From: Arran Cudbard-Bell Date: Wed, 5 Oct 2022 03:37:16 +0000 (-0400) Subject: Convert more TLS functions to strerror style X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fc904c7410f340000ffdef12865df4ab764d1da;p=thirdparty%2Ffreeradius-server.git Convert more TLS functions to strerror style --- diff --git a/src/lib/eap_aka_sim/crypto.c b/src/lib/eap_aka_sim/crypto.c index 130ec0951be..34e3c71350f 100644 --- a/src/lib/eap_aka_sim/crypto.c +++ b/src/lib/eap_aka_sim/crypto.c @@ -39,7 +39,7 @@ RCSID("$Id$") #include #include #include -#include +#include #include #include #include diff --git a/src/lib/eap_aka_sim/decode.c b/src/lib/eap_aka_sim/decode.c index a9c5b206288..54992e6040d 100644 --- a/src/lib/eap_aka_sim/decode.c +++ b/src/lib/eap_aka_sim/decode.c @@ -29,7 +29,7 @@ RCSID("$Id$") #include #include -#include +#include #include #include diff --git a/src/lib/eap_aka_sim/encode.c b/src/lib/eap_aka_sim/encode.c index f6e73f4a91d..98997aa3c66 100644 --- a/src/lib/eap_aka_sim/encode.c +++ b/src/lib/eap_aka_sim/encode.c @@ -26,7 +26,7 @@ RCSID("$Id$") #include #include #include -#include +#include #include #include #include diff --git a/src/lib/eap_aka_sim/id.c b/src/lib/eap_aka_sim/id.c index 81c00117bfa..10e6ad20830 100644 --- a/src/lib/eap_aka_sim/id.c +++ b/src/lib/eap_aka_sim/id.c @@ -20,7 +20,7 @@ * * @copyright 2017 The FreeRADIUS server project */ -#include +#include #include #include #include diff --git a/src/lib/sim/milenage.c b/src/lib/sim/milenage.c index 744ed13bf74..8397d81dd85 100644 --- a/src/lib/sim/milenage.c +++ b/src/lib/sim/milenage.c @@ -20,7 +20,7 @@ #include #include -#include +#include #include #include #include "common.h" diff --git a/src/lib/tls/all.mk b/src/lib/tls/all.mk index 839347b4a67..0cc957b742e 100644 --- a/src/lib/tls/all.mk +++ b/src/lib/tls/all.mk @@ -15,6 +15,7 @@ SOURCES := \ log.c \ pairs.c \ session.c \ + strerror.c \ utils.c \ verify.c \ version.c \ 
diff --git a/src/lib/tls/cache.c b/src/lib/tls/cache.c index 78053b952cc..40b477a2bb5 100644 --- a/src/lib/tls/cache.c +++ b/src/lib/tls/cache.c @@ -41,6 +41,7 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include "base.h" #include "cache.h" #include "log.h" +#include "strerror.h" #include "verify.h" #include diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c index fdc76149938..afb44a27418 100644 --- a/src/lib/tls/ctx.c +++ b/src/lib/tls/ctx.c @@ -31,9 +31,11 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #define LOG_PREFIX "tls" #include +#include #include #include #include +#include #include #include "base.h" diff --git a/src/lib/tls/engine.c b/src/lib/tls/engine.c index 6d37007e8d8..6267e530bb6 100644 --- a/src/lib/tls/engine.c +++ b/src/lib/tls/engine.c @@ -32,6 +32,7 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include #include #include +#include #include #include #include diff --git a/src/lib/tls/log.c b/src/lib/tls/log.c index 1bf73e4424a..6f76eb1405c 100644 --- a/src/lib/tls/log.c +++ b/src/lib/tls/log.c @@ -31,21 +31,11 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include #include +#include +#include #include #include "log.h" -#include "utils.h" - -#if OPENSSL_VERSION_NUMBER < 0x30000000L -static inline unsigned long ERR_get_error_all(const char **file, int *line, - const char **func, - const char **data, int *flags) -{ - if (func != NULL) *func = ""; - - return ERR_get_error_line_data(file, line, data, flags); -} -#endif /** Holds the state of a log BIO * 
@@ -97,57 +87,6 @@ static _Thread_local fr_tls_log_bio_t *request_log_bio;
 */
 static _Thread_local fr_tls_log_bio_t *global_log_bio;
 
-static void _tls_cert_line_push(char const *file, int line, int idx, X509 *cert)
-{
- char subject[1024];
-
- X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
- subject[sizeof(subject) - 1] = '\0';
-
- _fr_strerror_printf_push(file, line, "[%i] %s %s", idx, fr_tls_utils_x509_pkey_type(cert), subject);
-}
-
-static void _tls_cert_line_marker_push(char const *file, int line,
- int idx, X509 *cert, bool marker)
-{
- char subject[1024];
-
- X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
- subject[sizeof(subject) - 1] = '\0';
-
- _fr_strerror_printf_push(file, line, "%s [%i] %s %s", marker ? ">" : " ",
- idx, fr_tls_utils_x509_pkey_type(cert), subject);
-}
-
-static void _tls_cert_line_marker_no_idx_push(char const *file, int line, X509 *cert)
-{
- char subject[1024];
-
- X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
- subject[sizeof(subject) - 1] = '\0';
-
- _fr_strerror_printf_push(file, line, "%s %s", fr_tls_utils_x509_pkey_type(cert), subject);
-}
-
-DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
-DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
-/** Print out the current stack of certs to the thread local error buffer
- *
- * @param[in] file File where this function is being called.
- * @param[in] line Line where this function is being called.
- * @param[in] chain The certificate chain.
- * @param[in] cert The leaf certificate.
- */
-void _fr_tls_chain_push(char const *file, int line, STACK_OF(X509) *chain, X509 *cert)
-{
- int i;
-
- for (i = sk_X509_num(chain); i > 0 ; i--) {
- _tls_cert_line_push(file, line, i, sk_X509_value(chain, i - 1));
- }
- if (cert) _tls_cert_line_push(file, line, i, cert);
-}
-
 /** Print out the current stack of certs
 *
 * @param[in] file File where this function is being called.
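Review bot: The hunk removes `DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)` and `DIAG_OFF(used-but-marked-unused)` but no hunk in this diff removes a matching `DIAG_ON` pair from log.c; if one still exists further down the file, the pragma push/pop is now unbalanced and should be dropped in the same commit. The removed helpers also explicitly NUL-terminated the `X509_NAME_oneline` output with `subject[sizeof(subject) - 1] = '\0';` into a fixed `subject[1024]` buffer; the replacements `_fr_tls_strerror_push_chain` and friends live in strerror.c, which is not part of this diff, so it is worth confirming that the explicit termination and the bounded buffer carried over rather than being re-implemented without them. The `_fr_tls_chain_log` doc comment that follows continues outside the hunk.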
@@ -165,7 +104,7 @@ void _fr_tls_chain_log(char const *file, int line,
 * Dump to the thread local buffer
 */
 fr_strerror_clear();
- _fr_tls_chain_push(file, line, chain, cert);
+ _fr_tls_strerror_push_chain(file, line, chain, cert);
 if (request) {
 log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
 } else {
@@ -173,26 +112,6 @@ void _fr_tls_chain_log(char const *file, int line,
 }
 }
 
-/** Print out the current stack of certs to the thread local error buffer
- *
- * @param[in] file File where this function is being called.
- * @param[in] line Line where this function is being called.
- * @param[in] chain The certificate chain.
- * @param[in] cert The leaf certificate.
- * @param[in] marker The certificate we want to mark.
- */
-void _fr_tls_chain_marker_push(char const *file, int line,
- STACK_OF(X509) *chain, X509 *cert, X509 *marker)
-{
- int i;
-
- for (i = sk_X509_num(chain); i > 0 ; i--) {
- X509 *selected = sk_X509_value(chain, i - 1);
- _tls_cert_line_marker_push(file, line, i, selected, (selected == marker));
- }
- if (cert) _tls_cert_line_marker_push(file, line, i, cert, (cert == marker));
-}
-
 /** Print out the current stack of certs
 *
 * @param[in] file File where this function is being called.
@@ -211,7 +130,7 @@ void _fr_tls_chain_marker_log(char const *file, int line,
 * Dump to the thread local buffer
 */
 fr_strerror_clear();
- _fr_tls_chain_marker_push(file, line, chain, cert, marker);
+ _fr_tls_strerror_push_chain_marker(file, line, chain, cert, marker);
 if (request) {
 log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
 } else {
@@ -219,37 +138,6 @@ void _fr_tls_chain_marker_log(char const *file, int line, } } -/** Print out the current stack of X509 objects (certificates only) - * - * @param[in] file File where this function is being called. - * @param[in] line Line where this function is being called. - * @param[in] objects A stack of X509 objects - */ -void _fr_tls_x509_objects_push(char const *file, int line, - STACK_OF(X509_OBJECT) *objects) -{ - int i; - - for (i = sk_X509_OBJECT_num(objects); i > 0 ; i--) { - X509_OBJECT *obj = sk_X509_OBJECT_value(objects, i - 1); - - switch (X509_OBJECT_get_type(obj)) { - case X509_LU_X509: /* X509 certificate */ - /* - * Dump to the thread local buffer - */ - _tls_cert_line_marker_no_idx_push(file, line, X509_OBJECT_get0_X509(obj)); - break; - - case X509_LU_CRL: /* Certificate revocation list */ - continue; - - default: - continue; - } - } -} - /** Print out the current stack of X509 objects (certificates only) * * @param[in] file File where this function is being called. @@ -264,7 +152,7 @@ void _fr_tls_x509_objects_log(char const *file, int line, { fr_strerror_clear(); - _fr_tls_x509_objects_push(file, line, objects); + _fr_tls_strerror_push_x509_objects(file, line, objects); if (request) { log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL); } else { 
@@ -272,77 +160,6 @@ void _fr_tls_x509_objects_log(char const *file, int line, } } -DIAG_OFF(format-nonliteral) -/** Print errors in the TLS thread local error stack - * - * Drains the thread local OpenSSL error queue, and prints out the first error - * storing it in libfreeradius's error buffer. - * - * @param[in] msg Error message describing the operation being attempted. - * @param[in] ap Arguments for msg. - * @return the number of errors drained from the stack. - */ -static int tls_strerror_vasprintf(char const *msg, va_list ap) -{ - unsigned long error; - char *p = NULL; - int drained = 0; - char buffer[256]; - - int line; - char const *file; - char const *func; - char const *data; - int flags = 0; - - /* - * Pop the first error, so ERR_peek_error() - * can be used to determine if there are - * multiple errors. - */ - error = ERR_get_error_all(&file, &line, &func, &data, &flags); - if (!(flags & ERR_TXT_STRING)) data = NULL; - - if (msg) { - /* - * Print the error we were passed, and - * OpenSSL's error. - */ - p = talloc_vasprintf(NULL, msg, ap); - if (error) { - ERR_error_string_n(error, buffer, sizeof(buffer)); - _fr_strerror_printf(file, line, "%s: %s%c%s", p, buffer, data ? ':' : '\0', data ? data : ""); - talloc_free(p); - drained++; - /* - * Print the error we were given, irrespective - * of whether there were any OpenSSL errors. - */ - } else { - fr_strerror_printf("%s", p); - talloc_free(p); - } - } else if (error) { - ERR_error_string_n(error, buffer, sizeof(buffer)); - _fr_strerror_printf(file, line, "%s%c%s", buffer, data ? ':' : '\0', data ? data : ""); - drained++; - } else { - return 0; - } - - while ((error = ERR_get_error_all(&file, &line, &func, &data, &flags))) { - if (!(flags & ERR_TXT_STRING)) data = NULL; - - ERR_error_string_n(error, buffer, sizeof(buffer)); - - _fr_strerror_printf_push(file, line, "%s%c%s", buffer, data ? ':' : '\0', data ? 
data : ""); - drained++; - } - - return drained; -} -DIAG_ON(format-nonliteral) - /** Print errors raised by OpenSSL I/O functions * * Drains the thread local OpenSSL error queue, and prints out errors @@ -436,7 +253,7 @@ int fr_tls_log_io_error(request_t *request, int err, char const *fmt, ...) */ case SSL_ERROR_SSL: va_start(ap, fmt); - (void)tls_strerror_vasprintf(fmt, ap); + (void)fr_tls_strerror_vprintf(fmt, ap); va_end(ap); ROPTIONAL(RPERROR, PERROR, ""); @@ -464,25 +281,6 @@ int fr_tls_log_io_error(request_t *request, int err, char const *fmt, ...) return 0; } -/** Wrapper around fr_strerror_printf to log error messages for library functions calling libssl - * - * @note Will only drain the first error. - * - * @param[in] msg Error message describing the operation being attempted. - * @param[in] ... Arguments for msg. - * @return the number of errors drained from the stack. - */ -int fr_tls_strerror_printf(char const *msg, ...) -{ - va_list ap; - int ret; - - va_start(ap, msg); - ret = tls_strerror_vasprintf(msg, ap); - va_end(ap); - - return ret; -} /** Print errors in the TLS thread local error stack * @@ -499,7 +297,7 @@ int fr_tls_log(request_t *request, char const *msg, ...) int ret; va_start(ap, msg); - ret = tls_strerror_vasprintf(msg, ap); + ret = fr_tls_strerror_vprintf(msg, ap); va_end(ap); ROPTIONAL(RPERROR, PERROR, ""); diff --git a/src/lib/tls/log.h b/src/lib/tls/log.h index 92c04e43e3c..282b4e7742e 100644 --- a/src/lib/tls/log.h +++ b/src/lib/tls/log.h 
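Review bot: Removing `fr_tls_strerror_printf` in the `@@ -464,25 +281,6 @@` hunk leaves two consecutive blank lines between the closing brace of `fr_tls_log_io_error` and the `/** Print errors in the TLS thread local error stack` doc comment of `fr_tls_log`, because both the blank line before the removed block and the one after it survive; one of them should go. In the `@@ -436,7 +253,7 @@` hunk, `fr_tls_strerror_vprintf(fmt, ap)` receives the caller-supplied format now that the `DIAG_OFF(format-nonliteral)` implementation has moved to strerror.c; that remains safe only because `fr_tls_log_io_error` is declared with `CC_HINT(format (printf, 3, 4))` in log.h, so that attribute must not be lost in any later cleanup. The bodies of `fr_tls_log_io_error` and `fr_tls_log` start outside their hunks.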
@@ -36,16 +36,6 @@ RCSIDH(tls_log_h, "$Id$") #include "base.h" -/** Push a representation of a certificate chain onto the thread local error stack - * - * @param[in] _chain A stack of X509 certificates representing the chain. - * @param[in] _leaf The leaf certificate. May be NULL. - * @param[in] _marker The certificate to emit a marker for. - */ -#define fr_tls_chain_push(_chain, _leaf) \ - _fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf) -void _fr_tls_chain_push(char const *file, int line, STACK_OF(X509) *chain, X509 *cert); - /** Write out a certificate chain to the request or global log * * @param[in] _request The current request or NULL if you want to write to the global log. @@ -58,17 +48,6 @@ void _fr_tls_chain_push(char const *file, int line, STACK_OF(X509) *chain, X509 void _fr_tls_chain_log(char const *file, int line, request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf); -/** Push a representation of a certificate chain with a marker onto the thread local error stack - * - * @param[in] _chain A stack of X509 certificates representing the chain. - * @param[in] _leaf The leaf certificate. May be NULL. - * @param[in] _marker The certificate to emit a marker for. - */ -#define fr_tls_chain_marker_push(_chain, _leaf, _marker) \ - _fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf, _marker) -void _fr_tls_chain_marker_push(char const *file, int line, - STACK_OF(X509) *chain, X509 *cert, X509 *marker); - /** Write out a certificate chain with a marker to the request or global log * * @param[in] _request The current request or NULL if you want to write to the global log. 
@@ -83,15 +62,6 @@ void _fr_tls_chain_marker_log(char const *file, int line, request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf, X509 *marker); -/** Push a collection of X509 objects into the thread local error stack - * - * @param[in] _objects to push onto the thread local error stack - */ -#define fr_tls_x509_objects_push(_objects) \ - _fr_tls_x509_objects_push( __FILE__, __LINE__, _objects) -void _fr_tls_x509_objects_push(char const *file, int line, - STACK_OF(X509_OBJECT) *objects); - /** Write out a collection of X509 objects to the request or global log * * @param[in] _request The current request or NULL if you want to write to the global log. @@ -107,8 +77,6 @@ void _fr_tls_x509_objects_log(char const *file, int line, int fr_tls_log_io_error(request_t *request, int err, char const *msg, ...) CC_HINT(format (printf, 3, 4)); -int fr_tls_strerror_printf(char const *msg, ...) CC_HINT(format (printf, 1, 2)); - int fr_tls_log(request_t *request, char const *msg, ...) CC_HINT(format (printf, 2, 3)); void fr_tls_log_clear(void); diff --git a/src/modules/rlm_cipher/rlm_cipher.c b/src/modules/rlm_cipher/rlm_cipher.c index 9dda19cf7ce..5b5b25f9794 100644 --- a/src/modules/rlm_cipher/rlm_cipher.c +++ b/src/modules/rlm_cipher/rlm_cipher.c @@ -30,8 +30,9 @@ RCSID("$Id$") #include #include #include -#include #include +#include +#include #include #include diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c index 3dc81f6bf11..17a9f309db0 100644 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c @@ -27,6 +27,7 @@ RCSID("$Id$") #include #include +#include #include "eap_ttls.h" #define FR_DIAMETER_AVP_FLAG_VENDOR 0x80 diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c index 94476acc130..5ed1d064d33 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c 
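Review bot: The `@@ -107,8 +77,6 @@` hunk drops `int fr_tls_strerror_printf(char const *msg, ...) CC_HINT(format (printf, 1, 2));`, which was the only declaration in this header carrying a printf-format attribute for the strerror entry point; its replacement is declared in strerror.h, which is not in this diff. Since rlm_cipher, rlm_mschap and rlm_eap_ttls now pull that header in for their error reporting, the new declarations should keep the attribute, i.e. `CC_HINT(format (printf, 1, 2))` on the variadic form and `CC_HINT(format (printf, 1, 0))` on `fr_tls_strerror_vprintf`, so that a non-literal format passed by a module is still diagnosed at compile time rather than only suppressed at the implementation. I cannot confirm from this page whether strerror.h already does this.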
@@ -31,7 +31,7 @@ RCSID("$Id$") #include #include #include -#include +#include #include #include