This means the TLS library functions can integrate better with the different logging facilities, allowing us (for example) to print chain errors in the context of a conf item.
prf_label->context,
prf_label->context_len,
prf_label->use_context) != 1) {
- fr_tls_log_error(request, "Failed generating MPPE keys");
+ fr_tls_log(request, "Failed generating MPPE keys");
return -1;
}
prf_label->context,
prf_label->context_len,
prf_label->use_context) != 1) {
- fr_tls_log_error(request, "Failed generating TLS session ID");
+ fr_tls_log(request, "Failed generating TLS session ID");
return -1;
}
}
(*checkcode)->md_ctx = EVP_MD_CTX_create();
if (!(*checkcode)->md_ctx) {
- fr_tls_log_strerror_printf("Failed creating MD ctx");
+ fr_tls_strerror_printf("Failed creating MD ctx");
error:
TALLOC_FREE(*checkcode);
return -1;
}
if (EVP_DigestInit_ex((*checkcode)->md_ctx, md, NULL) != 1) {
- fr_tls_log_strerror_printf("Failed intialising MD ctx");
+ fr_tls_strerror_printf("Failed intialising MD ctx");
goto error;
}
* Digest the header
*/
if (EVP_DigestUpdate(checkcode->md_ctx, &eap_hdr, sizeof(eap_hdr)) != 1) {
- fr_tls_log_strerror_printf("Failed digesting EAP header");
+ fr_tls_strerror_printf("Failed digesting EAP header");
return -1;
}
* Digest the packet
*/
if (EVP_DigestUpdate(checkcode->md_ctx, eap_packet->type.data, eap_packet->type.length) != 1) {
- fr_tls_log_strerror_printf("Failed digesting packet data");
+ fr_tls_strerror_printf("Failed digesting packet data");
return -1;
}
len = (size_t)EVP_MD_CTX_size((*checkcode).md_ctx);
MEM(buff = talloc_array(ctx, uint8_t, len));
if (EVP_DigestFinal_ex((*checkcode).md_ctx, buff, NULL) != 1) {
- fr_tls_log_strerror_printf("Failed finalising checkcode digest");
+ fr_tls_strerror_printf("Failed finalising checkcode digest");
return -1;
}
*out = buff;
FR_PROTO_HEX_DUMP(key, key_len, "MAC key");
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
if (!pkey) {
- fr_tls_log_strerror_printf("Failed creating HMAC signing key");
+ fr_tls_strerror_printf("Failed creating HMAC signing key");
error:
if (pkey) EVP_PKEY_free(pkey);
if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
md_ctx = EVP_MD_CTX_create();
if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating HMAC ctx");
+ fr_tls_strerror_printf("Failed creating HMAC ctx");
goto error;
}
if (EVP_DigestSignInit(md_ctx, NULL, md, NULL, pkey) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
goto error;
}
FR_PROTO_HEX_DUMP((uint8_t *)&eap_hdr, sizeof(eap_hdr), "MAC digest input (eap header)");
if (EVP_DigestSignUpdate(md_ctx, &eap_hdr, sizeof(eap_hdr)) != 1) {
- fr_tls_log_strerror_printf("Failed digesting EAP data");
+ fr_tls_strerror_printf("Failed digesting EAP data");
goto error;
}
* AT_MAC header and reserved bytes.
*/
if (EVP_DigestSignUpdate(md_ctx, p, mac - p) != 1) {
- fr_tls_log_strerror_printf("Failed digesting packet data (before MAC)");
+ fr_tls_strerror_printf("Failed digesting packet data (before MAC)");
goto error;
}
p += mac - p;
* simulated the zeroed out Mac.
*/
if (EVP_DigestSignUpdate(md_ctx, zero, sizeof(zero)) != 1) {
- fr_tls_log_strerror_printf("Failed digesting zeroed MAC");
+ fr_tls_strerror_printf("Failed digesting zeroed MAC");
goto error;
}
p += sizeof(zero);
* Digest the rest of the packet.
*/
if (EVP_DigestSignUpdate(md_ctx, p, end - p) != 1) {
- fr_tls_log_strerror_printf("Failed digesting packet data");
+ fr_tls_strerror_printf("Failed digesting packet data");
goto error;
}
}
if (hmac_extra) {
FR_PROTO_HEX_DUMP(hmac_extra, hmac_extra_len, "MAC digest input (extra)");
if (EVP_DigestSignUpdate(md_ctx, hmac_extra, hmac_extra_len) != 1) {
- fr_tls_log_strerror_printf("Failed digesting HMAC extra data");
+ fr_tls_strerror_printf("Failed digesting HMAC extra data");
goto error;
}
}
if (EVP_DigestSignFinal(md_ctx, digest, &digest_len) != 1) {
- fr_tls_log_strerror_printf("Failed finalising digest");
+ fr_tls_strerror_printf("Failed finalising digest");
goto error;
}
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, k, sizeof(k));
if (!pkey) {
- fr_tls_log_strerror_printf("Failed creating HMAC signing key");
+ fr_tls_strerror_printf("Failed creating HMAC signing key");
error:
if (pkey) EVP_PKEY_free(pkey);
if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
md_ctx = EVP_MD_CTX_create();
if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating HMAC ctx");
+ fr_tls_strerror_printf("Failed creating HMAC ctx");
goto error;
}
if (EVP_DigestSignInit(md_ctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
goto error;
}
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
if (!pkey) {
- fr_tls_log_strerror_printf("Failed creating HMAC signing key");
+ fr_tls_strerror_printf("Failed creating HMAC signing key");
error:
if (pkey) EVP_PKEY_free(pkey);
if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
md_ctx = EVP_MD_CTX_create();
if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating HMAC ctx");
+ fr_tls_strerror_printf("Failed creating HMAC ctx");
goto error;
}
if (EVP_DigestSignInit(md_ctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
goto error;
}
*/
md_ctx = EVP_MD_CTX_create();
if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating MD ctx");
+ fr_tls_strerror_printf("Failed creating MD ctx");
error:
EVP_MD_CTX_destroy(md_ctx);
return -1;
}
if (EVP_DigestInit_ex(md_ctx, EVP_sha1(), NULL) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
goto error;
}
if (EVP_DigestUpdate(md_ctx, buf, p - buf) != 1) {
- fr_tls_log_strerror_printf("Failed digesting crypto data");
+ fr_tls_strerror_printf("Failed digesting crypto data");
goto error;
}
if (EVP_DigestFinal_ex(md_ctx, keys->reauth.xkey_prime, &len) != 1) {
- fr_tls_log_strerror_printf("Failed finalising digest");
+ fr_tls_strerror_printf("Failed finalising digest");
goto error;
}
evp_ctx = aka_sim_crypto_cipher_ctx();
if (!EVP_DecryptInit_ex(evp_ctx, evp_cipher, NULL, packet_ctx->k_encr, packet_ctx->iv)) {
- fr_tls_log_strerror_printf("%s: Failed setting decryption parameters", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed setting decryption parameters", __FUNCTION__);
error:
talloc_free(decr);
return -1;
*/
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (!EVP_DecryptUpdate(evp_ctx, decr, (int *)&len, data, attr_len)) {
- fr_tls_log_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
goto error;
}
decr_len = len;
if (!EVP_DecryptFinal_ex(evp_ctx, decr + decr_len, (int *)&len)) {
- fr_tls_log_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
goto error;
}
decr_len += len;
evp_ctx = aka_sim_crypto_cipher_ctx();
if (unlikely(EVP_EncryptInit_ex(evp_ctx, evp_cipher, NULL,
packet_ctx->k_encr, packet_ctx->iv) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
error:
talloc_free(encr);
return PAIR_ENCODE_FATAL_ERROR;
*/
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (unlikely(EVP_EncryptUpdate(evp_ctx, encr, (int *)&len, fr_dbuff_start(&work_dbuff), total_len) != 1)) {
- fr_tls_log_strerror_printf("%s: Failed encrypting attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed encrypting attribute", __FUNCTION__);
goto error;
}
encr_len = len;
if (unlikely(EVP_EncryptFinal_ex(evp_ctx, encr + encr_len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("%s: Failed finalising encrypted attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed finalising encrypted attribute", __FUNCTION__);
goto error;
}
encr_len += len;
*/
evp_ctx = aka_sim_crypto_cipher_ctx();
if (unlikely(EVP_EncryptInit_ex(evp_ctx, EVP_aes_128_ecb(), NULL, key, NULL) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
error:
return -1;
}
*/
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (unlikely(EVP_EncryptUpdate(evp_ctx, encr, (int *)&len, padded, sizeof(padded)) != 1)) {
- fr_tls_log_strerror_printf("Failed encrypting padded IMSI");
+ fr_tls_strerror_printf("Failed encrypting padded IMSI");
goto error;
}
encr_len = len;
if (unlikely(EVP_EncryptFinal_ex(evp_ctx, encr + len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("Failed finalising encrypted IMSI");
+ fr_tls_strerror_printf("Failed finalising encrypted IMSI");
goto error;
}
encr_len += len;
evp_ctx = aka_sim_crypto_cipher_ctx();
if (unlikely(EVP_DecryptInit_ex(evp_ctx, EVP_aes_128_ecb(), NULL, key, NULL) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
error:
return -1;
}
*/
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (unlikely(EVP_DecryptUpdate(evp_ctx, decr, (int *)&len, dec, sizeof(dec)) != 1)) {
- fr_tls_log_strerror_printf("Failed decypting IMSI");
+ fr_tls_strerror_printf("Failed decypting IMSI");
goto error;
}
decr_len = len;
if (unlikely(EVP_DecryptFinal_ex(evp_ctx, decr + len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("Failed finalising decypted IMSI");
+ fr_tls_strerror_printf("Failed finalising decypted IMSI");
goto error;
}
decr_len += len;
size_t len = 0;
if (unlikely(EVP_EncryptInit_ex(evp_ctx, EVP_aes_128_ecb(), NULL, key, NULL) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
return -1;
}
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (unlikely(EVP_EncryptUpdate(evp_ctx, out, (int *)&len, in, 16) != 1) ||
unlikely(EVP_EncryptFinal_ex(evp_ctx, out + len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("Failed encrypting data");
+ fr_tls_strerror_printf("Failed encrypting data");
return -1;
}
evp_ctx = EVP_CIPHER_CTX_new();
if (!evp_ctx) {
- fr_tls_log_strerror_printf("Failed allocating EVP context");
+ fr_tls_strerror_printf("Failed allocating EVP context");
return -1;
}
evp_ctx = EVP_CIPHER_CTX_new();
if (!evp_ctx) {
- fr_tls_log_strerror_printf("Failed allocating EVP context");
+ fr_tls_strerror_printf("Failed allocating EVP context");
return -1;
}
evp_ctx = EVP_CIPHER_CTX_new();
if (!evp_ctx) {
- fr_tls_log_strerror_printf("Failed allocating EVP context");
+ fr_tls_strerror_printf("Failed allocating EVP context");
return -1;
}
ret = aes_128_encrypt_block(evp_ctx, ki, op, tmp);
bool *init = talloc_zero(NULL, bool);
if (ASYNC_init_thread(async_pool_size_max, async_pool_size_init) != 1) {
- fr_tls_log_error(NULL, "Failed initialising OpenSSL async context pool");
+ fr_tls_log(NULL, "Failed initialising OpenSSL async context pool");
return -1;
}
static void _openssl_provider_free(void)
{
if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
- fr_tls_log_error(NULL, "Failed unloading default provider");
+ fr_tls_log(NULL, "Failed unloading default provider");
}
openssl_default_provider = NULL;
if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
- fr_tls_log_error(NULL, "Failed unloading legacy provider");
+ fr_tls_log(NULL, "Failed unloading legacy provider");
}
openssl_legacy_provider = NULL;
}
* by OpenSSL.
*/
if (CRYPTO_set_mem_functions(fr_openssl_talloc, fr_openssl_talloc_realloc, fr_openssl_talloc_free) != 1) {
- fr_tls_log_error(NULL, "Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
+ fr_tls_log(NULL, "Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
return -1;
}
* the contexts have been cleaned up.
*/
if (OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT | OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
- fr_tls_log_error(NULL, "Failed calling OPENSSL_init_crypto()");
+ fr_tls_log(NULL, "Failed calling OPENSSL_init_crypto()");
return -1;
}
*/
openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
if (!openssl_default_provider) {
- fr_tls_log_error(NULL, "Failed loading default provider");
+ fr_tls_log(NULL, "Failed loading default provider");
return -1;
}
*/
openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
if (!openssl_legacy_provider) {
- fr_tls_log_error(NULL, "Failed loading legacy provider");
+ fr_tls_log(NULL, "Failed loading legacy provider");
return -1;
}
#endif
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
- fr_tls_log_error(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+ fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
return -1;
}
#else
if (!FIPS_mode_set(enabled ? 1 : 0)) {
- fr_tls_log_error(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+ fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
return -1;
}
#endif
if (ret != 1) {
SESSION_ID(sess_id, sess);
- fr_tls_log_error(request, "Session ID %pV - Failed setting application data", &sess_id);
+ fr_tls_log(request, "Session ID %pV - Failed setting application data", &sess_id);
return -1;
}
if (SSL_SESSION_get0_ticket_appdata(sess, (void **)&data, &data_len) != 1) {
SESSION_ID(sess_id, sess);
- fr_tls_log_error(request, "Session ID %pV - Failed retrieving application data", &sess_id);
+ fr_tls_log(request, "Session ID %pV - Failed retrieving application data", &sess_id);
return -1;
}
sess = d2i_SSL_SESSION(NULL, p, vp->vp_length);
if (!sess) {
- fr_tls_log_error(request, "Failed loading persisted session");
+ fr_tls_log(request, "Failed loading persisted session");
goto error;
}
fr_tls_cache_id_to_box_shallow(&id, sess);
/* something went wrong */
- fr_tls_log_strerror_printf(NULL); /* Drain the OpenSSL error stack */
+ fr_tls_strerror_printf(NULL); /* Drain the OpenSSL error stack */
RPWDEBUG("Session ID %pV - Serialisation failed, couldn't determine "
"required buffer length", &id);
error:
fr_value_box_t id;
fr_tls_cache_id_to_box_shallow(&id, sess);
- fr_tls_log_strerror_printf(NULL); /* Drain the OpenSSL error stack */
+ fr_tls_strerror_printf(NULL); /* Drain the OpenSSL error stack */
RPWDEBUG("Session ID %pV - Serialisation failed", &id);
talloc_free(data);
goto error;
key_len = SSL_CTX_set_tlsext_ticket_keys(ctx, NULL, 0);
if (unlikely((pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed initialising KDF");
kdf_error:
if (pkey_ctx) EVP_PKEY_CTX_free(pkey_ctx);
return -1;
}
if (unlikely(EVP_PKEY_derive_init(pkey_ctx) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed initialising KDF derivation ctx");
goto kdf_error;
}
if (unlikely(EVP_PKEY_CTX_set_hkdf_md(pkey_ctx, UNCONST(struct evp_md_st *, EVP_sha256())) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed setting KDF MD");
goto kdf_error;
}
if (unlikely(EVP_PKEY_CTX_set1_hkdf_key(pkey_ctx,
UNCONST(unsigned char *, cache_conf->session_ticket_key),
talloc_array_length(cache_conf->session_ticket_key)) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed setting KDF key");
goto kdf_error;
}
if (unlikely(EVP_PKEY_CTX_add1_hkdf_info(pkey_ctx,
UNCONST(unsigned char *, "freeradius-session-ticket"),
sizeof("freeradius-session-ticket") - 1) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed setting KDF label");
goto kdf_error;
}
*/
MEM(key_buff = talloc_array(NULL, uint8_t, key_len));
if (EVP_PKEY_derive(pkey_ctx, key_buff, &key_len) != 1) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed deriving session ticket key");
talloc_free(key_buff);
*/
if (SSL_CTX_set_tlsext_ticket_keys(ctx,
key_buff, key_len) != 1) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed setting session ticket keys");
return -1;
}
tls_cache_session_ticket_app_data_set,
tls_cache_session_ticket_app_data_get,
UNCONST(fr_tls_cache_conf_t *, cache_conf)) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed setting session ticket callbacks");
return -1;
}
/* Load the CAs we trust */
if (conf->ca_file || conf->ca_path)
if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
- fr_tls_log_error(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
+ fr_tls_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
X509_STORE_free(store);
return NULL;
}
}
if (!SSL_CTX_get0_chain_certs(ctx, &chain)) {
- fr_tls_log_error(NULL, "Failed retrieving chain certificates");
+ fr_tls_log(NULL, "Failed retrieving chain certificates");
return -1;
}
switch (fr_tls_cert_is_valid(NULL, ¬_after, to_verify)) {
case -1:
- fr_tls_log_certificate_chain_marker(NULL, L_ERR, chain, leaf, to_verify);
+ fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
PERROR("Malformed certificate");
return -1;
case -3:
switch (verify_mode) {
case FR_TLS_CHAIN_VERIFY_SOFT:
- fr_tls_log_certificate_chain_marker(NULL, L_WARN, chain, leaf, to_verify);
+ fr_tls_chain_marker_log(NULL, L_WARN, chain, leaf, to_verify);
PWARN("Certificate validation failed");
break;
case FR_TLS_CHAIN_VERIFY_HARD:
- fr_tls_log_certificate_chain_marker(NULL, L_ERR, chain, leaf, to_verify);
+ fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
PERROR("Certificate validation failed");
return -1;
case FR_TLS_CHAIN_VERIFY_SOFT:
WARN("Found multiple self-signed certificates in chain");
WARN("First certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_WARN,
+ fr_tls_chain_marker_log(NULL, L_WARN,
chain, leaf, *self_signed);
WARN("Second certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_WARN,
+ fr_tls_chain_marker_log(NULL, L_WARN,
chain, leaf, to_verify);
break;
case FR_TLS_CHAIN_VERIFY_HARD:
ERROR("Found multiple self-signed certificates in chain");
ERROR("First certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_ERR,
+ fr_tls_chain_marker_log(NULL, L_ERR,
chain, leaf, *self_signed);
ERROR("Second certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_ERR,
+ fr_tls_chain_marker_log(NULL, L_ERR,
chain, leaf, to_verify);
return -1;
switch (chain->file_format) {
case SSL_FILETYPE_PEM:
if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
- fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
+ fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
chain->certificate_file);
return -1;
}
case SSL_FILETYPE_ASN1:
if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
- fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
+ fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
chain->certificate_file);
return -1;
}
}
if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
- fr_tls_log_error(NULL, "Failed reading private key file \"%s\"",
+ fr_tls_log(NULL, "Failed reading private key file \"%s\"",
chain->private_key_file);
return -1;
}
fclose(fp);
if (!cert) {
- fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"", filename);
+ fr_tls_log(NULL, "Failed reading certificate file \"%s\"", filename);
return -1;
}
SSL_CTX_add0_chain_cert(ctx, cert);
chain->verify_mode) < 0) return -1;
if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
- fr_tls_log_error(NULL, "Failed retrieving chain certificates");
+ fr_tls_log(NULL, "Failed retrieving chain certificates");
return -1;
}
*/
case FR_TLS_CHAIN_VERIFY_SOFT:
if (!SSL_CTX_build_cert_chain(ctx, mode)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PWARN("Failed verifying chain");
}
break;
case FR_TLS_CHAIN_VERIFY_HARD:
if (!SSL_CTX_build_cert_chain(ctx, mode)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("Failed verifying chain");
return -1;
}
}
if (!SSL_CTX_set_max_proto_version(ctx, max_version)) {
- fr_tls_log_error(NULL, "Failed setting TLS maximum version");
+ fr_tls_log(NULL, "Failed setting TLS maximum version");
goto error;
}
}
}
if (!SSL_CTX_set_min_proto_version(ctx, min_version)) {
- fr_tls_log_error(NULL, "Failed setting TLS minimum version");
+ fr_tls_log(NULL, "Failed setting TLS minimum version");
goto error;
}
}
ctx = SSL_CTX_new(SSLv23_method());
if (!ctx) {
- fr_tls_log_error(NULL, "Failed creating TLS context");
+ fr_tls_log(NULL, "Failed creating TLS context");
return NULL;
}
* It's also possible to add extra virtual server lookups
*/
if (!X509_STORE_load_locations(verify_store, conf->ca_file, conf->ca_path)) {
- fr_tls_log_error(NULL, "Failed reading Trusted root CA list \"%s\"",
+ fr_tls_log(NULL, "Failed reading Trusted root CA list \"%s\"",
conf->ca_file);
goto error;
}
*/
DEBUG3("%s chain", fr_tls_utils_x509_pkey_type(our_cert));
if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
- fr_tls_log_error(NULL, "Failed retrieving chain certificates");
+ fr_tls_log(NULL, "Failed retrieving chain certificates");
goto error;
}
- if (DEBUG_ENABLED3) fr_tls_log_certificate_chain(NULL, L_DBG, our_chain, our_cert);
+ if (DEBUG_ENABLED3) fr_tls_chain_log(NULL, L_DBG, our_chain, our_cert);
}
(void)SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); /* Reset */
}
if (conf->verify.check_crl) {
cert_vpstore = SSL_CTX_get_cert_store(ctx);
if (cert_vpstore == NULL) {
- fr_tls_log_error(NULL, "Error reading Certificate Store");
+ fr_tls_log(NULL, "Error reading Certificate Store");
goto error;
}
X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
*/
if (conf->cipher_list) {
if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
- fr_tls_log_error(NULL, "Failed setting cipher list");
+ fr_tls_log(NULL, "Failed setting cipher list");
goto error;
}
}
ssl = SSL_new(ctx);
if (!ssl) {
- fr_tls_log_error(NULL, "Failed creating temporary SSL session");
+ fr_tls_log(NULL, "Failed creating temporary SSL session");
goto error;
}
* so someone will investigate.
*/
if (unlikely(ENGINE_finish(our_e->e) != 1)) {
- fr_tls_log_error(NULL, "de-init on engine %s failed", our_e->id);
+ fr_tls_log(NULL, "de-init on engine %s failed", our_e->id);
return -1;
}
if (unlikely(ENGINE_free(our_e->e) != 1)) {
- fr_tls_log_error(NULL, "free on engine %s failed", our_e->id);
+ fr_tls_log(NULL, "free on engine %s failed", our_e->id);
return -1;
}
* success or 0 on error.
*/
if (ret != 1) {
- fr_tls_log_strerror_printf("control %s failed (%i)", ctrl->name, ret);
+ fr_tls_strerror_printf("control %s failed (%i)", ctrl->name, ret);
goto error;
}
}
if (unlikely(ENGINE_init(e) != 1)) {
- fr_tls_log_strerror_printf("failed initialising engine %s", id);
+ fr_tls_strerror_printf("failed initialising engine %s", id);
goto error;
}
*/
static _Thread_local fr_tls_log_bio_t *global_log_bio;
-static void _tls_ctx_print_cert_line(char const *file, int line,
- request_t *request, fr_log_type_t log_type, int idx, X509 *cert)
+static void _tls_cert_line_push(char const *file, int line, int idx, X509 *cert)
{
char subject[1024];
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
subject[sizeof(subject) - 1] = '\0';
- if (request) {
- log_request(log_type, fr_debug_lvl, request, file, line,
- "[%i] %s %s", idx, fr_tls_utils_x509_pkey_type(cert), subject);
- } else {
- fr_log(LOG_DST, log_type, file, line,
- "[%i] %s %s", idx, fr_tls_utils_x509_pkey_type(cert), subject);
- }
+ _fr_strerror_printf_push(file, line, "[%i] %s %s", idx, fr_tls_utils_x509_pkey_type(cert), subject);
}
-static void _tls_ctx_print_cert_line_marker(char const *file, int line,
- request_t *request, fr_log_type_t log_type, int idx,
- X509 *cert, bool marker)
+static void _tls_cert_line_marker_push(char const *file, int line,
+ int idx, X509 *cert, bool marker)
{
char subject[1024];
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
subject[sizeof(subject) - 1] = '\0';
- if (request) {
- log_request(log_type, fr_debug_lvl, request, file, line,
- "%s [%i] %s %s", marker ? ">" : " ",
- idx, fr_tls_utils_x509_pkey_type(cert), subject);
- } else {
- fr_log(LOG_DST, log_type, file, line,
- "%s [%i] %s %s", marker ? ">" : " ",
- idx, fr_tls_utils_x509_pkey_type(cert), subject);
- }
+ _fr_strerror_printf_push(file, line, "%s [%i] %s %s", marker ? ">" : " ",
+ idx, fr_tls_utils_x509_pkey_type(cert), subject);
}
-static void _tls_ctx_print_cert_line_no_idx(char const *file, int line,
- request_t *request, fr_log_type_t log_type, X509 *cert)
+static void _tls_cert_line_marker_no_idx_push(char const *file, int line, X509 *cert)
{
char subject[1024];
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
subject[sizeof(subject) - 1] = '\0';
- if (request) {
- log_request(log_type, fr_debug_lvl, request, file, line,
- "%s %s", fr_tls_utils_x509_pkey_type(cert), subject);
- } else {
- fr_log(LOG_DST, log_type, file, line,
- "%s %s", fr_tls_utils_x509_pkey_type(cert), subject);
- }
+ _fr_strerror_printf_push(file, line, "%s %s", fr_tls_utils_x509_pkey_type(cert), subject);
}
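Review bot: The new name `_tls_cert_line_marker_no_idx_push` is misleading, because unlike `_tls_cert_line_marker_push` this helper takes no `marker` argument and its format string `"%s %s"` emits no marker column. The other two helpers in this hunk are named by what they print (`_tls_cert_line_push` for the indexed form), so `_tls_cert_line_no_idx_push` would keep the three names parallel, i.e. `static void _tls_cert_line_no_idx_push(char const *file, int line, X509 *cert)` with the single call site in `_fr_tls_x509_objects_push` renamed to match.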
DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
-/** Print out the current stack of certs
+/** Print out the current stack of certs to the thread local error buffer
*
* @param[in] file File where this function is being called.
* @param[in] line Line where this function is being called.
- * @param[in] request Current request, may be NULL.
- * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
* @param[in] chain The certificate chain.
* @param[in] cert The leaf certificate.
*/
-void _fr_tls_log_certificate_chain(char const *file, int line,
- request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *cert)
+void _fr_tls_chain_push(char const *file, int line, STACK_OF(X509) *chain, X509 *cert)
{
int i;
for (i = sk_X509_num(chain); i > 0 ; i--) {
- _tls_ctx_print_cert_line(file, line, request, log_type, i, sk_X509_value(chain, i - 1));
+ _tls_cert_line_push(file, line, i, sk_X509_value(chain, i - 1));
}
- if (cert) _tls_ctx_print_cert_line(file, line, request, log_type, i, cert);
+ if (cert) _tls_cert_line_push(file, line, i, cert);
}
/** Print out the current stack of certs
* @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
* @param[in] chain The certificate chain.
* @param[in] cert The leaf certificate.
+ */
+void _fr_tls_chain_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type,
+ STACK_OF(X509) *chain, X509 *cert)
+{
+ /*
+ * Dump to the thread local buffer
+ */
+ fr_strerror_clear();
+ _fr_tls_chain_push(file, line, chain, cert);
+ if (request) {
+ log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
+ } else {
+ fr_perror(NULL);
+ }
+}
+
+/** Print out the current stack of certs to the thread local error buffer
+ *
+ * @param[in] file File where this function is being called.
+ * @param[in] line Line where this function is being called.
+ * @param[in] chain The certificate chain.
+ * @param[in] cert The leaf certificate.
* @param[in] marker The certificate we want to mark.
*/
-void _fr_tls_log_certificate_chain_marker(char const *file, int line,
- request_t *request, fr_log_type_t log_type,
- STACK_OF(X509) *chain, X509 *cert, X509 *marker)
+void _fr_tls_chain_marker_push(char const *file, int line,
+ STACK_OF(X509) *chain, X509 *cert, X509 *marker)
{
int i;
for (i = sk_X509_num(chain); i > 0 ; i--) {
X509 *selected = sk_X509_value(chain, i - 1);
- _tls_ctx_print_cert_line_marker(file, line, request, log_type, i, selected, (selected == marker));
+ _tls_cert_line_marker_push(file, line, i, selected, (selected == marker));
+ }
+ if (cert) _tls_cert_line_marker_push(file, line, i, cert, (cert == marker));
+}
+
+/** Print out the current stack of certs
+ *
+ * @param[in] file File where this function is being called.
+ * @param[in] line Line where this function is being called.
+ * @param[in] request Current request, may be NULL.
+ * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
+ * @param[in] chain The certificate chain.
+ * @param[in] cert The leaf certificate.
+ * @param[in] marker The certificate we want to mark.
+ */
+void _fr_tls_chain_marker_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type,
+ STACK_OF(X509) *chain, X509 *cert, X509 *marker)
+{
+ /*
+ * Dump to the thread local buffer
+ */
+ fr_strerror_clear();
+ _fr_tls_chain_marker_push(file, line, chain, cert, marker);
+ if (request) {
+ log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
+ } else {
+ fr_perror(NULL);
}
- if (cert) _tls_ctx_print_cert_line_marker(file, line, request, log_type, i, cert, (cert == marker));
}
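Review bot: `fr_strerror_clear()` at the top of `_fr_tls_chain_log` discards whatever the caller already had on the thread-local error stack before the chain lines are pushed, and `_fr_tls_chain_marker_log` and `_fr_tls_x509_objects_log` open the same way. Callers such as the `case -1:` branch in the chain verification code call `fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify)` and only then `PERROR("Malformed certificate")`, so any reason presumably recorded by `fr_tls_cert_is_valid` is wiped before `PERROR` can print it, and the `DEBUG_ENABLED3` dump of `our_chain` now clobbers pending error state as a side effect of a debug print. If clearing is intentional, the wrappers should say so in their doc comments, e.g. `@note Clears the thread local error stack before pushing the chain; emit any pending errors first.`, and the `PERROR` call sites should be reordered to log the pending error before the chain; otherwise drop the `fr_strerror_clear()` so the chain lines are appended to, rather than replace, the caller's errors.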
/** Print out the current stack of X509 objects (certificates only)
*
* @param[in] file File where this function is being called.
* @param[in] line Line where this function is being called.
- * @param[in] request Current request, may be NULL.
- * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
* @param[in] objects A stack of X509 objects
*/
-void _fr_tls_log_x509_objects(char const *file, int line,
- request_t *request, fr_log_type_t log_type,
- STACK_OF(X509_OBJECT) *objects)
+void _fr_tls_x509_objects_push(char const *file, int line,
+ STACK_OF(X509_OBJECT) *objects)
{
int i;
switch (X509_OBJECT_get_type(obj)) {
case X509_LU_X509: /* X509 certificate */
- _tls_ctx_print_cert_line_no_idx(file, line, request, log_type, X509_OBJECT_get0_X509(obj));
+ /*
+ * Dump to the thread local buffer
+ */
+ _tls_cert_line_marker_no_idx_push(file, line, X509_OBJECT_get0_X509(obj));
break;
case X509_LU_CRL: /* Certificate revocation list */
}
}
+/** Print out the current stack of X509 objects (certificates only)
+ *
+ * @param[in] file File where this function is being called.
+ * @param[in] line Line where this function is being called.
+ * @param[in] request Current request, may be NULL.
+ * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
+ * @param[in] objects A stack of X509 objects
+ */
+void _fr_tls_x509_objects_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type,
+ STACK_OF(X509_OBJECT) *objects)
+{
+
+ fr_strerror_clear();
+ _fr_tls_x509_objects_push(file, line, objects);
+ if (request) {
+ log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
+ } else {
+ fr_perror(NULL);
+ }
+}
+
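Review bot: The body of `_fr_tls_x509_objects_log` opens with an empty line directly after `{`, whereas the sibling wrappers `_fr_tls_chain_log` and `_fr_tls_chain_marker_log` open with the `Dump to the thread local buffer` comment. Either drop the blank line or add the same comment so the three wrappers read alike; the same `/* Dump to the thread local buffer */` comment fits here since the body follows the identical clear/push/perror sequence.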
DIAG_OFF(format-nonliteral)
/** Print errors in the TLS thread local error stack
*
* @param[in] ... Arguments for msg.
* @return the number of errors drained from the stack.
*/
-int fr_tls_log_strerror_printf(char const *msg, ...)
+int fr_tls_strerror_printf(char const *msg, ...)
{
va_list ap;
int ret;
* @param[in] ... Arguments for msg.
* @return the number of errors drained from the stack.
*/
-int fr_tls_log_error(request_t *request, char const *msg, ...)
+int fr_tls_log(request_t *request, char const *msg, ...)
{
va_list ap;
int ret;
/** Clear errors in the TLS thread local error stack
*
*/
-void tls_log_clear(void)
+void fr_tls_log_clear(void)
{
while (ERR_get_error() != 0);
}
#include "base.h"
-#define fr_tls_log_certificate_chain(...) \
- _fr_tls_log_certificate_chain( __FILE__, __LINE__, ## __VA_ARGS__)
-void _fr_tls_log_certificate_chain(char const *file, int line,
- request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf);
-
-#define fr_tls_log_certificate_chain_marker(...) \
- _fr_tls_log_certificate_chain_marker( __FILE__, __LINE__, ## __VA_ARGS__)
-void _fr_tls_log_certificate_chain_marker(char const *file, int line,
- request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain,
- X509 *leaf, X509 *marker);
-
-#define fr_tls_log_x509_objects(...) \
- _fr_tls_log_x509_objects( __FILE__, __LINE__, ## __VA_ARGS__)
-void _fr_tls_log_x509_objects(char const *file, int line,
+/** Push a representation of a certificate chain onto the thread local error stack
+ *
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ * @param[in] _marker The certificate to emit a marker for.
+ */
+#define fr_tls_chain_push(_chain, _leaf) \
+ _fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf)
+void _fr_tls_chain_push(char const *file, int line, STACK_OF(X509) *chain, X509 *cert);
+
+/** Write out a certificate chain to the request or global log
+ *
+ * @param[in] _request The current request or NULL if you want to write to the global log.
+ * @param[in] _log_type Type of log message to create.
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ */
+#define fr_tls_chain_log(_request, _log_type, _chain, _leaf) \
+ _fr_tls_chain_log( __FILE__, __LINE__, _request, _log_type, _chain, _leaf)
+void _fr_tls_chain_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf);
+
+/** Push a representation of a certificate chain with a marker onto the thread local error stack
+ *
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ * @param[in] _marker The certificate to emit a marker for.
+ */
+#define fr_tls_chain_marker_push(_chain, _leaf, _marker) \
+ _fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf, _marker)
+void _fr_tls_chain_marker_push(char const *file, int line,
+ STACK_OF(X509) *chain, X509 *cert, X509 *marker);
+
+/** Write out a certificate chain with a marker to the request or global log
+ *
+ * @param[in] _request The current request or NULL if you want to write to the global log.
+ * @param[in] _log_type Type of log message to create.
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ * @param[in] _marker Emit a marker for this certificate.
+ */
+#define fr_tls_chain_marker_log(_request, _log_type, _chain, _leaf, _marker) \
+ _fr_tls_chain_marker_log( __FILE__, __LINE__, _request, _log_type, _chain, _leaf, _marker)
+void _fr_tls_chain_marker_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf,
+ X509 *marker);
+
+/** Push a collection of X509 objects into the thread local error stack
+ *
+ * @param[in] _objects to push onto the thread local error stack
+ */
+#define fr_tls_x509_objects_push(_objects) \
+ _fr_tls_x509_objects_push( __FILE__, __LINE__, _objects)
+void _fr_tls_x509_objects_push(char const *file, int line,
+ STACK_OF(X509_OBJECT) *objects);
+
+/** Write out a collection of X509 objects to the request or global log
+ *
+ * @param[in] _request The current request or NULL if you want to write to the global log.
+ * @param[in] _log_type Type of log message to create.
+ * @param[in] _objects to print to the log
+ */
+#define fr_tls_x509_objects_log(_request, _log_type, _objects) \
+ _fr_tls_x509_objects_log( __FILE__, __LINE__, _request, _log_type, _objects)
+void _fr_tls_x509_objects_log(char const *file, int line,
request_t *request, fr_log_type_t log_type,
STACK_OF(X509_OBJECT) *objects);
int fr_tls_log_io_error(request_t *request, int err, char const *msg, ...)
CC_HINT(format (printf, 3, 4));
-int fr_tls_log_strerror_printf(char const *msg, ...) CC_HINT(format (printf, 1, 2));
+int fr_tls_strerror_printf(char const *msg, ...) CC_HINT(format (printf, 1, 2));
-int fr_tls_log_error(request_t *request, char const *msg, ...) CC_HINT(format (printf, 2, 3));
+int fr_tls_log(request_t *request, char const *msg, ...) CC_HINT(format (printf, 2, 3));
-void tls_log_clear(void);
+void fr_tls_log_clear(void);
/** Return a BIO that writes to the log of the specified request
*
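Review bot: The `fr_tls_chain_marker_push` macro expands to `_fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf, _marker)`, i.e. five arguments to a function the header declares with four (file, line, chain, cert), while the five-argument `_fr_tls_chain_marker_push` declared immediately below it is never reached; any use of the macro will fail to compile. The expansion should read `_fr_tls_chain_marker_push( __FILE__, __LINE__, _chain, _leaf, _marker)`. The doc block for `fr_tls_chain_push` also carries a stray `@param[in] _marker` line that its two-argument macro does not take, and both `_fr_tls_chain_push` and `_fr_tls_chain_marker_push` name the leaf parameter `cert` where the macros and docs call it `_leaf`, which Doxygen will report as a mismatch.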
if (unlikely(X509_NAME_print_ex(fr_tls_bio_dbuff_thread_local(vp, 256, 0),
X509_get_subject_name(cert), 0, XN_FLAG_ONELINE) < 0)) {
fr_tls_bio_dbuff_thread_local_clear();
- fr_tls_log_error(request, "Failed retrieving certificate subject");
+ fr_tls_log(request, "Failed retrieving certificate subject");
error:
fr_pair_list_free(pair_list);
return -1;
slen = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, cn, (size_t)slen + 1);
if (slen < 0) {
- fr_tls_log_error(request, "Failed retrieving certificate common name");
+ fr_tls_log(request, "Failed retrieving certificate common name");
goto error;
}
}
if (unlikely(X509_NAME_print_ex(fr_tls_bio_dbuff_thread_local(vp, 256, 0),
X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE) < 0)) {
fr_tls_bio_dbuff_thread_local_clear();
- fr_tls_log_error(request, "Failed retrieving certificate issuer");
+ fr_tls_log(request, "Failed retrieving certificate issuer");
goto error;
}
fr_pair_value_bstrdup_buffer_shallow(vp, fr_tls_bio_dbuff_thread_local_finalise_bstr(), true);
serial = X509_get0_serialNumber(cert);
if (!serial) {
- fr_tls_log_error(request, "Failed retrieving certificate serial");
+ fr_tls_log(request, "Failed retrieving certificate serial");
goto error;
}
RDEBUG2("Asking for more data in tunnel");
} else {
- fr_tls_log_error(NULL, NULL);
+ fr_tls_log(NULL, NULL);
record_init(&tls_session->dirty_in);
goto error;
}
ssl = SSL_new(ssl_ctx);
if (ssl == NULL) {
- fr_tls_log_error(request, "Error creating new TLS session");
+ fr_tls_log(request, "Error creating new TLS session");
return NULL;
}
fr_pair_list_init(&tls_session->extra_pairs);
RDEBUG2("Loading TLS session certificate \"%pV\"", &vp->data);
if (SSL_use_certificate_file(tls_session->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
- fr_tls_log_error(request, "Failed loading TLS session certificate \"%s\"",
+ fr_tls_log(request, "Failed loading TLS session certificate \"%s\"",
vp->vp_strvalue);
goto error;
}
if (SSL_use_PrivateKey_file(tls_session->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
- fr_tls_log_error(request, "Failed loading TLS session certificate \"%s\"",
+ fr_tls_log(request, "Failed loading TLS session certificate \"%s\"",
vp->vp_strvalue);
goto error;
}
if (SSL_check_private_key(tls_session->ssl) != 1) {
- fr_tls_log_error(request, "Failed validating TLS session certificate \"%s\"",
+ fr_tls_log(request, "Failed validating TLS session certificate \"%s\"",
vp->vp_strvalue);
goto error;
}
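Review bot: The message rewritten in the `SSL_use_PrivateKey_file` failure branch still reads `"Failed loading TLS session certificate \"%s\""`, identical to the `SSL_use_certificate_file` branch above it, so a private-key load failure is logged as a certificate failure. Since the line is being touched anyway, change it to `fr_tls_log(request, "Failed loading TLS session private key \"%s\"",`. The enclosing function starts before this hunk.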
RDEBUG2("Static certificates in verification store are");
if (RDEBUG_ENABLED2) {
RINDENT();
- fr_tls_log_x509_objects(request, L_DBG, X509_STORE_get0_objects(store));
+ fr_tls_x509_objects_log(request, L_DBG, X509_STORE_get0_objects(store));
REXDENT();
}
break;
fclose(fp);
if (!pkey) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
cf_log_perr(ci, "Error loading private certificate file \"%s\"", filename);
return -1;
fclose(fp);
if (!cert) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
cf_log_perr(ci, "Error loading certificate file \"%s\"", filename);
return -1;
*/
pkey = X509_get_pubkey(cert);
if (!pkey) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
cf_log_perr(ci, "Failed extracting public key from certificate");
return -1;
RHEXDUMP3((uint8_t const *)plaintext, plaintext_len, "Plaintext (%zu bytes)", plaintext_len);
if (EVP_PKEY_encrypt(t->evp_encrypt_ctx, NULL, &ciphertext_len,
(unsigned char const *)plaintext, plaintext_len) <= 0) {
- fr_tls_log_error(request, "Failed getting length of encrypted plaintext");
+ fr_tls_log(request, "Failed getting length of encrypted plaintext");
return XLAT_ACTION_FAIL;
}
MEM(fr_value_box_mem_alloc(vb, &ciphertext, vb, NULL, ciphertext_len, false) == 0);
if (EVP_PKEY_encrypt(t->evp_encrypt_ctx, ciphertext, &ciphertext_len,
(unsigned char const *)plaintext, plaintext_len) <= 0) {
- fr_tls_log_error(request, "Failed encrypting plaintext");
+ fr_tls_log(request, "Failed encrypting plaintext");
talloc_free(vb);
return XLAT_ACTION_FAIL;
}
* First produce a digest of the message
*/
if (unlikely(EVP_DigestInit_ex(t->evp_md_ctx, inst->rsa->sig_digest, NULL) <= 0)) {
- fr_tls_log_error(request, "Failed initialising message digest");
+ fr_tls_log(request, "Failed initialising message digest");
return XLAT_ACTION_FAIL;
}
if (EVP_DigestUpdate(t->evp_md_ctx, msg, msg_len) <= 0) {
- fr_tls_log_error(request, "Failed ingesting message");
+ fr_tls_log(request, "Failed ingesting message");
return XLAT_ACTION_FAIL;
}
if (EVP_DigestFinal_ex(t->evp_md_ctx, t->digest_buff, &digest_len) <= 0) {
- fr_tls_log_error(request, "Failed finalising message digest");
+ fr_tls_log(request, "Failed finalising message digest");
return XLAT_ACTION_FAIL;
}
fr_assert((size_t)digest_len == talloc_array_length(t->digest_buff));
* Then sign the digest
*/
if (EVP_PKEY_sign(t->evp_sign_ctx, NULL, &sig_len, t->digest_buff, (size_t)digest_len) <= 0) {
- fr_tls_log_error(request, "Failed getting length of digest");
+ fr_tls_log(request, "Failed getting length of digest");
return XLAT_ACTION_FAIL;
}
MEM(vb = fr_value_box_alloc_null(ctx));
MEM(fr_value_box_mem_alloc(vb, &sig, vb, NULL, sig_len, false) == 0);
if (EVP_PKEY_sign(t->evp_sign_ctx, sig, &sig_len, t->digest_buff, (size_t)digest_len) <= 0) {
- fr_tls_log_error(request, "Failed signing message digest");
+ fr_tls_log(request, "Failed signing message digest");
talloc_free(vb);
return XLAT_ACTION_FAIL;
}
*/
RHEXDUMP3(ciphertext, ciphertext_len, "Ciphertext (%zu bytes)", ciphertext_len);
if (EVP_PKEY_decrypt(t->evp_decrypt_ctx, NULL, &plaintext_len, ciphertext, ciphertext_len) <= 0) {
- fr_tls_log_error(request, "Failed getting length of cleartext");
+ fr_tls_log(request, "Failed getting length of cleartext");
return XLAT_ACTION_FAIL;
}
MEM(fr_value_box_bstr_alloc(vb, &plaintext, vb, NULL, plaintext_len, true) == 0);
if (EVP_PKEY_decrypt(t->evp_decrypt_ctx, (unsigned char *)plaintext, &plaintext_len,
ciphertext, ciphertext_len) <= 0) {
- fr_tls_log_error(request, "Failed decrypting ciphertext");
+ fr_tls_log(request, "Failed decrypting ciphertext");
talloc_free(vb);
return XLAT_ACTION_FAIL;
}
* First produce a digest of the message
*/
if (unlikely(EVP_DigestInit_ex(t->evp_md_ctx, inst->rsa->sig_digest, NULL) <= 0)) {
- fr_tls_log_error(request, "Failed initialising message digest");
+ fr_tls_log(request, "Failed initialising message digest");
return XLAT_ACTION_FAIL;
}
if (EVP_DigestUpdate(t->evp_md_ctx, msg, msg_len) <= 0) {
- fr_tls_log_error(request, "Failed ingesting message");
+ fr_tls_log(request, "Failed ingesting message");
return XLAT_ACTION_FAIL;
}
if (EVP_DigestFinal_ex(t->evp_md_ctx, t->digest_buff, &digest_len) <= 0) {
- fr_tls_log_error(request, "Failed finalising message digest");
+ fr_tls_log(request, "Failed finalising message digest");
return XLAT_ACTION_FAIL;
}
fr_assert((size_t)digest_len == talloc_array_length(t->digest_buff));
break;
default:
- fr_tls_log_error(request, "Failed validating signature");
+ fr_tls_log(request, "Failed validating signature");
return XLAT_ACTION_FAIL;
}
MEM(fr_value_box_mem_alloc(vb, &digest, vb, NULL, md_len, false) == 0);
if (X509_digest(inst->rsa->x509_certificate_file, md, digest, (unsigned int *)&md_len) != 1) {
- fr_tls_log_error(request, "Failed calculating certificate fingerprint");
+ fr_tls_log(request, "Failed calculating certificate fingerprint");
talloc_free(vb);
return XLAT_ACTION_FAIL;
}
serial = X509_get0_serialNumber(inst->rsa->x509_certificate_file);
if (!serial) {
- fr_tls_log_error(request, "Failed retrieving certificate serial");
+ fr_tls_log(request, "Failed retrieving certificate serial");
return XLAT_ACTION_FAIL;
}
static int cipher_rsa_padding_params_set(EVP_PKEY_CTX *evp_pkey_ctx, cipher_rsa_t const *rsa_inst)
{
if (unlikely(EVP_PKEY_CTX_set_rsa_padding(evp_pkey_ctx, rsa_inst->padding)) <= 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed setting RSA padding type", __FUNCTION__);
return -1;
}
*/
case RSA_PKCS1_OAEP_PADDING:
if (unlikely(EVP_PKEY_CTX_set_rsa_oaep_md(evp_pkey_ctx, rsa_inst->oaep->oaep_digest) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed setting OAEP digest", __FUNCTION__);
return -1;
}
if (unlikely(EVP_PKEY_CTX_set_rsa_mgf1_md(evp_pkey_ctx, rsa_inst->oaep->mgf1_digest) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed setting MGF1 digest", __FUNCTION__);
return -1;
}
*/
MEM(label = talloc_bstrndup(evp_pkey_ctx, rsa_inst->oaep->label, label_len));
if (unlikely(EVP_PKEY_CTX_set0_rsa_oaep_label(evp_pkey_ctx, label, label_len) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed setting OAEP padding label", __FUNCTION__);
OPENSSL_free(label);
return -1;
*/
ti->evp_encrypt_ctx = EVP_PKEY_CTX_new(inst->rsa->certificate_file, NULL);
if (!ti->evp_encrypt_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed allocating encrypt EVP_PKEY_CTX", __FUNCTION__);
return -1;
}
* Configure encrypt
*/
if (unlikely(EVP_PKEY_encrypt_init(ti->evp_encrypt_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed initialising encrypt EVP_PKEY_CTX", __FUNCTION__);
return XLAT_ACTION_FAIL;
}
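Review bot: The failure branch after `EVP_PKEY_encrypt_init` returns `XLAT_ACTION_FAIL`, while the allocation check a few lines earlier in what looks like the same function returns `-1`; if, as that adjacent `return -1` suggests, this is an int-returning instantiate callback, an `xlat_action_t` enum value is not a reliable failure indicator for callers testing `< 0`. The same mixed return appears in the hunks for verify init, both `EVP_PKEY_CTX_set_signature_md` calls, decrypt init and sign init. Suggest `return -1;` in each of those branches to match the surrounding allocation checks. The enclosing function starts and ends outside the hunk.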
*/
ti->ePAIR_VERIFY_ctx = EVP_PKEY_CTX_new(inst->rsa->certificate_file, NULL);
if (!ti->ePAIR_VERIFY_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed allocating verify EVP_PKEY_CTX", __FUNCTION__);
return -1;
}
* Configure verify
*/
if (unlikely(EVP_PKEY_verify_init(ti->ePAIR_VERIFY_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed initialising verify EVP_PKEY_CTX", __FUNCTION__);
return XLAT_ACTION_FAIL;
}
}
if (unlikely(EVP_PKEY_CTX_set_signature_md(ti->ePAIR_VERIFY_ctx, inst->rsa->sig_digest)) <= 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed setting signature digest type", __FUNCTION__);
return XLAT_ACTION_FAIL;
}
*/
ti->evp_decrypt_ctx = EVP_PKEY_CTX_new(inst->rsa->private_key_file, NULL);
if (!ti->evp_decrypt_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed allocating decrypt EVP_PKEY_CTX", __FUNCTION__);
return -1;
}
* Configure decrypt
*/
if (unlikely(EVP_PKEY_decrypt_init(ti->evp_decrypt_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed initialising decrypt EVP_PKEY_CTX", __FUNCTION__);
return XLAT_ACTION_FAIL;
}
*/
ti->evp_sign_ctx = EVP_PKEY_CTX_new(inst->rsa->private_key_file, NULL);
if (!ti->evp_sign_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed allocating sign EVP_PKEY_CTX", __FUNCTION__);
return -1;
}
* Configure sign
*/
if (unlikely(EVP_PKEY_sign_init(ti->evp_sign_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed initialising sign EVP_PKEY_CTX", __FUNCTION__);
return XLAT_ACTION_FAIL;
}
}
if (unlikely(EVP_PKEY_CTX_set_signature_md(ti->evp_sign_ctx, inst->rsa->sig_digest)) <= 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed setting signature digest type", __FUNCTION__);
return XLAT_ACTION_FAIL;
}
*/
ti->evp_md_ctx = EVP_MD_CTX_create();
if (!ti->evp_md_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
PERROR("%s: Failed allocating EVP_MD_CTX", __FUNCTION__);
return -1;
}
if (inst->rsa->private_key_file && inst->rsa->x509_certificate_file) {
if (X509_check_private_key(inst->rsa->x509_certificate_file,
inst->rsa->private_key_file) == 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
cf_log_perr(conf, "Private key does not match the certificate public key");
return -1;
}
*/
if (SSL_export_keying_material(ssl, challenge, vp->vp_length + 1,
label, sizeof(label) - 1, NULL, 0, 0) != 1) {
- fr_tls_log_strerror_printf("Failed generating phase2 challenge");
+ fr_tls_strerror_printf("Failed generating phase2 challenge");
goto error;
}
MEM(evp_ctx = EVP_CIPHER_CTX_new());
if (unlikely(EVP_CIPHER_CTX_set_key_length(evp_ctx, nt_password->vp_length)) != 1) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
RPERROR("Failed setting key length");
return -1;
}
if (unlikely(EVP_EncryptInit_ex(evp_ctx, EVP_rc4(), NULL, nt_password->vp_octets, NULL) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
RPERROR("Failed initialising RC4 ctx");
return -1;
}
if (unlikely(EVP_EncryptUpdate(evp_ctx, nt_pass_decrypted, &ntlen, new_nt_password, ntlen) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
RPERROR("Failed ingesting new password");
return -1;
}
cert = SSL_get_certificate(ssl);
if (!cert) {
- fr_tls_log_error(request, "No server certificate found in SSL session");
+ fr_tls_log(request, "No server certificate found in SSL session");
error:
X509_STORE_CTX_free(server_store_ctx);
X509_STORE_free(server_store);
server_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl));
if (!server_store) {
- fr_tls_log_error(request, "Failed retrieving SSL session cert store");
+ fr_tls_log(request, "Failed retrieving SSL session cert store");
goto error;
}
(void)SSL_get0_chain_certs(ssl, &our_chain);
if (!our_chain) {
#endif
- fr_tls_log_error(request, "Failed retrieving chain certificates from current SSL session");
+ fr_tls_log(request, "Failed retrieving chain certificates from current SSL session");
goto error;
}
if (RDEBUG_ENABLED3) {
RDEBUG3("Current SSL session cert store contents");
RINDENT();
- fr_tls_log_certificate_chain(request, L_DBG, our_chain, cert);
+ fr_tls_chain_log(request, L_DBG, our_chain, cert);
REXDENT();
}
for (i = 0; i < num; i++) {
if (X509_STORE_add_cert(server_store, sk_X509_value(our_chain, i)) != 1) {
- fr_tls_log_error(request, "Failed adding certificate to trusted store");
+ fr_tls_log(request, "Failed adding certificate to trusted store");
goto error;
}
}
*/
MEM(server_store_ctx = X509_STORE_CTX_new());
if (X509_STORE_CTX_init(server_store_ctx, server_store, NULL, NULL) == 0) {
- fr_tls_log_error(request, "Failed initialising SSL session cert store ctx");
+ fr_tls_log(request, "Failed initialising SSL session cert store ctx");
goto error;
}
subject = X509_get_subject_name(cert);
if (!subject) {
- fr_tls_log_error(request, "Couldn't retrieve subject name of SSL session cert");
+ fr_tls_log(request, "Couldn't retrieve subject name of SSL session cert");
goto error;
}
MEM(subject_str = X509_NAME_oneline(subject, NULL, 0));
issuer = X509_get_issuer_name(cert);
if (!issuer) {
- fr_tls_log_error(request, "Couldn't retrieve issuer name of SSL session cert");
+ fr_tls_log(request, "Couldn't retrieve issuer name of SSL session cert");
OPENSSL_free(subject_str);
goto error;
}
switch (ret) {
case 0:
- fr_tls_log_error(request, "Issuer \"%s\" of \"%s\" not found in certificate store",
+ fr_tls_log(request, "Issuer \"%s\" of \"%s\" not found in certificate store",
issuer_str, subject_str);
break;
default:
- fr_tls_log_error(request, "Error retrieving issuer \"%s\" of \"%s\" from certificate store",
+ fr_tls_log(request, "Error retrieving issuer \"%s\" of \"%s\" from certificate store",
issuer_str, subject_str);
break;
}
(int)iterations,
evp_md,
(int)digest_len, (unsigned char *)digest) == 0) {
- fr_tls_log_error(request, "PBKDF2 digest failure");
+ fr_tls_log(request, "PBKDF2 digest failure");
goto finish;
}