To convert library error codes to strings in a library agnostic way.
debugs(83, 2, "Error negotiating SSL connection on FD " << fd << ": Aborted by client: " << ssl_error);
} else {
debugs(83, (xerrno == ECONNRESET) ? 1 : 2, "Error negotiating SSL connection on FD " << fd << ": " <<
- (xerrno == 0 ? ERR_error_string(ssl_error, NULL) : xstrerr(xerrno)));
+ (xerrno == 0 ? Security::ErrorString(ssl_error) : xstrerr(xerrno)));
}
return -1;
default:
debugs(83, DBG_IMPORTANT, "Error negotiating SSL connection on FD " <<
- fd << ": " << ERR_error_string(ERR_get_error(), NULL) <<
+ fd << ": " << Security::ErrorString(ERR_get_error()) <<
" (" << ssl_error << "/" << ret << ")");
return -1;
}
assert(ctx);
if (!Ssl::CreateClient(ctx, serverConnection(), "server https start")) {
+ const auto xerrno = errno;
+ const auto ssl_error = ERR_get_error();
ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
- anErr->xerrno = errno;
- debugs(83, DBG_IMPORTANT, "Error allocating TLS handle: " << ERR_error_string(ERR_get_error(), NULL));
+ anErr->xerrno = xerrno;
+ debugs(83, DBG_IMPORTANT, "Error allocating TLS handle: " << Security::ErrorString(ssl_error));
noteNegotiationDone(anErr);
bail(anErr);
return false;
const int fd = serverConnection()->fd;
debugs(83, DBG_IMPORTANT, "Error negotiating SSL on FD " << fd <<
- ": " << ERR_error_string(ssl_lib_error, NULL) << " (" <<
+ ": " << Security::ErrorString(ssl_lib_error) << " (" <<
ssl_error << "/" << ret << "/" << errno << ")");
ErrorState *anErr = NULL;
SSL_CTX *t = SSL_CTX_new(SSLv23_client_method());
#endif
if (!t) {
- const auto x = ERR_error_string(ERR_get_error(), nullptr);
- fatalf("Failed to allocate TLS client context: %s\n", x);
+ const auto x = ERR_get_error();
+ fatalf("Failed to allocate TLS client context: %s\n", Security::ErrorString(x));
}
ctx.resetWithoutLocking(t);
// Initialize for X.509 certificate exchange
gnutls_certificate_credentials_t t;
if (const int x = gnutls_certificate_allocate_credentials(&t)) {
- fatalf("Failed to allocate TLS client context: error=%d\n", x);
+ fatalf("Failed to allocate TLS client context: %s\n", Security::ErrorString(x));
}
ctx.resetWithoutLocking(t);
{
#if USE_OPENSSL
if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
- return ERR_error_string(ERR_get_error(), nullptr);
+ return Security::ErrorString(ERR_get_error());
#elif USE_GNUTLS
auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
if (x < 0)
- return gnutls_strerror(x);
+ return Security::ErrorString(x);
#endif
return nullptr;
for (auto i : caFiles) {
#if USE_OPENSSL
if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), path)) {
- const int ssl_error = ERR_get_error();
- debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL));
+ const auto x = ERR_get_error();
+ debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
+ i << ": " << Security::ErrorString(x));
}
#elif USE_GNUTLS
- if (gnutls_certificate_set_x509_trust_file(ctx.get(), i.c_str(), GNUTLS_X509_FMT_PEM) < 0) {
- debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location: " << i);
+ const auto x = gnutls_certificate_set_x509_trust_file(ctx.get(), i.c_str(), GNUTLS_X509_FMT_PEM);
+ if (x < 0) {
+ debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
+ i << ": " << Security::ErrorString(x));
}
#endif
}
SSL_CTX *t = SSL_CTX_new(SSLv23_server_method());
#endif
if (!t) {
- const auto x = ERR_error_string(ERR_get_error(), nullptr);
- debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << x);
+ const auto x = ERR_get_error();
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x));
}
ctx.resetWithoutLocking(t);
// Initialize for X.509 certificate exchange
gnutls_certificate_credentials_t t;
if (const int x = gnutls_certificate_allocate_credentials(&t)) {
- debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: error=" << x);
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x));
}
ctx.resetWithoutLocking(t);
auto ecdh = EC_KEY_new_by_curve_name(nid);
