From 90b79af74fad22c021fccbdf7134b1948f1d644c Mon Sep 17 00:00:00 2001 From: Phillip Whelan Date: Mon, 20 Dec 2021 19:43:06 -0300 Subject: [PATCH 1/3] openssl/tls: log handshake error. Signed-off-by: Phillip Whelan --- src/tls/openssl.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/tls/openssl.c b/src/tls/openssl.c index f39a0ce8a34..f350d37855a 100644 --- a/src/tls/openssl.c +++ b/src/tls/openssl.c @@ -69,6 +69,8 @@ static int tls_init(void) OPENSSL_add_all_algorithms_noconf(); SSL_load_error_strings(); SSL_library_init(); +#else + SSL_load_error_strings(); #endif return 0; } @@ -347,6 +349,7 @@ static int tls_net_read(struct flb_upstream_conn *u_conn, void *buf, size_t len) { int ret; + char errbuf[256]; struct tls_session *session = (struct tls_session *) u_conn->tls_session; struct tls_context *ctx; @@ -360,6 +363,8 @@ static int tls_net_read(struct flb_upstream_conn *u_conn, ret = FLB_TLS_WANT_READ; } else if (ret < 0) { + ERR_error_string(ret, errbuf); + flb_error("[tls] error: %s", errbuf); ret = -1; } } @@ -372,6 +377,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, const void *data, size_t len) { int ret; + char errbuf[256]; size_t total = 0; struct tls_session *session = (struct tls_session *) u_conn->tls_session; struct tls_context *ctx; @@ -391,6 +397,8 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, ret = FLB_TLS_WANT_READ; } else { + ERR_error_string(ret, errbuf); + flb_error("[tls] error: %s", errbuf); ret = -1; } } @@ -404,6 +412,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, static int tls_net_handshake(struct flb_tls *tls, void *ptr_session) { int ret = 0; + char errbuf[256]; struct tls_session *session = ptr_session; struct tls_context *ctx; 
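Review bot: The `SSL_load_error_strings();` added under `#else` in tls_init is, on OpenSSL >= 1.1.0, a deprecated alias for an initialisation the library already performs by default, so its main effect is a deprecation warning on 3.0 or `OPENSSL_NO_DEPRECATED` builds; the `#if` it belongs to is above the hunk, so which branch this is has been inferred from the 1.0-style calls in the other arm. If the goal is to guarantee readable strings for the new log lines, the non-deprecated spelling is `OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);`, which also covers libcrypto reasons. A one-line comment such as `/* optional on >= 1.1.0: strings are loaded by default init */` would spare the next reader the lookup.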
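Review bot: In tls_net_read's `else if (ret < 0)` branch, `ERR_error_string(ret, errbuf)` is given the wrong kind of value: by this point `ret` appears to be an SSL_get_error() class (the arm above compares it with SSL_ERROR_WANT_READ; the conversion itself is above the hunk), and those are small non-negative constants, so the text logged is a formatted `error:00000005:lib(0):...` rather than the reason, and `ret < 0` can never be true for such a value. The real reason sits in the thread-local error queue and should be read with `ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf));`; for SSL_ERROR_SYSCALL the queue is usually empty and `strerror(errno)` (saved before flb_error, which may clobber errno) is the useful detail. tls_net_read begins and ends outside the hunk, so the exact flow around `ret` is inferred.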
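Review bot: The same mix-up is in tls_net_write's final `else`: `ERR_error_string(ret, errbuf)` formats what looks like an SSL_get_error() class (it was just compared against SSL_ERROR_WANT_READ) instead of an error-queue code, so the log will read `lib(0):func(0):reason(N)` for every failure and the queued entry with the actual reason is never consumed. Use `ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf));` here, and log `strerror(errno)` when the class is SSL_ERROR_SYSCALL, since that is the case with an empty queue. The SSL_write call that produces `ret` and the function's return are outside the hunk.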
@@ -420,6 +429,15 @@ static int tls_net_handshake(struct flb_tls *tls, void *ptr_session) if (ret != SSL_ERROR_WANT_READ && ret != SSL_ERROR_WANT_WRITE) { ret = SSL_get_error(session->ssl, ret); + // The SSL_ERROR_SYSCALL with errno value of 0 + // indicates unexpected EOF from the peer. + // This is fixed in OpenSSL 3.0. + if (ret == 0) { + flb_error("[tls] error: unexpected EOF"); + } else { + ERR_error_string(ret, errbuf); + flb_error("[tls] error: %s", errbuf); + } pthread_mutex_unlock(&ctx->mutex); return -1; } From be2803b20d8b460c4e4a1eb0bf5cc2fd8a7de8e0 Mon Sep 17 00:00:00 2001 From: Phillip Whelan Date: Tue, 25 Jan 2022 16:56:11 -0300 Subject: [PATCH 2/3] tls: use ERR_error_string_n over ERR_error_string. Signed-off-by: Phillip Whelan --- src/tls/openssl.c | 43 ++++++++++++++++++++----------------------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/src/tls/openssl.c b/src/tls/openssl.c index f2f7fcdae0a..220c74f0542 100644 --- a/src/tls/openssl.c +++ b/src/tls/openssl.c @@ -168,6 +168,7 @@ static void *tls_context_create(int verify, int debug, int ret; SSL_CTX *ssl_ctx; struct tls_context *ctx; + char err_buf[256]; /* * Init library ? based in the documentation on OpenSSL >= 1.1.0 is not longer 
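Review bot: The new `if (ret == 0)` in tls_net_handshake does not implement the check its comment describes: 0 is SSL_ERROR_NONE, while the OpenSSL < 3.0 "unexpected EOF" signature is SSL_ERROR_SYSCALL with an empty error queue and errno 0, and the else arm then formats the class number through `ERR_error_string(ret, ...)`, which expects an ERR_get_error() code, so every other failure prints a meaningless `error:0000000N:lib(0)` string and hides the one thing an operator needs from a failed handshake, typically the certificate-verification reason. Worse, the context line `ret = SSL_get_error(session->ssl, ret)` runs on a value that was just compared with SSL_ERROR_WANT_READ, i.e. apparently already a class; if so, SSL_get_error() on a positive argument returns SSL_ERROR_NONE, which would make `ret == 0` match every fatal handshake and report them all as "unexpected EOF" — pre-existing, but it is what makes the new check look like it works, so it needs confirming against the lines above the hunk. The rewrite below drops that re-conversion, keys on the class, reads the queue for the real reason and reports errno for syscall failures; it assumes errno is intact (SSL_get_error preserves it) and that `<errno.h>`/`<string.h>` are included, which is not visible here. On OpenSSL 3.0 the EOF case surfaces as SSL_ERROR_SSL with an `unexpected eof while reading` queue entry, so the else arm covers it there, which is what the comment's "fixed in 3.0" amounts to.
```c
        /* NOTE(review): ret appears to already be the SSL_get_error() class
         * (see the WANT_READ compare above) — confirm and drop re-conversion */
        if (ret == SSL_ERROR_SYSCALL && errno == 0 && ERR_peek_error() == 0) {
            /* OpenSSL < 3.0 reports a peer EOF without close_notify this way */
            flb_error("[tls] error: unexpected EOF");
        }
        else if (ret == SSL_ERROR_SYSCALL) {
            flb_error("[tls] error: %s", strerror(errno));
        }
        else {
            ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf));
            flb_error("[tls] error: %s", errbuf);
        }
        /* … unchanged: pthread_mutex_unlock and return -1 … */
```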
@@ -214,20 +215,18 @@ static void *tls_context_create(int verify, int debug, if (ca_path) { ret = SSL_CTX_load_verify_locations(ctx->ctx, NULL, ca_path); if (ret != 1) { - flb_error("[tls] ca_path'%s' %lu: %s", - ca_path, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); + flb_error("[tls] ca_path '%s' %lu: %s", + ca_path, ERR_get_error(), err_buf); goto error; } } else if (ca_file) { ret = SSL_CTX_load_verify_locations(ctx->ctx, ca_file, NULL); if (ret != 1) { + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); flb_error("[tls] ca_file '%s' %lu: %s", - ca_file, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + ca_file, ERR_get_error(), err_buf); goto error; } } @@ -238,11 +237,10 @@ static void *tls_context_create(int verify, int debug, /* crt_file */ if (crt_file) { ret = SSL_CTX_use_certificate_chain_file(ssl_ctx, crt_file); - if (ret != 1) { + if (ret != 1) { + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); flb_error("[tls] crt_file '%s' %lu: %s", - crt_file, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + crt_file, ERR_get_error(), err_buf); goto error; } } @@ -256,10 +254,9 @@ static void *tls_context_create(int verify, int debug, ret = SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM); if (ret != 1) { + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); flb_error("[tls] key_file '%s' %lu: %s", - key_file, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + crt_file, ERR_get_error(), err_buf); } /* Make sure the key and certificate file match */ @@ -349,7 +346,7 @@ static int tls_net_read(struct flb_upstream_conn *u_conn, void *buf, size_t len) { int ret; - char errbuf[256]; + char err_buf[256]; struct tls_session *session = (struct tls_session *) u_conn->tls_session; struct tls_context *ctx; 
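Review bot: In the rewritten ca_path and ca_file branches `ERR_get_error()` is still called twice per message: the first call pops the oldest queue entry into err_buf, the second pops the next one (usually 0) for the `%lu`, so the numeric code and the text on one log line describe different errors. Capture it once — `unsigned long err = ERR_get_error();` `ERR_error_string_n(err, err_buf, sizeof(err_buf));` `flb_error("[tls] ca_path '%s' %lu: %s", ca_path, err, err_buf);` — and the same three-line shape applies to the crt_file and key_file hunks below. The `sizeof(err_buf)-1` is not needed: ERR_error_string_n always NUL-terminates within the length it is given. The double pop was already in the removed lines, so this is not a regression, but the rewrite is the moment to fix it.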
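Review bot: The key_file branch now logs the wrong path: the removed line passed `key_file` and the new `flb_error` passes `crt_file`, so a private key that fails to load is reported against the certificate file, which is exactly the wrong hint for an operator debugging why TLS setup fails. It should read `flb_error("[tls] key_file '%s' %lu: %s", key_file, ERR_get_error(), err_buf);`, ideally with the ERR_get_error() value captured once as in the ca_path branch. Note also that this branch, unlike ca_path/ca_file/crt_file, has no `goto error` after the failure; whether the match check announced by the following comment catches a missing key is outside the hunk, so that is pre-existing and only worth confirming.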
@@ -367,8 +364,8 @@ static int tls_net_read(struct flb_upstream_conn *u_conn, ret = FLB_TLS_WANT_WRITE; } else if (ret < 0) { - ERR_error_string(ret, errbuf); - flb_error("[tls] error: %s", errbuf); + ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1); + flb_error("[tls] error: %s", err_buf); } else { ret = -1; @@ -383,7 +380,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, const void *data, size_t len) { int ret; - char errbuf[256]; + char err_buf[256]; size_t total = 0; struct tls_session *session = (struct tls_session *) u_conn->tls_session; struct tls_context *ctx; @@ -404,8 +401,8 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, ret = FLB_TLS_WANT_READ; } else { - ERR_error_string(ret, errbuf); - flb_error("[tls] error: %s", errbuf); + ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1); + flb_error("[tls] error: %s", err_buf); ret = -1; } } @@ -419,7 +416,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, static int tls_net_handshake(struct flb_tls *tls, void *ptr_session) { int ret = 0; - char errbuf[256]; + char err_buf[256]; struct tls_session *session = ptr_session; struct tls_context *ctx; @@ -443,8 +440,8 @@ static int tls_net_handshake(struct flb_tls *tls, void *ptr_session) if (ret == 0) { flb_error("[tls] error: unexpected EOF"); } else { - ERR_error_string(ret, errbuf); - flb_error("[tls] error: %s", errbuf); + ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1); + flb_error("[tls] error: %s", err_buf); } pthread_mutex_unlock(&ctx->mutex); return -1; From 6eb472c40db2042239891e65ffef864deedfba17 Mon Sep 17 00:00:00 2001 From: Phillip Whelan Date: Tue, 25 Jan 2022 16:56:33 -0300 Subject: [PATCH 3/3] tls: reformat multiline comment to align to 80 columns. Signed-off-by: Phillip Whelan --- src/tls/openssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/tls/openssl.c b/src/tls/openssl.c index 220c74f0542..8b7c1fc5fc9 100644 --- a/src/tls/openssl.c +++ b/src/tls/openssl.c 
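Review bot: tls_net_read still feeds `ret` to `ERR_error_string_n(ret, ...)`, and the surrounding compares with FLB_TLS_WANT_WRITE suggest `ret` is an SSL_get_error() class at this point rather than an ERR_get_error() code; the conversion is above the hunk, so this is inferred. A class is never negative, so the `else if (ret < 0)` arm that holds the new logging looks unreachable, while the `else` arm that actually sets `ret = -1` logs nothing. Moving the two lines into that `else` and reading the queue — `ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf));` — gives a real message; `sizeof(err_buf)-1` is unnecessary because ERR_error_string_n NUL-terminates within the given length.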
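Review bot: Same issue in tls_net_write's `else` arm: `ERR_error_string_n(ret, ...)` formats the SSL_get_error() class that was just compared with SSL_ERROR_WANT_READ, so the queue entry holding the real reason is never read and may be left for the next caller to pick up. Replace the first line with `ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf));`, and for SSL_ERROR_SYSCALL, where the queue is typically empty, log `strerror(errno)` captured before flb_error. The SSL_write call that produces `ret` is outside the hunk.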
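Review bot: The `if (ret == 0)` retained as context in tls_net_handshake still tests SSL_ERROR_NONE rather than the SSL_ERROR_SYSCALL/errno==0 case the comment above it describes, and the rewritten else arm formats that class with `ERR_error_string_n(ret, ...)` instead of reading the queue. If `ret` reaches this point already converted (the WANT_READ compare earlier in the function suggests it), a second SSL_get_error() on a positive class yields SSL_ERROR_NONE, which would make `ret == 0` match every fatal handshake and report them all as "unexpected EOF". The two lines should become `if (ret == SSL_ERROR_SYSCALL && errno == 0 && ERR_peek_error() == 0) {` and `ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf));`, with the doubled conversion confirmed against the lines above the hunk.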
@@ -434,9 +434,8 @@ static int tls_net_handshake(struct flb_tls *tls, void *ptr_session) if (ret != SSL_ERROR_WANT_READ && ret != SSL_ERROR_WANT_WRITE) { ret = SSL_get_error(session->ssl, ret); - // The SSL_ERROR_SYSCALL with errno value of 0 - // indicates unexpected EOF from the peer. - // This is fixed in OpenSSL 3.0. + // The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected + // EOF from the peer. This is fixed in OpenSSL 3.0. if (ret == 0) { flb_error("[tls] error: unexpected EOF"); } else {