {
|
if (tor_tls_verify(severity, conn->tls, &identity_rcvd) < 0) {
|
||||||
log_fn(LOG_WARN,"Other side, which claims to be router '%s' (%s:%d), has a cert but it's invalid. Closing.",
|
log_fn(LOG_WARN,"Other side, which claims to be router '%s' (%s:%d), has a cert but it's invalid. Closing.",
|
||||||
nickname, conn->address, conn->port);
|
nickname, conn->address, conn->port);
|
||||||
return -1;
|
return -1;
|
||||||
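Review bot: The detailed reason for a certificate failure now goes to `severity` while the summary on the next line stays at LOG_WARN, so when severity is below warn an operator sees "has a cert but it's invalid" with no diagnostic, and the warn-level line this commit sets out to reduce is still emitted for that peer. Either pass `severity` to this log_fn too, `log_fn(severity,"Other side, which claims to be router '%s' (%s:%d), has a cert but it's invalid. Closing.", nickname, conn->address, conn->port);`, or keep both at LOG_WARN; the detail should not be logged below its summary. The definition of `severity` and the rest of connection_or_check_valid_handshake are outside the hunk, so which callers end up with a lowered severity cannot be checked here. Note also that `nickname` is the peer's own claim, so the line is attributable only through the address and port.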
|
@ -463,7 +463,13 @@ conn_close_if_marked(int i)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (connection_wants_to_flush(conn)) {
|
if (connection_wants_to_flush(conn)) {
|
||||||
log_fn(LOG_NOTICE,"Something wrong with your network connection? Conn (addr %s, fd %d, type %s, state %d) tried to write %d bytes but timed out. (Marked at %s:%d)",
|
int severity;
|
||||||
|
if (conn->type == CONN_TYPE_EXIT ||
|
||||||
|
(conn->type == CONN_TYPE_DIR && conn->purpose == DIR_PURPOSE_SERVER))
|
||||||
|
severity = LOG_INFO;
|
||||||
|
else
|
||||||
|
severity = LOG_NOTICE;
|
||||||
|
log_fn(severity, "Something wrong with your network connection? Conn (addr %s, fd %d, type %s, state %d) tried to write %d bytes but timed out. (Marked at %s:%d)",
|
||||||
safe_str(conn->address), conn->s, conn_type_to_string(conn->type),
|
safe_str(conn->address), conn->s, conn_type_to_string(conn->type),
|
||||||
conn->state,
|
conn->state,
|
||||||
(int)buf_datalen(conn->outbuf), conn->marked_for_close_file,
|
(int)buf_datalen(conn->outbuf), conn->marked_for_close_file,
|
||||||
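Review bot: The demotion to LOG_INFO for exit and dir-server connections carries no comment explaining why, and the condition `conn->type == CONN_TYPE_EXIT || (conn->type == CONN_TYPE_DIR && conn->purpose == DIR_PURPOSE_SERVER)` is exactly the kind of rule a later reader will want a rationale for. Presumably these are the connections where a remote, unauthenticated party decides whether to keep reading, so a flush timeout there is neither evidence of a local network problem nor something the operator can act on, and any client can provoke one; if that is the intent, say so: `/* Exit and dir-server conns stall whenever the remote side stops reading, which any peer can cause, so don't treat that as a local network problem. */`. The message still asks "Something wrong with your network connection?" for those cases, which is misleading even at info level; consider a neutral wording when severity is LOG_INFO. conn_close_if_marked begins and ends outside the hunk.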
|
@ -1290,6 +1290,9 @@ typedef struct {
|
|||||||
* long do we wait before exiting? */
|
* long do we wait before exiting? */
|
||||||
int SafeLogging; /**< Boolean: are we allowed to log sensitive strings
|
int SafeLogging; /**< Boolean: are we allowed to log sensitive strings
|
||||||
* such as addresses (0), or do we scrub them first (1)? */
|
* such as addresses (0), or do we scrub them first (1)? */
|
||||||
|
#define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? LOG_WARN : LOG_INFO)
|
||||||
|
int ProtocolWarnings; /**< Boolean: when other parties screw up the Tor
|
||||||
|
* protocol, is it a warn or an info in our logs? */
|
||||||
int HardwareAccel; /**< Boolean: Should we enable OpenSSL hardware
|
int HardwareAccel; /**< Boolean: Should we enable OpenSSL hardware
|
||||||
* acceleration where available? */
|
* acceleration where available? */
|
||||||
int UseHelperNodes; /**< Boolean: Do we try to enter from a smallish number
|
int UseHelperNodes; /**< Boolean: Do we try to enter from a smallish number
|
||||||
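Review bot: The `#define LOG_PROTOCOL_WARN` is placed inside the body of the options struct, between the SafeLogging and ProtocolWarnings fields; it is legal preprocessor-wise, but it hides a file-scope macro inside a type definition and it expands to a `get_options()` call at every log site, which a reader of the struct will not expect. Move the define out of the struct, next to the other LOG_* levels or immediately after the typedef, with a comment such as `/* Log level for peer protocol violations: LOG_WARN if the operator asked for ProtocolWarnings, else LOG_INFO, so remotely triggerable misbehaviour cannot flood the warn log by default. */`. The struct is cut on both sides of the hunk.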
|
@ -193,7 +193,7 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, int cell_direction)
|
|||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
log_fn(LOG_WARN,"Didn't recognize cell, but circ stops here! Closing circ.");
|
log_fn(LOG_PROTOCOL_WARN,"Didn't recognize cell, but circ stops here! Closing circ.");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -429,7 +429,7 @@ connection_edge_send_command(connection_t *fromconn, circuit_t *circ,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!circ) {
|
if (!circ) {
|
||||||
log_fn(LOG_WARN,"no circ. Closing conn.");
|
log_fn(LOG_INFO,"no circ. Closing conn.");
|
||||||
tor_assert(fromconn);
|
tor_assert(fromconn);
|
||||||
if (fromconn->type == CONN_TYPE_AP) {
|
if (fromconn->type == CONN_TYPE_AP) {
|
||||||
connection_mark_unattached_ap(fromconn, END_STREAM_REASON_INTERNAL);
|
connection_mark_unattached_ap(fromconn, END_STREAM_REASON_INTERNAL);
|
||||||
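Review bot: This message is hard-coded to LOG_INFO rather than the LOG_PROTOCOL_WARN used for the other demotions in this commit, so unlike them it cannot be re-enabled with ProtocolWarnings. If the missing circuit is a local state error, which the END_STREAM_REASON_INTERNAL on the following lines suggests, then it is not a peer protocol violation and a permanent info is arguably too quiet rather than too loud; if it can be reached through peer action, use `log_fn(LOG_PROTOCOL_WARN,"no circ. Closing conn.");` for consistency. Either way a one-line comment stating which case this is would settle the choice. connection_edge_send_command starts and ends outside the hunk.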
|