if (!ecdh) {
- auto ssl_error = ERR_get_error();
- debugs(83, DBG_CRITICAL, "ERROR: Unable to configure Ephemeral ECDH: " << ERR_error_string(ssl_error, NULL));
+ const auto x = ERR_get_error();
+ debugs(83, DBG_CRITICAL, "ERROR: Unable to configure Ephemeral ECDH: " << Security::ErrorString(x));
return;
}
if (!SSL_CTX_set_tmp_ecdh(ctx.get(), ecdh)) {
- auto ssl_error = ERR_get_error();
- debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << ERR_error_string(ssl_error, NULL));
+ const auto x = ERR_get_error();
+ debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(x));
}
EC_KEY_free(ecdh);
gnutls_datum_t *tmp = nullptr;
const auto x = gnutls_session_get_data2(s.get(), tmp);
if (x != GNUTLS_E_SUCCESS) {
- debugs(83, 3, "session=" << (void*)s.get() << " error: " << gnutls_strerror(x));
+ debugs(83, 3, "session=" << (void*)s.get() << " error: " << Security::ErrorString(x));
}
data.reset(tmp);
#endif
if (!SSL_set_session(s.get(), data.get())) {
const auto ssl_error = ERR_get_error();
debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
- " resume error: " << ERR_error_string(ssl_error, nullptr));
+ " resume error: " << Security::ErrorString(ssl_error));
}
#elif USE_GNUTLS
const auto x = gnutls_session_set_data(s.get(), data->data, data->size);
if (x != GNUTLS_E_SUCCESS) {
debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
- " resume error: " << gnutls_strerror(x));
+ " resume error: " << Security::ErrorString(x));
}
#else
// critical because, how did it get here?
#include "security/Context.h"
#include "security/Session.h"
-#if USE_GNUTLS
-#if HAVE_GNUTLS_X509_H
+#if USE_GNUTLS && HAVE_GNUTLS_X509_H
#include <gnutls/x509.h>
#endif
-#endif
#include <list>
+#if USE_OPENSSL && HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
#include <unordered_set>
#if USE_OPENSSL
/// Squid defined error code (<0), an error code returned by X.509 API, or SSL_ERROR_NONE
typedef int ErrorCode;
+inline const char *ErrorString(const ErrorCode code) {
+#if USE_OPENSSL
+ return ERR_error_string(code, nullptr);
+#elif USE_GNUTLS
+ return gnutls_strerror(code);
+#else
+ return "[no TLS library]";
+#endif
+}
+
/// set of Squid defined TLS error codes
/// \note using std::unordered_set ensures values are unique, with fast lookup
typedef std::unordered_set<Security::ErrorCode> Errors;
if (errReason.size() > 0)
return errReason.termedBuf();
else if (lib_error_no != SSL_ERROR_NONE)
- return ERR_error_string(lib_error_no, NULL);
+ return Security::ErrorString(lib_error_no);
else
return "[No Error]";
}
* Error meta information:
* %err_name: The name of a high-level SSL error (e.g., X509_V_ERR_*)
* %ssl_error_descr: A short description of the SSL error
- * %ssl_lib_error: human-readable low-level error string by ERR_error_string(3SSL)
+ * %ssl_lib_error: human-readable low-level error string by Security::ErrorString()
*
* Certificate information extracted from broken (not necessarily peer!) cert
* %ssl_cn: The comma-separated list of common and alternate names
(srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) {
Security::CertPointer serverCert(SSL_get_peer_certificate(session.get()));
if (serverCert) {
- debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
+ debugs(81, 3, "Error (" << Security::ErrorString(ssl_lib_error) << ") but, hold write on SSL connection on FD " << fd);
checkForPeekAndSplice();
return;
}
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
const int ssl_error = ERR_get_error();
- fatalf("Failed to initialise SSL engine: %s\n", ERR_error_string(ssl_error, NULL));
+ fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error));
}
}
#else
if (!SSL_CTX_set_cipher_list(ctx.get(), port.secure.sslCipher.c_str())) {
ssl_error = ERR_get_error();
- debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << port.secure.sslCipher << "': " << ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << port.secure.sslCipher << "': " << Security::ErrorString(ssl_error));
