From: Miroslav Lichvar
Date: Wed, 6 Aug 2025 13:43:41 +0000 (+0200)
Subject: tls: fix server log messages to have client IP address
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=93a78c73ada369d2b35e3b1692c19c915938c8e8;p=thirdparty%2Fchrony.git
tls: fix server log messages to have client IP address
Add an additional parameter to TLS_CreateInstance() to save the label of the connection (server name on the client side and client IP address:port on the server side) instead of the server name (which is NULL on the server side) to fix the log messages.
Fixes: 3e32e7e69412 ("tls: move gnutls code into tls_gnutls.c")
---
diff --git a/nts_ke_session.c b/nts_ke_session.c
index 7e09ac5f..02cab087 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -613,7 +613,7 @@ NKSN_StartSession(NKSN_Instance inst, int sock_fd, const char *label,
 assert(inst->state == KE_STOPPED);
 inst->tls_session = TLS_CreateInstance(inst->server, sock_fd, inst->server_name,
- NKE_ALPN_NAME, credentials,
+ label, NKE_ALPN_NAME, credentials,
 clock_updates < CNF_GetNoCertTimeCheck());
 if (!inst->tls_session)
 return 0;
diff --git a/tls.h b/tls.h
index 0a283821..8db419d7 100644
--- a/tls.h
+++ b/tls.h
@@ -64,8 +64,8 @@ extern void TLS_DestroyCredentials(TLS_Credentials credentials);
 /* Create new TLS session instance */
 extern TLS_Instance TLS_CreateInstance(int server_mode, int sock_fd, const char *server_name,
- const char *alpn_name, TLS_Credentials credentials,
- int disable_time_checks);
+ const char *label, const char *alpn_name,
+ TLS_Credentials credentials, int disable_time_checks);
 /* Destroy TLS instance */
 extern void TLS_DestroyInstance(TLS_Instance inst);
diff --git a/tls_gnutls.c b/tls_gnutls.c
index bb03cd68..21ec7a4c 100644
--- a/tls_gnutls.c
+++ b/tls_gnutls.c
@@ -42,7 +42,7 @@ struct TLS_Instance_Record {
 gnutls_session_t session;
 int server;
- char *server_name;
+ char *label;
 char *alpn_name;
 };
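Review bot: `label` is forwarded to TLS_CreateInstance() without a NULL check at the changed call, and the matching hunk in tls_gnutls.c (@@ -173) stores it with an unconditional `Strdup(label)`, where the replaced code guarded the old argument with `server_name ? Strdup(server_name) : NULL`. Presumably Strdup() wraps strdup(), so a NULL label would now be undefined behaviour (most likely a crash) before the session exists, and every later log call passes `inst->label` to `%s`. The commit message says both sides always have a string here (server name on the client, client address:port on the server), so the cheapest way to make that contract explicit is next to the existing state check: `assert(label);`. NKSN_StartSession() starts before this hunk and continues past it.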
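Review bot: The declaration in tls.h now takes two adjacent `const char *` parameters, `server_name` and `label`, with different meanings and different NULL rules, and the only documentation is the unchanged one-liner `/* Create new TLS session instance */`. Swapping them at a call site compiles silently, and the commit message is currently the only place saying that `server_name` may be NULL on the server side while `label` is the string used in log messages. I would extend the comment above the prototype to something like `/* Create new TLS session instance. server_name may be NULL (server mode); label identifies the peer in log messages (server name or client address) and must not be NULL. */`, assuming the unconditional Strdup() in tls_gnutls.c is intended. The renamed field in the struct hunk of tls_gnutls.c could carry the same one-line hint, e.g. `/* peer identifier used only in log messages */`.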
@@ -162,7 +162,7 @@ TLS_DestroyCredentials(TLS_Credentials credentials)
 /* ================================================== */
 TLS_Instance
-TLS_CreateInstance(int server_mode, int sock_fd, const char *server_name,
+TLS_CreateInstance(int server_mode, int sock_fd, const char *server_name, const char *label,
 const char *alpn_name, TLS_Credentials credentials, int disable_time_checks)
 {
 gnutls_datum_t alpn;
@@ -173,7 +173,7 @@ TLS_CreateInstance(int server_mode, int sock_fd, const char *server_name,
 inst->session = NULL;
 inst->server = server_mode;
- inst->server_name = server_name ? Strdup(server_name) : NULL;
+ inst->label = Strdup(label);
 inst->alpn_name = alpn_name ? Strdup(alpn_name) : NULL;
 r = gnutls_init(&inst->session, GNUTLS_NONBLOCK | GNUTLS_NO_TICKETS |
@@ -237,8 +237,7 @@ TLS_DestroyInstance(TLS_Instance inst)
 if (inst->session)
 gnutls_deinit(inst->session);
- if (inst->server_name)
- Free(inst->server_name);
+ Free(inst->label);
 if (inst->alpn_name)
 Free(inst->alpn_name);
@@ -280,7 +279,7 @@ TLS_DoHandshake(TLS_Instance inst)
 cert_error.data = NULL;
 LOG(inst->server ? LOGS_DEBUG : LOGS_ERR,
- "TLS handshake with %s failed : %s%s%s", inst->server_name, gnutls_strerror(r),
+ "TLS handshake with %s failed : %s%s%s", inst->label, gnutls_strerror(r),
 cert_error.data ? " " : "", cert_error.data ? (const char *)cert_error.data : "");
 if (cert_error.data)
@@ -299,13 +298,12 @@ TLS_DoHandshake(TLS_Instance inst)
 if (DEBUG) {
 char *description = gnutls_session_get_desc(inst->session);
- DEBUG_LOG("Handshake with %s completed %s", inst->server_name,
- description ? description : "");
+ DEBUG_LOG("Handshake with %s completed %s", inst->label, description ? description : "");
 gnutls_free(description);
 }
 if (!check_alpn(inst)) {
- LOG(inst->server ? LOGS_DEBUG : LOGS_ERR, "NTS-KE not supported by %s", inst->server_name);
+ LOG(inst->server ? LOGS_DEBUG : LOGS_ERR, "NTS-KE not supported by %s", inst->label);
 return TLS_FAILED;
 }
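Review bot: On the server side the failure message at the changed LOG() line in TLS_DoHandshake (@@ -280) is still emitted at LOGS_DEBUG, so the client address:port this commit adds to it is only visible when debug logging is enabled, and nothing in the hunk says whether that is intended. Presumably it is, since a handshake failure can be triggered by any unauthenticated peer and an ERR-level line per attempt would let a remote party fill the log; if so, that reasoning deserves a comment at this first site, e.g. `/* Server-side failures are caused by arbitrary clients: log at DEBUG only to avoid log flooding */`, and the same selector recurs in the check_alpn() branch of @@ -299 and in the TLS_Send()/TLS_Receive() hunks. If it is not intended, a rate-limited higher level would be the alternative to raising it outright. TLS_DoHandshake() starts and ends outside the hunk.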
@@ -327,7 +325,7 @@ TLS_Send(TLS_Instance inst, const void *data, int length, int *sent)
 if (r < 0) {
 if (gnutls_error_is_fatal(r)) {
 LOG(inst->server ? LOGS_DEBUG : LOGS_ERR,
- "Could not send NTS-KE message to %s : %s", inst->server_name, gnutls_strerror(r));
+ "Could not send NTS-KE message to %s : %s", inst->label, gnutls_strerror(r));
 return TLS_FAILED;
 }
@@ -356,8 +354,7 @@ TLS_Receive(TLS_Instance inst, void *data, int length, int *received)
 a protocol error */
 if (gnutls_error_is_fatal(r) || r == GNUTLS_E_REHANDSHAKE) {
 LOG(inst->server ? LOGS_DEBUG : LOGS_ERR,
- "Could not receive NTS-KE message from %s : %s",
- inst->server_name, gnutls_strerror(r));
+ "Could not receive NTS-KE message from %s : %s", inst->label, gnutls_strerror(r));
 return TLS_FAILED;
 }
@@ -386,7 +383,7 @@ TLS_Shutdown(TLS_Instance inst)
 if (r < 0) {
 if (gnutls_error_is_fatal(r)) {
- DEBUG_LOG("Shutdown with %s failed : %s", inst->server_name, gnutls_strerror(r));
+ DEBUG_LOG("Shutdown with %s failed : %s", inst->label, gnutls_strerror(r));
 return TLS_FAILED;
 }