From 680fd3f8fb7157432398a3552ee9c98c72bd7397 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Fri, 29 Mar 2019 13:38:14 -0400
Subject: [PATCH] NSS: Log an error message when SSL_ExportKeyingMaterial() fails

Diagnostic for 29241.
---
 changes/29241_diagnostic | 4 ++++
 src/lib/tls/tortls_nss.c | 8 ++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 changes/29241_diagnostic

diff --git a/changes/29241_diagnostic b/changes/29241_diagnostic
new file mode 100644
index 0000000000..1e38654957
--- /dev/null
+++ b/changes/29241_diagnostic
@@ -0,0 +1,4 @@
+ o Minor features (NSS, diagnostic):
+ - Try to log an error from NSS (if there is any) and a more useful
+ description of our situation if we are using NSS and a call to
+ SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
index 00c4af0e97..4e107fae7b 100644
--- a/src/lib/tls/tortls_nss.c
+++ b/src/lib/tls/tortls_nss.c
@@ -726,10 +726,18 @@ tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
 tor_assert(context_len <= UINT_MAX);
 SECStatus s;
+ /* Make sure that the error code is set here, so that we can be sure that
+ * any error code set after a failure was in fact caused by
+ * SSL_ExportKeyingMaterial. */
+ PR_SetError(PR_UNKNOWN_ERROR, 0);
 s = SSL_ExportKeyingMaterial(tls->ssl, label, (unsigned)strlen(label), PR_TRUE, context, (unsigned)context_len, secrets_out, DIGEST256_LEN);
+ if (s != SECSuccess) {
+ tls_log_errors(tls, LOG_WARN, LD_CRYPTO,
+ "exporting key material for a TLS handshake");
+ }
 return (s == SECSuccess) ? 0 : -1;
 }
-- 
2.11.4.GIT
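Review bot: The new `if (s != SECSuccess)` branch in tortls_nss.c logs the failure but leaves `secrets_out` in whatever state NSS left it, which may be unwritten or only partly written; nothing in the hunk shows whether every caller checks the -1 return before using the buffer. Because this buffer is meant to hold exported TLS key material, the failure path is a natural place to make the output deterministic, for example `memset(secrets_out, 0, DIGEST256_LEN);` right after the `tls_log_errors()` call, so a caller that misses the return value never consumes uninitialised memory. The comment above `PR_SetError(PR_UNKNOWN_ERROR, 0)` would also read more accurately as "reset the error code to a known value", and could add that a logged PR_UNKNOWN_ERROR then means NSS failed without reporting a cause. The function's signature and its earlier argument checks begin outside the hunk, so this is based only on the visible lines.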