return false;
}
}
SSL_CTX_set_client_CA_list(ctx.get(), clientca);
} else {
ssl_error = ERR_get_error();
- debugs(83, DBG_CRITICAL, "ERROR: Failed to dupe the client CA list: " << ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to dupe the client CA list: " << Security::ErrorString(ssl_error));
return false;
}
if (!SSL_CTX_use_certificate(ctx.get(), port.signingCert.get())) {
const int ssl_error = ERR_get_error();
const auto &keys = port.secure.certs.front();
- debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS certificate '" << keys.certFile << "': " << ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS certificate '" << keys.certFile << "': " << Security::ErrorString(ssl_error));
return false;
}
if (!SSL_CTX_use_PrivateKey(ctx.get(), port.signPkey.get())) {
const int ssl_error = ERR_get_error();
const auto &keys = port.secure.certs.front();
- debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS private key '" << keys.privateKeyFile << "': " << ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS private key '" << keys.privateKeyFile << "': " << Security::ErrorString(ssl_error));
return false;
}
if (!SSL_CTX_use_certificate_chain_file(ctx.get(), certfile)) {
ssl_error = ERR_get_error();
- debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << Security::ErrorString(ssl_error));
return false;
}
if (!SSL_CTX_use_PrivateKey_file(ctx.get(), keyfile, SSL_FILETYPE_PEM)) {
ssl_error = ERR_get_error();
- debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << Security::ErrorString(ssl_error));
return false;
}
if (!SSL_CTX_check_private_key(ctx.get())) {
ssl_error = ERR_get_error();
debugs(83, DBG_CRITICAL, "ERROR: SSL private key '" << certfile << "' does not match public key '" <<
- keyfile << "': " << ERR_error_string(ssl_error, NULL));
+ keyfile << "': " << Security::ErrorString(ssl_error));
return false;
}
*/
if (!SSL_CTX_set_cipher_list(ctx.get(), cipher)) {
const int ssl_error = ERR_get_error();
fatalf("Failed to set SSL cipher suite '%s': %s\n",
- cipher, ERR_error_string(ssl_error, NULL));
+ cipher, Security::ErrorString(ssl_error));
}
}
if (!SSL_CTX_use_certificate_chain_file(ctx.get(), certfile)) {
const int ssl_error = ERR_get_error();
fatalf("Failed to acquire SSL certificate '%s': %s\n",
- certfile, ERR_error_string(ssl_error, NULL));
+ certfile, Security::ErrorString(ssl_error));
}
debugs(83, DBG_IMPORTANT, "Using private key in " << keys.privateKeyFile);
if (!SSL_CTX_use_PrivateKey_file(ctx.get(), keyfile, SSL_FILETYPE_PEM)) {
const int ssl_error = ERR_get_error();
fatalf("Failed to acquire SSL private key '%s': %s\n",
- keyfile, ERR_error_string(ssl_error, NULL));
+ keyfile, Security::ErrorString(ssl_error));
}
debugs(83, 5, "Comparing private and public SSL keys.");
if (!SSL_CTX_check_private_key(ctx.get())) {
const int ssl_error = ERR_get_error();
fatalf("SSL private key '%s' does not match public key '%s': %s\n",
- certfile, keyfile, ERR_error_string(ssl_error, NULL));
+ certfile, keyfile, Security::ErrorString(ssl_error));
}
}
}
X509_up_ref(signingCert);
} else {
const int ssl_error = ERR_get_error();
- debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << Security::ErrorString(ssl_error));
}
Ssl::addChainToSslContext(ctx, port.certsToChain.get());
}
if (!SSL_set_tlsext_host_name(ssl, fqdn)) {
const int ssl_error = ERR_get_error();
debugs(83, 3, "WARNING: unable to set TLS servername extension (SNI): " <<
- ERR_error_string(ssl_error, NULL) << "\n");
+ Security::ErrorString(ssl_error) << "\n");
return false;
}
return true;
X509_up_ref(cert);
} else {
const int ssl_error = ERR_get_error();
- debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+ debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << Security::ErrorString(ssl_error));
}
}
}
}
debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction <<
- ": " << ERR_error_string(errCode, NULL));
+ ": " << Security::ErrorString(errCode));
return false;
}