From: Arran Cudbard-Bell
Date: Tue, 4 Oct 2022 05:12:19 +0000 (-0400)
Subject: Add "strerror" variants of more logging functions
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d123dc552d578799da5230be6616d79db280a5d7;p=thirdparty%2Ffreeradius-server.git
Add "strerror" variants of more logging functions
This means the TLS library functions can integrate better with the different logging facilities, allowing us to print chain errors in the context of a conf item (for example)
---
diff --git a/src/lib/eap/crypto.c b/src/lib/eap/crypto.c
index bf2dffabad0..e39b4d2dd51 100644
--- a/src/lib/eap/crypto.c
+++ b/src/lib/eap/crypto.c
@@ -95,7 +95,7 @@ int eap_crypto_mppe_keys(request_t *request, SSL *ssl, eap_tls_prf_label_t *prf_
 prf_label->context,
 prf_label->context_len,
 prf_label->use_context) != 1) {
- fr_tls_log_error(request, "Failed generating MPPE keys");
+ fr_tls_log(request, "Failed generating MPPE keys");
 return -1;
 }
@@ -175,7 +175,7 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx,
 prf_label->context,
 prf_label->context_len,
 prf_label->use_context) != 1) {
- fr_tls_log_error(request, "Failed generating TLS session ID");
+ fr_tls_log(request, "Failed generating TLS session ID");
 return -1;
 }
 }
diff --git a/src/lib/eap_aka_sim/crypto.c b/src/lib/eap_aka_sim/crypto.c
index b3fbfd2a3bf..130ec0951be 100644
--- a/src/lib/eap_aka_sim/crypto.c
+++ b/src/lib/eap_aka_sim/crypto.c
@@ -121,13 +121,13 @@ int fr_aka_sim_crypto_init_checkcode(TALLOC_CTX *ctx, fr_aka_sim_checkcode_t **c
 (*checkcode)->md_ctx = EVP_MD_CTX_create();
 if (!(*checkcode)->md_ctx) {
- fr_tls_log_strerror_printf("Failed creating MD ctx");
+ fr_tls_strerror_printf("Failed creating MD ctx");
 error:
 TALLOC_FREE(*checkcode);
 return -1;
 }
 if (EVP_DigestInit_ex((*checkcode)->md_ctx, md, NULL) != 1) {
- fr_tls_log_strerror_printf("Failed intialising MD ctx");
+ fr_tls_strerror_printf("Failed intialising MD ctx");
 goto error;
 }
@@ -166,7 +166,7 @@ int fr_aka_sim_crypto_update_checkcode(fr_aka_sim_checkcode_t *checkcode, eap_pa
 * Digest the header
 */
 if (EVP_DigestUpdate(checkcode->md_ctx, &eap_hdr, sizeof(eap_hdr)) != 1) {
- fr_tls_log_strerror_printf("Failed digesting EAP header");
+ fr_tls_strerror_printf("Failed digesting EAP header");
 return -1;
 }
@@ -176,7 +176,7 @@ int fr_aka_sim_crypto_update_checkcode(fr_aka_sim_checkcode_t *checkcode, eap_pa
 * Digest the packet
 */
 if (EVP_DigestUpdate(checkcode->md_ctx, eap_packet->type.data, eap_packet->type.length) != 1) {
- fr_tls_log_strerror_printf("Failed digesting packet data");
+ fr_tls_strerror_printf("Failed digesting packet data");
 return -1;
 }
@@ -201,7 +201,7 @@ ssize_t fr_aka_sim_crypto_finalise_checkcode(TALLOC_CTX *ctx, uint8_t **out, fr_
 len = (size_t)EVP_MD_CTX_size((*checkcode).md_ctx);
 MEM(buff = talloc_array(ctx, uint8_t, len));
 if (EVP_DigestFinal_ex((*checkcode).md_ctx, buff, NULL) != 1) {
- fr_tls_log_strerror_printf("Failed finalising checkcode digest");
+ fr_tls_strerror_printf("Failed finalising checkcode digest");
 return -1;
 }
 *out = buff;
@@ -315,7 +315,7 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
 FR_PROTO_HEX_DUMP(key, key_len, "MAC key");
 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
 if (!pkey) {
- fr_tls_log_strerror_printf("Failed creating HMAC signing key");
+ fr_tls_strerror_printf("Failed creating HMAC signing key");
 error:
 if (pkey) EVP_PKEY_free(pkey);
 if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
@@ -324,12 +324,12 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
 md_ctx = EVP_MD_CTX_create();
 if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating HMAC ctx");
+ fr_tls_strerror_printf("Failed creating HMAC ctx");
 goto error;
 }
 if (EVP_DigestSignInit(md_ctx, NULL, md, NULL, pkey) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
 goto error;
 }
@@ -346,7 +346,7 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
 FR_PROTO_HEX_DUMP((uint8_t *)&eap_hdr, sizeof(eap_hdr), "MAC digest input (eap header)");
 if (EVP_DigestSignUpdate(md_ctx, &eap_hdr, sizeof(eap_hdr)) != 1) {
- fr_tls_log_strerror_printf("Failed digesting EAP data");
+ fr_tls_strerror_printf("Failed digesting EAP data");
 goto error;
 }
@@ -369,7 +369,7 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
 * AT_MAC header and reserved bytes.
 */
 if (EVP_DigestSignUpdate(md_ctx, p, mac - p) != 1) {
- fr_tls_log_strerror_printf("Failed digesting packet data (before MAC)");
+ fr_tls_strerror_printf("Failed digesting packet data (before MAC)");
 goto error;
 }
 p += mac - p;
@@ -381,7 +381,7 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
 * simulated the zeroed out Mac.
 */
 if (EVP_DigestSignUpdate(md_ctx, zero, sizeof(zero)) != 1) {
- fr_tls_log_strerror_printf("Failed digesting zeroed MAC");
+ fr_tls_strerror_printf("Failed digesting zeroed MAC");
 goto error;
 }
 p += sizeof(zero);
@@ -404,7 +404,7 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
 * Digest the rest of the packet.
 */
 if (EVP_DigestSignUpdate(md_ctx, p, end - p) != 1) {
- fr_tls_log_strerror_printf("Failed digesting packet data");
+ fr_tls_strerror_printf("Failed digesting packet data");
 goto error;
 }
 }
@@ -418,13 +418,13 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
 if (hmac_extra) {
 FR_PROTO_HEX_DUMP(hmac_extra, hmac_extra_len, "MAC digest input (extra)");
 if (EVP_DigestSignUpdate(md_ctx, hmac_extra, hmac_extra_len) != 1) {
- fr_tls_log_strerror_printf("Failed digesting HMAC extra data");
+ fr_tls_strerror_printf("Failed digesting HMAC extra data");
 goto error;
 }
 }
 if (EVP_DigestSignFinal(md_ctx, digest, &digest_len) != 1) {
- fr_tls_log_strerror_printf("Failed finalising digest");
+ fr_tls_strerror_printf("Failed finalising digest");
 goto error;
 }
@@ -712,7 +712,7 @@ static int ck_ik_prime_derive(fr_aka_sim_keys_t *keys)
 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, k, sizeof(k));
 if (!pkey) {
- fr_tls_log_strerror_printf("Failed creating HMAC signing key");
+ fr_tls_strerror_printf("Failed creating HMAC signing key");
 error:
 if (pkey) EVP_PKEY_free(pkey);
 if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
@@ -721,12 +721,12 @@ static int ck_ik_prime_derive(fr_aka_sim_keys_t *keys)
 md_ctx = EVP_MD_CTX_create();
 if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating HMAC ctx");
+ fr_tls_strerror_printf("Failed creating HMAC ctx");
 goto error;
 }
 if (EVP_DigestSignInit(md_ctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
 goto error;
 }
@@ -781,7 +781,7 @@ static int aka_prime_prf(uint8_t *out, size_t outlen,
 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
 if (!pkey) {
- fr_tls_log_strerror_printf("Failed creating HMAC signing key");
+ fr_tls_strerror_printf("Failed creating HMAC signing key");
 error:
 if (pkey) EVP_PKEY_free(pkey);
 if (md_ctx) EVP_MD_CTX_destroy(md_ctx);
@@ -790,12 +790,12 @@ static int aka_prime_prf(uint8_t *out, size_t outlen,
 md_ctx = EVP_MD_CTX_create();
 if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating HMAC ctx");
+ fr_tls_strerror_printf("Failed creating HMAC ctx");
 goto error;
 }
 if (EVP_DigestSignInit(md_ctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
 goto error;
 }
@@ -1078,24 +1078,24 @@ int fr_aka_sim_crypto_kdf_0_reauth(fr_aka_sim_keys_t *keys)
 */
 md_ctx = EVP_MD_CTX_create();
 if (!md_ctx) {
- fr_tls_log_strerror_printf("Failed creating MD ctx");
+ fr_tls_strerror_printf("Failed creating MD ctx");
 error:
 EVP_MD_CTX_destroy(md_ctx);
 return -1;
 }
 if (EVP_DigestInit_ex(md_ctx, EVP_sha1(), NULL) != 1) {
- fr_tls_log_strerror_printf("Failed initialising digest");
+ fr_tls_strerror_printf("Failed initialising digest");
 goto error;
 }
 if (EVP_DigestUpdate(md_ctx, buf, p - buf) != 1) {
- fr_tls_log_strerror_printf("Failed digesting crypto data");
+ fr_tls_strerror_printf("Failed digesting crypto data");
 goto error;
 }
 if (EVP_DigestFinal_ex(md_ctx, keys->reauth.xkey_prime, &len) != 1) {
- fr_tls_log_strerror_printf("Failed finalising digest");
+ fr_tls_strerror_printf("Failed finalising digest");
 goto error;
 }
diff --git a/src/lib/eap_aka_sim/decode.c b/src/lib/eap_aka_sim/decode.c
index ee29bad4794..a9c5b206288 100644
--- a/src/lib/eap_aka_sim/decode.c
+++ b/src/lib/eap_aka_sim/decode.c
@@ -180,7 +180,7 @@ static ssize_t sim_value_decrypt(TALLOC_CTX *ctx, uint8_t **out,
 evp_ctx = aka_sim_crypto_cipher_ctx();
 if (!EVP_DecryptInit_ex(evp_ctx, evp_cipher, NULL, packet_ctx->k_encr, packet_ctx->iv)) {
- fr_tls_log_strerror_printf("%s: Failed setting decryption parameters", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed setting decryption parameters", __FUNCTION__);
 error:
 talloc_free(decr);
 return -1;
@@ -199,13 +199,13 @@ static ssize_t sim_value_decrypt(TALLOC_CTX *ctx, uint8_t **out,
 */
 EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
 if (!EVP_DecryptUpdate(evp_ctx, decr, (int *)&len, data, attr_len)) {
- fr_tls_log_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
 goto error;
 }
 decr_len = len;
 if (!EVP_DecryptFinal_ex(evp_ctx, decr + decr_len, (int *)&len)) {
- fr_tls_log_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
 goto error;
 }
 decr_len += len;
diff --git a/src/lib/eap_aka_sim/encode.c b/src/lib/eap_aka_sim/encode.c
index d510bbba692..f6e73f4a91d 100644
--- a/src/lib/eap_aka_sim/encode.c
+++ b/src/lib/eap_aka_sim/encode.c
@@ -201,7 +201,7 @@ static ssize_t encode_encrypted_value(fr_dbuff_t *dbuff,
 evp_ctx = aka_sim_crypto_cipher_ctx();
 if (unlikely(EVP_EncryptInit_ex(evp_ctx, evp_cipher, NULL, packet_ctx->k_encr, packet_ctx->iv) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
 error:
 talloc_free(encr);
 return PAIR_ENCODE_FATAL_ERROR;
@@ -226,13 +226,13 @@ static ssize_t encode_encrypted_value(fr_dbuff_t *dbuff,
 */
 EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
 if (unlikely(EVP_EncryptUpdate(evp_ctx, encr, (int *)&len, fr_dbuff_start(&work_dbuff), total_len) != 1)) {
- fr_tls_log_strerror_printf("%s: Failed encrypting attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed encrypting attribute", __FUNCTION__);
 goto error;
 }
 encr_len = len;
 if (unlikely(EVP_EncryptFinal_ex(evp_ctx, encr + encr_len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("%s: Failed finalising encrypted attribute", __FUNCTION__);
+ fr_tls_strerror_printf("%s: Failed finalising encrypted attribute", __FUNCTION__);
 goto error;
 }
 encr_len += len;
diff --git a/src/lib/eap_aka_sim/id.c b/src/lib/eap_aka_sim/id.c
index 3e4cf32598e..81c00117bfa 100644
--- a/src/lib/eap_aka_sim/id.c
+++ b/src/lib/eap_aka_sim/id.c
@@ -470,7 +470,7 @@ int fr_aka_sim_id_3gpp_pseudonym_encrypt(char out[AKA_SIM_3GPP_PSEUDONYM_LEN + 1
 */
 evp_ctx = aka_sim_crypto_cipher_ctx();
 if (unlikely(EVP_EncryptInit_ex(evp_ctx, EVP_aes_128_ecb(), NULL, key, NULL) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
 error:
 return -1;
 }
@@ -487,13 +487,13 @@ int fr_aka_sim_id_3gpp_pseudonym_encrypt(char out[AKA_SIM_3GPP_PSEUDONYM_LEN + 1
 */
 EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
 if (unlikely(EVP_EncryptUpdate(evp_ctx, encr, (int *)&len, padded, sizeof(padded)) != 1)) {
- fr_tls_log_strerror_printf("Failed encrypting padded IMSI");
+ fr_tls_strerror_printf("Failed encrypting padded IMSI");
 goto error;
 }
 encr_len = len;
 if (unlikely(EVP_EncryptFinal_ex(evp_ctx, encr + len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("Failed finalising encrypted IMSI");
+ fr_tls_strerror_printf("Failed finalising encrypted IMSI");
 goto error;
 }
 encr_len += len;
@@ -613,7 +613,7 @@ int fr_aka_sim_id_3gpp_pseudonym_decrypt(char out[AKA_SIM_IMSI_MAX_LEN + 1],
 evp_ctx = aka_sim_crypto_cipher_ctx();
 if (unlikely(EVP_DecryptInit_ex(evp_ctx, EVP_aes_128_ecb(), NULL, key, NULL) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
 error:
 return -1;
 }
@@ -629,13 +629,13 @@ int fr_aka_sim_id_3gpp_pseudonym_decrypt(char out[AKA_SIM_IMSI_MAX_LEN + 1],
 */
 EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
 if (unlikely(EVP_DecryptUpdate(evp_ctx, decr, (int *)&len, dec, sizeof(dec)) != 1)) {
- fr_tls_log_strerror_printf("Failed decypting IMSI");
+ fr_tls_strerror_printf("Failed decypting IMSI");
 goto error;
 }
 decr_len = len;
 if (unlikely(EVP_DecryptFinal_ex(evp_ctx, decr + len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("Failed finalising decypted IMSI");
+ fr_tls_strerror_printf("Failed finalising decypted IMSI");
 goto error;
 }
 decr_len += len;
diff --git a/src/lib/sim/milenage.c b/src/lib/sim/milenage.c
index fc0479f5d1a..744ed13bf74 100644
--- a/src/lib/sim/milenage.c
+++ b/src/lib/sim/milenage.c
@@ -35,7 +35,7 @@ static inline int aes_128_encrypt_block(EVP_CIPHER_CTX *evp_ctx,
 size_t len = 0;
 if (unlikely(EVP_EncryptInit_ex(evp_ctx, EVP_aes_128_ecb(), NULL, key, NULL) != 1)) {
- fr_tls_log_strerror_printf("Failed initialising AES-128-ECB context");
+ fr_tls_strerror_printf("Failed initialising AES-128-ECB context");
 return -1;
 }
@@ -52,7 +52,7 @@ static inline int aes_128_encrypt_block(EVP_CIPHER_CTX *evp_ctx,
 EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
 if (unlikely(EVP_EncryptUpdate(evp_ctx, out, (int *)&len, in, 16) != 1) ||
 unlikely(EVP_EncryptFinal_ex(evp_ctx, out + len, (int *)&len) != 1)) {
- fr_tls_log_strerror_printf("Failed encrypting data");
+ fr_tls_strerror_printf("Failed encrypting data");
 return -1;
 }
@@ -91,7 +91,7 @@ static int milenage_f1(uint8_t mac_a[MILENAGE_MAC_A_SIZE],
 evp_ctx = EVP_CIPHER_CTX_new();
 if (!evp_ctx) {
- fr_tls_log_strerror_printf("Failed allocating EVP context");
+ fr_tls_strerror_printf("Failed allocating EVP context");
 return -1;
 }
@@ -166,7 +166,7 @@ static int milenage_f2345(uint8_t res[MILENAGE_RES_SIZE],
 evp_ctx = EVP_CIPHER_CTX_new();
 if (!evp_ctx) {
- fr_tls_log_strerror_printf("Failed allocating EVP context");
+ fr_tls_strerror_printf("Failed allocating EVP context");
 return -1;
 }
@@ -251,7 +251,7 @@ int milenage_opc_generate(uint8_t opc[MILENAGE_OPC_SIZE],
 evp_ctx = EVP_CIPHER_CTX_new();
 if (!evp_ctx) {
- fr_tls_log_strerror_printf("Failed allocating EVP context");
+ fr_tls_strerror_printf("Failed allocating EVP context");
 return -1;
 }
 ret = aes_128_encrypt_block(evp_ctx, ki, op, tmp);
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index 074b251c427..0ee6583bcf1 100644
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -312,7 +312,7 @@ int fr_openssl_thread_init(size_t async_pool_size_init, size_t async_pool_size_m
 bool *init = talloc_zero(NULL, bool);
 if (ASYNC_init_thread(async_pool_size_max, async_pool_size_init) != 1) {
- fr_tls_log_error(NULL, "Failed initialising OpenSSL async context pool");
+ fr_tls_log(NULL, "Failed initialising OpenSSL async context pool");
 return -1;
 }
@@ -344,12 +344,12 @@ void fr_openssl_free(void)
 static void _openssl_provider_free(void)
 {
 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
- fr_tls_log_error(NULL, "Failed unloading default provider");
+ fr_tls_log(NULL, "Failed unloading default provider");
 }
 openssl_default_provider = NULL;
 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
- fr_tls_log_error(NULL, "Failed unloading legacy provider");
+ fr_tls_log(NULL, "Failed unloading legacy provider");
 }
 openssl_legacy_provider = NULL;
 }
@@ -385,7 +385,7 @@ int fr_openssl_init(void)
 * by OpenSSL.
 */
 if (CRYPTO_set_mem_functions(fr_openssl_talloc, fr_openssl_talloc_realloc, fr_openssl_talloc_free) != 1) {
- fr_tls_log_error(NULL, "Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
+ fr_tls_log(NULL, "Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
 return -1;
 }
@@ -398,7 +398,7 @@ int fr_openssl_init(void)
 * the contexts have been cleaned up.
 */
 if (OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT | OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
- fr_tls_log_error(NULL, "Failed calling OPENSSL_init_crypto()");
+ fr_tls_log(NULL, "Failed calling OPENSSL_init_crypto()");
 return -1;
 }
@@ -408,7 +408,7 @@ int fr_openssl_init(void)
 */
 openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
 if (!openssl_default_provider) {
- fr_tls_log_error(NULL, "Failed loading default provider");
+ fr_tls_log(NULL, "Failed loading default provider");
 return -1;
 }
@@ -419,7 +419,7 @@ int fr_openssl_init(void)
 */
 openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
 if (!openssl_legacy_provider) {
- fr_tls_log_error(NULL, "Failed loading legacy provider");
+ fr_tls_log(NULL, "Failed loading legacy provider");
 return -1;
 }
 #endif
@@ -482,12 +482,12 @@ int fr_openssl_fips_mode(bool enabled)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
- fr_tls_log_error(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+ fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
 return -1;
 }
 #else
 if (!FIPS_mode_set(enabled ? 1 : 0)) {
- fr_tls_log_error(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+ fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
 return -1;
 }
 #endif
diff --git a/src/lib/tls/cache.c b/src/lib/tls/cache.c
index 50f7aac9b5b..78053b952cc 100644
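Review bot: The new line in the `@@ -398` hunk of src/lib/tls/base.c still reports `Failed calling OPENSSL_init_crypto()` although the call that is checked on the line above is `OPENSSL_init_ssl()`; the rename carries the mismatch over, and anyone triaging a startup failure from the log will look at the wrong initialiser. Suggest `fr_tls_log(NULL, "Failed calling OPENSSL_init_ssl()");` so the message names the function whose error stack is being drained. The enclosing fr_openssl_init() starts and ends outside the hunk.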
--- a/src/lib/tls/cache.c
+++ b/src/lib/tls/cache.c
@@ -215,7 +215,7 @@ static int tls_cache_app_data_set(request_t *request, SSL_SESSION *sess)
 if (ret != 1) {
 SESSION_ID(sess_id, sess);
- fr_tls_log_error(request, "Session ID %pV - Failed setting application data", &sess_id);
+ fr_tls_log(request, "Session ID %pV - Failed setting application data", &sess_id);
 return -1;
 }
@@ -235,7 +235,7 @@ static int tls_cache_app_data_get(request_t *request, SSL_SESSION *sess)
 if (SSL_SESSION_get0_ticket_appdata(sess, (void **)&data, &data_len) != 1) {
 SESSION_ID(sess_id, sess);
- fr_tls_log_error(request, "Session ID %pV - Failed retrieving application data", &sess_id);
+ fr_tls_log(request, "Session ID %pV - Failed retrieving application data", &sess_id);
 return -1;
 }
@@ -367,7 +367,7 @@ static unlang_action_t tls_cache_load_result(UNUSED rlm_rcode_t *p_result, UNUSE
 sess = d2i_SSL_SESSION(NULL, p, vp->vp_length);
 if (!sess) {
- fr_tls_log_error(request, "Failed loading persisted session");
+ fr_tls_log(request, "Failed loading persisted session");
 goto error;
 }
@@ -543,7 +543,7 @@ unlang_action_t tls_cache_store_push(request_t *request, fr_tls_conf_t *conf, fr
 fr_tls_cache_id_to_box_shallow(&id, sess);
 /* something went wrong */
- fr_tls_log_strerror_printf(NULL); /* Drain the OpenSSL error stack */
+ fr_tls_strerror_printf(NULL); /* Drain the OpenSSL error stack */
 RPWDEBUG("Session ID %pV - Serialisation failed, couldn't determine "
 "required buffer length", &id);
 error:
@@ -562,7 +562,7 @@ unlang_action_t tls_cache_store_push(request_t *request, fr_tls_conf_t *conf, fr
 fr_value_box_t id;
 fr_tls_cache_id_to_box_shallow(&id, sess);
- fr_tls_log_strerror_printf(NULL); /* Drain the OpenSSL error stack */
+ fr_tls_strerror_printf(NULL); /* Drain the OpenSSL error stack */
 RPWDEBUG("Session ID %pV - Serialisation failed", &id);
 talloc_free(data);
 goto error;
@@ -1421,33 +1421,33 @@ int fr_tls_cache_ctx_init(SSL_CTX *ctx, fr_tls_cache_conf_t const *cache_conf)
 key_len = SSL_CTX_set_tlsext_ticket_keys(ctx, NULL, 0);
 if (unlikely((pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed initialising KDF");
 kdf_error:
 if (pkey_ctx) EVP_PKEY_CTX_free(pkey_ctx);
 return -1;
 }
 if (unlikely(EVP_PKEY_derive_init(pkey_ctx) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed initialising KDF derivation ctx");
 goto kdf_error;
 }
 if (unlikely(EVP_PKEY_CTX_set_hkdf_md(pkey_ctx, UNCONST(struct evp_md_st *, EVP_sha256())) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed setting KDF MD");
 goto kdf_error;
 }
 if (unlikely(EVP_PKEY_CTX_set1_hkdf_key(pkey_ctx, UNCONST(unsigned char *, cache_conf->session_ticket_key), talloc_array_length(cache_conf->session_ticket_key)) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed setting KDF key");
 goto kdf_error;
 }
 if (unlikely(EVP_PKEY_CTX_add1_hkdf_info(pkey_ctx, UNCONST(unsigned char *, "freeradius-session-ticket"), sizeof("freeradius-session-ticket") - 1) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed setting KDF label");
 goto kdf_error;
 }
@@ -1458,7 +1458,7 @@ int fr_tls_cache_ctx_init(SSL_CTX *ctx, fr_tls_cache_conf_t const *cache_conf)
 */
 MEM(key_buff = talloc_array(NULL, uint8_t, key_len));
 if (EVP_PKEY_derive(pkey_ctx, key_buff, &key_len) != 1) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed deriving session ticket key");
 talloc_free(key_buff);
@@ -1472,7 +1472,7 @@ int fr_tls_cache_ctx_init(SSL_CTX *ctx, fr_tls_cache_conf_t const *cache_conf)
 */
 if (SSL_CTX_set_tlsext_ticket_keys(ctx, key_buff, key_len) != 1) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed setting session ticket keys");
 return -1;
 }
@@ -1489,7 +1489,7 @@ int fr_tls_cache_ctx_init(SSL_CTX *ctx, fr_tls_cache_conf_t const *cache_conf)
 tls_cache_session_ticket_app_data_set,
 tls_cache_session_ticket_app_data_get,
 UNCONST(fr_tls_cache_conf_t *, cache_conf)) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed setting session ticket callbacks");
 return -1;
 }
diff --git a/src/lib/tls/conf.c b/src/lib/tls/conf.c
index 4a60f5b0d63..b5f1d2a0a8e 100644
--- a/src/lib/tls/conf.c
+++ b/src/lib/tls/conf.c
@@ -318,7 +318,7 @@ static X509_STORE *conf_ocsp_revocation_store(fr_tls_conf_t *conf)
 /* Load the CAs we trust */
 if (conf->ca_file || conf->ca_path)
 if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
- fr_tls_log_error(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
+ fr_tls_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
 X509_STORE_free(store);
 return NULL;
 }
diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c
index 13eea42e88f..fdc76149938 100644
--- a/src/lib/tls/ctx.c
+++ b/src/lib/tls/ctx.c
@@ -155,13 +155,13 @@ static int tls_ctx_verify_chain_member(fr_unix_time_t *expires_first, X509 **sel
 }
 if (!SSL_CTX_get0_chain_certs(ctx, &chain)) {
- fr_tls_log_error(NULL, "Failed retrieving chain certificates");
+ fr_tls_log(NULL, "Failed retrieving chain certificates");
 return -1;
 }
 switch (fr_tls_cert_is_valid(NULL, ¬_after, to_verify)) {
 case -1:
- fr_tls_log_certificate_chain_marker(NULL, L_ERR, chain, leaf, to_verify);
+ fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
 PERROR("Malformed certificate");
 return -1;
@@ -169,12 +169,12 @@ static int tls_ctx_verify_chain_member(fr_unix_time_t *expires_first, X509 **sel
 case -3:
 switch (verify_mode) {
 case FR_TLS_CHAIN_VERIFY_SOFT:
- fr_tls_log_certificate_chain_marker(NULL, L_WARN, chain, leaf, to_verify);
+ fr_tls_chain_marker_log(NULL, L_WARN, chain, leaf, to_verify);
 PWARN("Certificate validation failed");
 break;
 case FR_TLS_CHAIN_VERIFY_HARD:
- fr_tls_log_certificate_chain_marker(NULL, L_ERR, chain, leaf, to_verify);
+ fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
 PERROR("Certificate validation failed");
 return -1;
@@ -212,22 +212,22 @@ static int tls_ctx_verify_chain_member(fr_unix_time_t *expires_first, X509 **sel
 case FR_TLS_CHAIN_VERIFY_SOFT:
 WARN("Found multiple self-signed certificates in chain");
 WARN("First certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_WARN,
+ fr_tls_chain_marker_log(NULL, L_WARN,
 chain, leaf, *self_signed);
 WARN("Second certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_WARN,
+ fr_tls_chain_marker_log(NULL, L_WARN,
 chain, leaf, to_verify);
 break;
 case FR_TLS_CHAIN_VERIFY_HARD:
 ERROR("Found multiple self-signed certificates in chain");
 ERROR("First certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_ERR,
+ fr_tls_chain_marker_log(NULL, L_ERR,
 chain, leaf, *self_signed);
 ERROR("Second certificate was:");
- fr_tls_log_certificate_chain_marker(NULL, L_ERR,
+ fr_tls_chain_marker_log(NULL, L_ERR,
 chain, leaf, to_verify);
 return -1;
@@ -278,7 +278,7 @@ static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, boo
 switch (chain->file_format) {
 case SSL_FILETYPE_PEM:
 if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
- fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
+ fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
 chain->certificate_file);
 return -1;
 }
@@ -286,7 +286,7 @@ static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, boo
 case SSL_FILETYPE_ASN1:
 if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
- fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"",
+ fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
 chain->certificate_file);
 return -1;
 }
@@ -298,7 +298,7 @@ static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, boo
 }
 if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
- fr_tls_log_error(NULL, "Failed reading private key file \"%s\"",
+ fr_tls_log(NULL, "Failed reading private key file \"%s\"",
 chain->private_key_file);
 return -1;
 }
@@ -343,7 +343,7 @@ static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, boo
 fclose(fp);
 if (!cert) {
- fr_tls_log_error(NULL, "Failed reading certificate file \"%s\"", filename);
+ fr_tls_log(NULL, "Failed reading certificate file \"%s\"", filename);
 return -1;
 }
 SSL_CTX_add0_chain_cert(ctx, cert);
@@ -381,7 +381,7 @@ static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, boo
 chain->verify_mode) < 0) return -1;
 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
- fr_tls_log_error(NULL, "Failed retrieving chain certificates");
+ fr_tls_log(NULL, "Failed retrieving chain certificates");
 return -1;
 }
@@ -435,14 +435,14 @@ DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
 */
 case FR_TLS_CHAIN_VERIFY_SOFT:
 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PWARN("Failed verifying chain");
 }
 break;
 case FR_TLS_CHAIN_VERIFY_HARD:
 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("Failed verifying chain");
 return -1;
 }
@@ -515,7 +515,7 @@ int tls_ctx_version_set(
 }
 if (!SSL_CTX_set_max_proto_version(ctx, max_version)) {
- fr_tls_log_error(NULL, "Failed setting TLS maximum version");
+ fr_tls_log(NULL, "Failed setting TLS maximum version");
 goto error;
 }
 }
@@ -546,7 +546,7 @@ int tls_ctx_version_set(
 }
 if (!SSL_CTX_set_min_proto_version(ctx, min_version)) {
- fr_tls_log_error(NULL, "Failed setting TLS minimum version");
+ fr_tls_log(NULL, "Failed setting TLS minimum version");
 goto error;
 }
 }
@@ -615,7 +615,7 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 ctx = SSL_CTX_new(SSLv23_method());
 if (!ctx) {
- fr_tls_log_error(NULL, "Failed creating TLS context");
+ fr_tls_log(NULL, "Failed creating TLS context");
 return NULL;
 }
@@ -772,7 +772,7 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 * It's also possible to add extra virtual server lookups
 */
 if (!X509_STORE_load_locations(verify_store, conf->ca_file, conf->ca_path)) {
- fr_tls_log_error(NULL, "Failed reading Trusted root CA list \"%s\"",
+ fr_tls_log(NULL, "Failed reading Trusted root CA list \"%s\"",
 conf->ca_file);
 goto error;
 }
@@ -867,11 +867,11 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 */
 DEBUG3("%s chain", fr_tls_utils_x509_pkey_type(our_cert));
 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
- fr_tls_log_error(NULL, "Failed retrieving chain certificates");
+ fr_tls_log(NULL, "Failed retrieving chain certificates");
 goto error;
 }
- if (DEBUG_ENABLED3) fr_tls_log_certificate_chain(NULL, L_DBG, our_chain, our_cert);
+ if (DEBUG_ENABLED3) fr_tls_chain_log(NULL, L_DBG, our_chain, our_cert);
 }
 (void)SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); /* Reset */
 }
@@ -957,7 +957,7 @@ post_ca:
 if (conf->verify.check_crl) {
 cert_vpstore = SSL_CTX_get_cert_store(ctx);
 if (cert_vpstore == NULL) {
- fr_tls_log_error(NULL, "Error reading Certificate Store");
+ fr_tls_log(NULL, "Error reading Certificate Store");
 goto error;
 }
 X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
@@ -1002,7 +1002,7 @@ post_ca:
 */
 if (conf->cipher_list) {
 if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
- fr_tls_log_error(NULL, "Failed setting cipher list");
+ fr_tls_log(NULL, "Failed setting cipher list");
 goto error;
 }
 }
@@ -1017,7 +1017,7 @@ post_ca:
 ssl = SSL_new(ctx);
 if (!ssl) {
- fr_tls_log_error(NULL, "Failed creating temporary SSL session");
+ fr_tls_log(NULL, "Failed creating temporary SSL session");
 goto error;
 }
diff --git a/src/lib/tls/engine.c b/src/lib/tls/engine.c
index 239769ff8bd..6d37007e8d8 100644
--- a/src/lib/tls/engine.c
+++ b/src/lib/tls/engine.c
@@ -206,12 +206,12 @@ static int _tls_engine_free(tls_engine_t *our_e)
 * so someone will investigate.
 */
 if (unlikely(ENGINE_finish(our_e->e) != 1)) {
- fr_tls_log_error(NULL, "de-init on engine %s failed", our_e->id);
+ fr_tls_log(NULL, "de-init on engine %s failed", our_e->id);
 return -1;
 }
 if (unlikely(ENGINE_free(our_e->e) != 1)) {
- fr_tls_log_error(NULL, "free on engine %s failed", our_e->id);
+ fr_tls_log(NULL, "free on engine %s failed", our_e->id);
 return -1;
 }
@@ -334,13 +334,13 @@ int fr_tls_engine_init(ENGINE **e_out,
 * success or 0 on error.
 */
 if (ret != 1) {
- fr_tls_log_strerror_printf("control %s failed (%i)", ctrl->name, ret);
+ fr_tls_strerror_printf("control %s failed (%i)", ctrl->name, ret);
 goto error;
 }
 }
 if (unlikely(ENGINE_init(e) != 1)) {
- fr_tls_log_strerror_printf("failed initialising engine %s", id);
+ fr_tls_strerror_printf("failed initialising engine %s", id);
 goto error;
 }
diff --git a/src/lib/tls/log.c b/src/lib/tls/log.c
index 5bc3e9169ee..1bf73e4424a 100644
--- a/src/lib/tls/log.c
+++ b/src/lib/tls/log.c
@@ -97,80 +97,55 @@ static _Thread_local fr_tls_log_bio_t *request_log_bio;
 */
 static _Thread_local fr_tls_log_bio_t *global_log_bio;
-static void _tls_ctx_print_cert_line(char const *file, int line,
- request_t *request, fr_log_type_t log_type, int idx, X509 *cert)
+static void _tls_cert_line_push(char const *file, int line, int idx, X509 *cert)
 {
 char subject[1024];
 X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
 subject[sizeof(subject) - 1] = '\0';
- if (request) {
- log_request(log_type, fr_debug_lvl, request, file, line,
- "[%i] %s %s", idx, fr_tls_utils_x509_pkey_type(cert), subject);
- } else {
- fr_log(LOG_DST, log_type, file, line,
- "[%i] %s %s", idx, fr_tls_utils_x509_pkey_type(cert), subject);
- }
+ _fr_strerror_printf_push(file, line, "[%i] %s %s", idx, fr_tls_utils_x509_pkey_type(cert), subject);
 }
-static void _tls_ctx_print_cert_line_marker(char const *file, int line,
- request_t *request, fr_log_type_t log_type, int idx,
- X509 *cert, bool marker)
+static void _tls_cert_line_marker_push(char const *file, int line,
+ int idx, X509 *cert, bool marker)
 {
 char subject[1024];
 X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
 subject[sizeof(subject) - 1] = '\0';
- if (request) {
- log_request(log_type, fr_debug_lvl, request, file, line,
- "%s [%i] %s %s", marker ? ">" : " ",
- idx, fr_tls_utils_x509_pkey_type(cert), subject);
- } else {
- fr_log(LOG_DST, log_type, file, line,
- "%s [%i] %s %s", marker ? ">" : " ",
- idx, fr_tls_utils_x509_pkey_type(cert), subject);
- }
+ _fr_strerror_printf_push(file, line, "%s [%i] %s %s", marker ? ">" : " ",
+ idx, fr_tls_utils_x509_pkey_type(cert), subject);
 }
-static void _tls_ctx_print_cert_line_no_idx(char const *file, int line,
- request_t *request, fr_log_type_t log_type, X509 *cert)
+static void _tls_cert_line_marker_no_idx_push(char const *file, int line, X509 *cert)
 {
 char subject[1024];
 X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
 subject[sizeof(subject) - 1] = '\0';
- if (request) {
- log_request(log_type, fr_debug_lvl, request, file, line,
- "%s %s", fr_tls_utils_x509_pkey_type(cert), subject);
- } else {
- fr_log(LOG_DST, log_type, file, line,
- "%s %s", fr_tls_utils_x509_pkey_type(cert), subject);
- }
+ _fr_strerror_printf_push(file, line, "%s %s", fr_tls_utils_x509_pkey_type(cert), subject);
 }
 DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
 DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
-/** Print out the current stack of certs
+/** Print out the current stack of certs to the thread local error buffer
 *
 * @param[in] file File where this function is being called.
 * @param[in] line Line where this function is being called.
- * @param[in] request Current request, may be NULL.
- * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
 * @param[in] chain The certificate chain.
 * @param[in] cert The leaf certificate.
 */
-void _fr_tls_log_certificate_chain(char const *file, int line,
- request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *cert)
+void _fr_tls_chain_push(char const *file, int line, STACK_OF(X509) *chain, X509 *cert)
 {
 int i;
 for (i = sk_X509_num(chain); i > 0 ; i--) {
- _tls_ctx_print_cert_line(file, line, request, log_type, i, sk_X509_value(chain, i - 1));
+ _tls_cert_line_push(file, line, i, sk_X509_value(chain, i - 1));
 }
- if (cert) _tls_ctx_print_cert_line(file, line, request, log_type, i, cert);
+ if (cert) _tls_cert_line_push(file, line, i, cert);
 }
 /** Print out the current stack of certs
@@ -181,32 +156,77 @@ void _fr_tls_log_certificate_chain(char const *file, int line,
 * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
 * @param[in] chain The certificate chain.
 * @param[in] cert The leaf certificate.
+ */
+void _fr_tls_chain_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type,
+ STACK_OF(X509) *chain, X509 *cert)
+{
+ /*
+ * Dump to the thread local buffer
+ */
+ fr_strerror_clear();
+ _fr_tls_chain_push(file, line, chain, cert);
+ if (request) {
+ log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
+ } else {
+ fr_perror(NULL);
+ }
+}
+
+/** Print out the current stack of certs to the thread local error buffer
+ *
+ * @param[in] file File where this function is being called.
+ * @param[in] line Line where this function is being called.
+ * @param[in] chain The certificate chain.
+ * @param[in] cert The leaf certificate.
 * @param[in] marker The certificate we want to mark.
 */
-void _fr_tls_log_certificate_chain_marker(char const *file, int line,
- request_t *request, fr_log_type_t log_type,
- STACK_OF(X509) *chain, X509 *cert, X509 *marker)
+void _fr_tls_chain_marker_push(char const *file, int line,
+ STACK_OF(X509) *chain, X509 *cert, X509 *marker)
 {
 int i;
 for (i = sk_X509_num(chain); i > 0 ; i--) {
 X509 *selected = sk_X509_value(chain, i - 1);
- _tls_ctx_print_cert_line_marker(file, line, request, log_type, i, selected, (selected == marker));
+ _tls_cert_line_marker_push(file, line, i, selected, (selected == marker));
+ }
+ if (cert) _tls_cert_line_marker_push(file, line, i, cert, (cert == marker));
+}
+
+/** Print out the current stack of certs
+ *
+ * @param[in] file File where this function is being called.
+ * @param[in] line Line where this function is being called.
+ * @param[in] request Current request, may be NULL.
+ * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
+ * @param[in] chain The certificate chain.
+ * @param[in] cert The leaf certificate.
+ * @param[in] marker The certificate we want to mark.
+ */
+void _fr_tls_chain_marker_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type,
+ STACK_OF(X509) *chain, X509 *cert, X509 *marker)
+{
+ /*
+ * Dump to the thread local buffer
+ */
+ fr_strerror_clear();
+ _fr_tls_chain_marker_push(file, line, chain, cert, marker);
+ if (request) {
+ log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
+ } else {
+ fr_perror(NULL);
 }
- if (cert) _tls_ctx_print_cert_line_marker(file, line, request, log_type, i, cert, (cert == marker));
 }
 /** Print out the current stack of X509 objects (certificates only)
 *
 * @param[in] file File where this function is being called.
 * @param[in] line Line where this function is being called.
- * @param[in] request Current request, may be NULL.
- * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
 * @param[in] objects A stack of X509 objects
 */
-void _fr_tls_log_x509_objects(char const *file, int line,
- request_t *request, fr_log_type_t log_type,
- STACK_OF(X509_OBJECT) *objects)
+void _fr_tls_x509_objects_push(char const *file, int line,
+ STACK_OF(X509_OBJECT) *objects)
 {
 int i;
@@ -215,7 +235,10 @@ void _fr_tls_log_x509_objects(char const *file, int line,
 switch (X509_OBJECT_get_type(obj)) {
 case X509_LU_X509: /* X509 certificate */
- _tls_ctx_print_cert_line_no_idx(file, line, request, log_type, X509_OBJECT_get0_X509(obj));
+ /*
+ * Dump to the thread local buffer
+ */
+ _tls_cert_line_marker_no_idx_push(file, line, X509_OBJECT_get0_X509(obj));
 break;
 case X509_LU_CRL: /* Certificate revocation list */
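Review bot: `_fr_tls_chain_log` calls `fr_strerror_clear()` before pushing the chain, so — assuming `fr_strerror_clear` empties the thread-local error buffer, as its name suggests — any message the caller had already queued (for example with `fr_tls_strerror_printf`) is discarded instead of being printed ahead of the chain; `_fr_tls_chain_marker_log` further down this hunk and `_fr_tls_x509_objects_log` in the `@@ -227,6 +250,28 @@` hunk do the same. If that is intended, the doc comments of the three `_log` functions should say so, e.g. ` * @note Clears the thread local error buffer first, discarding any messages queued before this call.`; if not, drop the clear so the caller's messages precede the chain. The clear / push / `log_request_perror`-or-`fr_perror` sequence is also copied verbatim three times and would fit one static helper that does only the request-or-global dispatch after the caller has pushed.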
@@ -227,6 +250,28 @@ void _fr_tls_log_x509_objects(char const *file, int line,
 }
 }
+/** Print out the current stack of X509 objects (certificates only)
+ *
+ * @param[in] file File where this function is being called.
+ * @param[in] line Line where this function is being called.
+ * @param[in] request Current request, may be NULL.
+ * @param[in] log_type The type of log message to produce L_INFO, L_ERR, L_DBG etc...
+ * @param[in] objects A stack of X509 objects
+ */
+void _fr_tls_x509_objects_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type,
+ STACK_OF(X509_OBJECT) *objects)
+{
+
+ fr_strerror_clear();
+ _fr_tls_x509_objects_push(file, line, objects);
+ if (request) {
+ log_request_perror(log_type, L_DBG_LVL_OFF, request, file, line, NULL);
+ } else {
+ fr_perror(NULL);
+ }
+}
+
 DIAG_OFF(format-nonliteral)
 /** Print errors in the TLS thread local error stack
 *
@@ -427,7 +472,7 @@ int fr_tls_log_io_error(request_t *request, int err, char const *fmt, ...)
 * @param[in] ... Arguments for msg.
 * @return the number of errors drained from the stack.
 */
-int fr_tls_log_strerror_printf(char const *msg, ...)
+int fr_tls_strerror_printf(char const *msg, ...)
 {
 va_list ap;
 int ret;
@@ -448,7 +493,7 @@ int fr_tls_log_strerror_printf(char const *msg, ...)
 * @param[in] ... Arguments for msg.
 * @return the number of errors drained from the stack.
 */
-int fr_tls_log_error(request_t *request, char const *msg, ...)
+int fr_tls_log(request_t *request, char const *msg, ...)
 {
 va_list ap;
 int ret;
@@ -465,7 +510,7 @@ int fr_tls_log_error(request_t *request, char const *msg, ...)
 /** Clear errors in the TLS thread local error stack
 *
 */
-void tls_log_clear(void)
+void fr_tls_log_clear(void)
 {
 while (ERR_get_error() != 0);
 }
diff --git a/src/lib/tls/log.h b/src/lib/tls/log.h
index 040b31db692..92c04e43e3c 100644
--- a/src/lib/tls/log.h
+++ b/src/lib/tls/log.h
@@ -36,31 +36,82 @@ RCSIDH(tls_log_h, "$Id$")
 #include "base.h"
-#define fr_tls_log_certificate_chain(...) \
- _fr_tls_log_certificate_chain( __FILE__, __LINE__, ## __VA_ARGS__)
-void _fr_tls_log_certificate_chain(char const *file, int line,
- request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf);
-
-#define fr_tls_log_certificate_chain_marker(...) \
- _fr_tls_log_certificate_chain_marker( __FILE__, __LINE__, ## __VA_ARGS__)
-void _fr_tls_log_certificate_chain_marker(char const *file, int line,
- request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain,
- X509 *leaf, X509 *marker);
-
-#define fr_tls_log_x509_objects(...) \
- _fr_tls_log_x509_objects( __FILE__, __LINE__, ## __VA_ARGS__)
-void _fr_tls_log_x509_objects(char const *file, int line,
+/** Push a representation of a certificate chain onto the thread local error stack
+ *
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ * @param[in] _marker The certificate to emit a marker for.
+ */
+#define fr_tls_chain_push(_chain, _leaf) \
+ _fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf)
+void _fr_tls_chain_push(char const *file, int line, STACK_OF(X509) *chain, X509 *cert);
+
+/** Write out a certificate chain to the request or global log
+ *
+ * @param[in] _request The current request or NULL if you want to write to the global log.
+ * @param[in] _log_type Type of log message to create.
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ */
+#define fr_tls_chain_log(_request, _log_type, _chain, _leaf) \
+ _fr_tls_chain_log( __FILE__, __LINE__, _request, _log_type, _chain, _leaf)
+void _fr_tls_chain_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf);
+
+/** Push a representation of a certificate chain with a marker onto the thread local error stack
+ *
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ * @param[in] _marker The certificate to emit a marker for.
+ */
+#define fr_tls_chain_marker_push(_chain, _leaf, _marker) \
+ _fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf, _marker)
+void _fr_tls_chain_marker_push(char const *file, int line,
+ STACK_OF(X509) *chain, X509 *cert, X509 *marker);
+
+/** Write out a certificate chain with a marker to the request or global log
+ *
+ * @param[in] _request The current request or NULL if you want to write to the global log.
+ * @param[in] _log_type Type of log message to create.
+ * @param[in] _chain A stack of X509 certificates representing the chain.
+ * @param[in] _leaf The leaf certificate. May be NULL.
+ * @param[in] _marker Emit a marker for this certificate.
+ */
+#define fr_tls_chain_marker_log(_request, _log_type, _chain, _leaf, _marker) \
+ _fr_tls_chain_marker_log( __FILE__, __LINE__, _request, _log_type, _chain, _leaf, _marker)
+void _fr_tls_chain_marker_log(char const *file, int line,
+ request_t *request, fr_log_type_t log_type, STACK_OF(X509) *chain, X509 *leaf,
+ X509 *marker);
+
+/** Push a collection of X509 objects into the thread local error stack
+ *
+ * @param[in] _objects to push onto the thread local error stack
+ */
+#define fr_tls_x509_objects_push(_objects) \
+ _fr_tls_x509_objects_push( __FILE__, __LINE__, _objects)
+void _fr_tls_x509_objects_push(char const *file, int line,
+ STACK_OF(X509_OBJECT) *objects);
+
+/** Write out a collection of X509 objects to the request or global log
+ *
+ * @param[in] _request The current request or NULL if you want to write to the global log.
+ * @param[in] _log_type Type of log message to create.
+ * @param[in] _objects to print to the log
+ */
+#define fr_tls_x509_objects_log(_request, _log_type, _objects) \
+ _fr_tls_x509_objects_log( __FILE__, __LINE__, _request, _log_type, _objects)
+void _fr_tls_x509_objects_log(char const *file, int line,
 request_t *request, fr_log_type_t log_type, STACK_OF(X509_OBJECT) *objects);
 int fr_tls_log_io_error(request_t *request, int err, char const *msg, ...) CC_HINT(format (printf, 3, 4));
-int fr_tls_log_strerror_printf(char const *msg, ...) CC_HINT(format (printf, 1, 2));
+int fr_tls_strerror_printf(char const *msg, ...) CC_HINT(format (printf, 1, 2));
-int fr_tls_log_error(request_t *request, char const *msg, ...) CC_HINT(format (printf, 2, 3));
+int fr_tls_log(request_t *request, char const *msg, ...) CC_HINT(format (printf, 2, 3));
-void tls_log_clear(void);
+void fr_tls_log_clear(void);
 /** Return a BIO that writes to the log of the specified request
 *
diff --git a/src/lib/tls/pairs.c b/src/lib/tls/pairs.c
index 06193f415b4..729e0b2f448 100644
--- a/src/lib/tls/pairs.c
+++ b/src/lib/tls/pairs.c
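Review bot: The `fr_tls_chain_marker_push` macro expands to `_fr_tls_chain_push( __FILE__, __LINE__, _chain, _leaf, _marker)`, i.e. the four-parameter function declared a few lines above it, so the first caller of the macro will fail to compile with a too-many-arguments error instead of reaching `_fr_tls_chain_marker_push`; the expansion should be `_fr_tls_chain_marker_push( __FILE__, __LINE__, _chain, _leaf, _marker)`. No caller of that macro appears in the visible part of this diff, which would explain why the build did not catch it. The doc comment on `fr_tls_chain_push` also lists a `_marker` parameter that the two-argument macro does not take; delete that `@param` line.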
@@ -76,7 +76,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
 if (unlikely(X509_NAME_print_ex(fr_tls_bio_dbuff_thread_local(vp, 256, 0), X509_get_subject_name(cert), 0, XN_FLAG_ONELINE) < 0)) {
 fr_tls_bio_dbuff_thread_local_clear();
- fr_tls_log_error(request, "Failed retrieving certificate subject");
+ fr_tls_log(request, "Failed retrieving certificate subject");
 error:
 fr_pair_list_free(pair_list);
 return -1;
@@ -98,7 +98,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
 slen = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, cn, (size_t)slen + 1);
 if (slen < 0) {
- fr_tls_log_error(request, "Failed retrieving certificate common name");
+ fr_tls_log(request, "Failed retrieving certificate common name");
 goto error;
 }
 }
@@ -129,7 +129,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
 if (unlikely(X509_NAME_print_ex(fr_tls_bio_dbuff_thread_local(vp, 256, 0), X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE) < 0)) {
 fr_tls_bio_dbuff_thread_local_clear();
- fr_tls_log_error(request, "Failed retrieving certificate issuer");
+ fr_tls_log(request, "Failed retrieving certificate issuer");
 goto error;
 }
 fr_pair_value_bstrdup_buffer_shallow(vp, fr_tls_bio_dbuff_thread_local_finalise_bstr(), true);
@@ -142,7 +142,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
 serial = X509_get0_serialNumber(cert);
 if (!serial) {
- fr_tls_log_error(request, "Failed retrieving certificate serial");
+ fr_tls_log(request, "Failed retrieving certificate serial");
 goto error;
 }
diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c
index 05207ad289d..ed8d169b368 100644
--- a/src/lib/tls/session.c
+++ b/src/lib/tls/session.c
@@ -1249,7 +1249,7 @@ static unlang_action_t tls_session_async_handshake_done_round(UNUSED rlm_rcode_t
 RDEBUG2("Asking for more data in tunnel");
 } else {
- fr_tls_log_error(NULL, NULL);
+ fr_tls_log(NULL, NULL);
 record_init(&tls_session->dirty_in);
 goto error;
 }
@@ -1709,7 +1709,7 @@ fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx,
 ssl = SSL_new(ssl_ctx);
 if (ssl == NULL) {
- fr_tls_log_error(request, "Error creating new TLS session");
+ fr_tls_log(request, "Error creating new TLS session");
 return NULL;
 }
 fr_pair_list_init(&tls_session->extra_pairs);
@@ -1804,19 +1804,19 @@ fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx,
 RDEBUG2("Loading TLS session certificate \"%pV\"", &vp->data);
 if (SSL_use_certificate_file(tls_session->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
- fr_tls_log_error(request, "Failed loading TLS session certificate \"%s\"",
+ fr_tls_log(request, "Failed loading TLS session certificate \"%s\"",
 vp->vp_strvalue);
 goto error;
 }
 if (SSL_use_PrivateKey_file(tls_session->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
- fr_tls_log_error(request, "Failed loading TLS session certificate \"%s\"",
+ fr_tls_log(request, "Failed loading TLS session certificate \"%s\"",
 vp->vp_strvalue);
 goto error;
 }
 if (SSL_check_private_key(tls_session->ssl) != 1) {
- fr_tls_log_error(request, "Failed validating TLS session certificate \"%s\"",
+ fr_tls_log(request, "Failed validating TLS session certificate \"%s\"",
 vp->vp_strvalue);
 goto error;
 }
diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index fa48954e104..3f68cc3f011 100644
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -91,7 +91,7 @@ static void tls_verify_error_detail(request_t *request, SSL_CTX *ctx, int err)
 RDEBUG2("Static certificates in verification store are");
 if (RDEBUG_ENABLED2) {
 RINDENT();
- fr_tls_log_x509_objects(request, L_DBG, X509_STORE_get0_objects(store));
+ fr_tls_x509_objects_log(request, L_DBG, X509_STORE_get0_objects(store));
 REXDENT();
 }
 break;
diff --git a/src/modules/rlm_cipher/rlm_cipher.c b/src/modules/rlm_cipher/rlm_cipher.c
index b02049c81c2..9dda19cf7ce 100644
--- a/src/modules/rlm_cipher/rlm_cipher.c
+++ b/src/modules/rlm_cipher/rlm_cipher.c
@@ -420,7 +420,7 @@ static int cipher_rsa_private_key_file_load(TALLOC_CTX *ctx, void *out, void *pa
 fclose(fp);
 if (!pkey) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 cf_log_perr(ci, "Error loading private certificate file \"%s\"", filename);
 return -1;
@@ -483,7 +483,7 @@ static int cipher_rsa_certificate_file_load(TALLOC_CTX *ctx, void *out, void *pa
 fclose(fp);
 if (!cert) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 cf_log_perr(ci, "Error loading certificate file \"%s\"", filename);
 return -1;
@@ -503,7 +503,7 @@ static int cipher_rsa_certificate_file_load(TALLOC_CTX *ctx, void *out, void *pa
 */
 pkey = X509_get_pubkey(cert);
 if (!pkey) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 cf_log_perr(ci, "Failed extracting public key from certificate");
 return -1;
@@ -604,7 +604,7 @@ static xlat_action_t cipher_rsa_encrypt_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 RHEXDUMP3((uint8_t const *)plaintext, plaintext_len, "Plaintext (%zu bytes)", plaintext_len);
 if (EVP_PKEY_encrypt(t->evp_encrypt_ctx, NULL, &ciphertext_len, (unsigned char const *)plaintext, plaintext_len) <= 0) {
- fr_tls_log_error(request, "Failed getting length of encrypted plaintext");
+ fr_tls_log(request, "Failed getting length of encrypted plaintext");
 return XLAT_ACTION_FAIL;
 }
@@ -612,7 +612,7 @@ static xlat_action_t cipher_rsa_encrypt_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 MEM(fr_value_box_mem_alloc(vb, &ciphertext, vb, NULL, ciphertext_len, false) == 0);
 if (EVP_PKEY_encrypt(t->evp_encrypt_ctx, ciphertext, &ciphertext_len, (unsigned char const *)plaintext, plaintext_len) <= 0) {
- fr_tls_log_error(request, "Failed encrypting plaintext");
+ fr_tls_log(request, "Failed encrypting plaintext");
 talloc_free(vb);
 return XLAT_ACTION_FAIL;
 }
@@ -667,17 +667,17 @@ static xlat_action_t cipher_rsa_sign_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 * First produce a digest of the message
 */
 if (unlikely(EVP_DigestInit_ex(t->evp_md_ctx, inst->rsa->sig_digest, NULL) <= 0)) {
- fr_tls_log_error(request, "Failed initialising message digest");
+ fr_tls_log(request, "Failed initialising message digest");
 return XLAT_ACTION_FAIL;
 }
 if (EVP_DigestUpdate(t->evp_md_ctx, msg, msg_len) <= 0) {
- fr_tls_log_error(request, "Failed ingesting message");
+ fr_tls_log(request, "Failed ingesting message");
 return XLAT_ACTION_FAIL;
 }
 if (EVP_DigestFinal_ex(t->evp_md_ctx, t->digest_buff, &digest_len) <= 0) {
- fr_tls_log_error(request, "Failed finalising message digest");
+ fr_tls_log(request, "Failed finalising message digest");
 return XLAT_ACTION_FAIL;
 }
 fr_assert((size_t)digest_len == talloc_array_length(t->digest_buff));
@@ -686,14 +686,14 @@ static xlat_action_t cipher_rsa_sign_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 * Then sign the digest
 */
 if (EVP_PKEY_sign(t->evp_sign_ctx, NULL, &sig_len, t->digest_buff, (size_t)digest_len) <= 0) {
- fr_tls_log_error(request, "Failed getting length of digest");
+ fr_tls_log(request, "Failed getting length of digest");
 return XLAT_ACTION_FAIL;
 }
 MEM(vb = fr_value_box_alloc_null(ctx));
 MEM(fr_value_box_mem_alloc(vb, &sig, vb, NULL, sig_len, false) == 0);
 if (EVP_PKEY_sign(t->evp_sign_ctx, sig, &sig_len, t->digest_buff, (size_t)digest_len) <= 0) {
- fr_tls_log_error(request, "Failed signing message digest");
+ fr_tls_log(request, "Failed signing message digest");
 talloc_free(vb);
 return XLAT_ACTION_FAIL;
 }
@@ -744,7 +744,7 @@ static xlat_action_t cipher_rsa_decrypt_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 */
 RHEXDUMP3(ciphertext, ciphertext_len, "Ciphertext (%zu bytes)", ciphertext_len);
 if (EVP_PKEY_decrypt(t->evp_decrypt_ctx, NULL, &plaintext_len, ciphertext, ciphertext_len) <= 0) {
- fr_tls_log_error(request, "Failed getting length of cleartext");
+ fr_tls_log(request, "Failed getting length of cleartext");
 return XLAT_ACTION_FAIL;
 }
@@ -752,7 +752,7 @@ static xlat_action_t cipher_rsa_decrypt_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 MEM(fr_value_box_bstr_alloc(vb, &plaintext, vb, NULL, plaintext_len, true) == 0);
 if (EVP_PKEY_decrypt(t->evp_decrypt_ctx, (unsigned char *)plaintext, &plaintext_len, ciphertext, ciphertext_len) <= 0) {
- fr_tls_log_error(request, "Failed decrypting ciphertext");
+ fr_tls_log(request, "Failed decrypting ciphertext");
 talloc_free(vb);
 return XLAT_ACTION_FAIL;
 }
@@ -841,17 +841,17 @@ static xlat_action_t cipher_rsa_verify_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 * First produce a digest of the message
 */
 if (unlikely(EVP_DigestInit_ex(t->evp_md_ctx, inst->rsa->sig_digest, NULL) <= 0)) {
- fr_tls_log_error(request, "Failed initialising message digest");
+ fr_tls_log(request, "Failed initialising message digest");
 return XLAT_ACTION_FAIL;
 }
 if (EVP_DigestUpdate(t->evp_md_ctx, msg, msg_len) <= 0) {
- fr_tls_log_error(request, "Failed ingesting message");
+ fr_tls_log(request, "Failed ingesting message");
 return XLAT_ACTION_FAIL;
 }
 if (EVP_DigestFinal_ex(t->evp_md_ctx, t->digest_buff, &digest_len) <= 0) {
- fr_tls_log_error(request, "Failed finalising message digest");
+ fr_tls_log(request, "Failed finalising message digest");
 return XLAT_ACTION_FAIL;
 }
 fr_assert((size_t)digest_len == talloc_array_length(t->digest_buff));
@@ -873,7 +873,7 @@ static xlat_action_t cipher_rsa_verify_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 break;
 default:
- fr_tls_log_error(request, "Failed validating signature");
+ fr_tls_log(request, "Failed validating signature");
 return XLAT_ACTION_FAIL;
 }
@@ -927,7 +927,7 @@ static xlat_action_t cipher_fingerprint_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 MEM(fr_value_box_mem_alloc(vb, &digest, vb, NULL, md_len, false) == 0);
 if (X509_digest(inst->rsa->x509_certificate_file, md, digest, (unsigned int *)&md_len) != 1) {
- fr_tls_log_error(request, "Failed calculating certificate fingerprint");
+ fr_tls_log(request, "Failed calculating certificate fingerprint");
 talloc_free(vb);
 return XLAT_ACTION_FAIL;
 }
@@ -955,7 +955,7 @@ static xlat_action_t cipher_serial_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
 serial = X509_get0_serialNumber(inst->rsa->x509_certificate_file);
 if (!serial) {
- fr_tls_log_error(request, "Failed retrieving certificate serial");
+ fr_tls_log(request, "Failed retrieving certificate serial");
 return XLAT_ACTION_FAIL;
 }
@@ -1027,7 +1027,7 @@ static int _evp_md_ctx_free(EVP_MD_CTX *evp_md_ctx)
 static int cipher_rsa_padding_params_set(EVP_PKEY_CTX *evp_pkey_ctx, cipher_rsa_t const *rsa_inst)
 {
 if (unlikely(EVP_PKEY_CTX_set_rsa_padding(evp_pkey_ctx, rsa_inst->padding)) <= 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed setting RSA padding type", __FUNCTION__);
 return -1;
 }
@@ -1046,13 +1046,13 @@ static int cipher_rsa_padding_params_set(EVP_PKEY_CTX *evp_pkey_ctx, cipher_rsa_
 */
 case RSA_PKCS1_OAEP_PADDING:
 if (unlikely(EVP_PKEY_CTX_set_rsa_oaep_md(evp_pkey_ctx, rsa_inst->oaep->oaep_digest) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed setting OAEP digest", __FUNCTION__);
 return -1;
 }
 if (unlikely(EVP_PKEY_CTX_set_rsa_mgf1_md(evp_pkey_ctx, rsa_inst->oaep->mgf1_digest) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed setting MGF1 digest", __FUNCTION__);
 return -1;
 }
@@ -1070,7 +1070,7 @@ static int cipher_rsa_padding_params_set(EVP_PKEY_CTX *evp_pkey_ctx, cipher_rsa_
 */
 MEM(label = talloc_bstrndup(evp_pkey_ctx, rsa_inst->oaep->label, label_len));
 if (unlikely(EVP_PKEY_CTX_set0_rsa_oaep_label(evp_pkey_ctx, label, label_len) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed setting OAEP padding label", __FUNCTION__);
 OPENSSL_free(label);
 return -1;
@@ -1110,7 +1110,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 */
 ti->evp_encrypt_ctx = EVP_PKEY_CTX_new(inst->rsa->certificate_file, NULL);
 if (!ti->evp_encrypt_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed allocating encrypt EVP_PKEY_CTX", __FUNCTION__);
 return -1;
 }
@@ -1122,7 +1122,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 * Configure encrypt
 */
 if (unlikely(EVP_PKEY_encrypt_init(ti->evp_encrypt_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed initialising encrypt EVP_PKEY_CTX", __FUNCTION__);
 return XLAT_ACTION_FAIL;
 }
@@ -1136,7 +1136,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 */
 ti->ePAIR_VERIFY_ctx = EVP_PKEY_CTX_new(inst->rsa->certificate_file, NULL);
 if (!ti->ePAIR_VERIFY_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed allocating verify EVP_PKEY_CTX", __FUNCTION__);
 return -1;
 }
@@ -1148,7 +1148,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 * Configure verify
 */
 if (unlikely(EVP_PKEY_verify_init(ti->ePAIR_VERIFY_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed initialising verify EVP_PKEY_CTX", __FUNCTION__);
 return XLAT_ACTION_FAIL;
 }
@@ -1164,7 +1164,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 }
 if (unlikely(EVP_PKEY_CTX_set_signature_md(ti->ePAIR_VERIFY_ctx, inst->rsa->sig_digest)) <= 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed setting signature digest type", __FUNCTION__);
 return XLAT_ACTION_FAIL;
 }
@@ -1176,7 +1176,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 */
 ti->evp_decrypt_ctx = EVP_PKEY_CTX_new(inst->rsa->private_key_file, NULL);
 if (!ti->evp_decrypt_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed allocating decrypt EVP_PKEY_CTX", __FUNCTION__);
 return -1;
 }
@@ -1188,7 +1188,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 * Configure decrypt
 */
 if (unlikely(EVP_PKEY_decrypt_init(ti->evp_decrypt_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed initialising decrypt EVP_PKEY_CTX", __FUNCTION__);
 return XLAT_ACTION_FAIL;
 }
@@ -1202,7 +1202,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 */
 ti->evp_sign_ctx = EVP_PKEY_CTX_new(inst->rsa->private_key_file, NULL);
 if (!ti->evp_sign_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed allocating s
 ign EVP_PKEY_CTX", __FUNCTION__);
 return -1;
 }
@@ -1214,7 +1214,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 * Configure sign
 */
 if (unlikely(EVP_PKEY_sign_init(ti->evp_sign_ctx) <= 0)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed initialising sign EVP_PKEY_CTX", __FUNCTION__);
 return XLAT_ACTION_FAIL;
 }
@@ -1230,7 +1230,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 }
 if (unlikely(EVP_PKEY_CTX_set_signature_md(ti->evp_sign_ctx, inst->rsa->sig_digest)) <= 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed setting signature digest type", __FUNCTION__);
 return XLAT_ACTION_FAIL;
 }
@@ -1240,7 +1240,7 @@ static int cipher_rsa_thread_instantiate(module_thread_inst_ctx_t const *mctx)
 */
 ti->evp_md_ctx = EVP_MD_CTX_create();
 if (!ti->evp_md_ctx) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 PERROR("%s: Failed allocating EVP_MD_CTX", __FUNCTION__);
 return -1;
 }
@@ -1328,7 +1328,7 @@ static int mod_bootstrap(module_inst_ctx_t const *mctx)
 if (inst->rsa->private_key_file && inst->rsa->x509_certificate_file) {
 if (X509_check_private_key(inst->rsa->x509_certificate_file, inst->rsa->private_key_file) == 0) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 cf_log_perr(conf, "Private key does not match the certificate public key");
 return -1;
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index 07df0f68478..3dc81f6bf11 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -306,7 +306,7 @@ static ssize_t eap_ttls_decode_pair(request_t *request, TALLOC_CTX *ctx, fr_dcur
 */
 if (SSL_export_keying_material(ssl, challenge, vp->vp_length + 1, label, sizeof(label) - 1, NULL, 0, 0) != 1) {
- fr_tls_log_strerror_printf("Failed generating phase2 challenge");
+ fr_tls_strerror_printf("Failed generating phase2 challenge");
 goto error;
 }
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
index ebbe99b1913..94476acc130 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -980,20 +980,20 @@ ntlm_auth_err:
 MEM(evp_ctx = EVP_CIPHER_CTX_new());
 if (unlikely(EVP_CIPHER_CTX_set_key_length(evp_ctx, nt_password->vp_length)) != 1) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 RPERROR("Failed setting key length");
 return -1;
 }
 if (unlikely(EVP_EncryptInit_ex(evp_ctx, EVP_rc4(), NULL, nt_password->vp_octets, NULL) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 RPERROR("Failed initialising RC4 ctx");
 return -1;
 }
 if (unlikely(EVP_EncryptUpdate(evp_ctx, nt_pass_decrypted, &ntlen, new_nt_password, ntlen) != 1)) {
- fr_tls_log_strerror_printf(NULL);
+ fr_tls_strerror_printf(NULL);
 RPERROR("Failed ingesting new password");
 return -1;
 }
diff --git a/src/modules/rlm_ocsp/ocsp.c b/src/modules/rlm_ocsp/ocsp.c
index 88eefbf076b..63db754e174 100644
--- a/src/modules/rlm_ocsp/ocsp.c
+++ b/src/modules/rlm_ocsp/ocsp.c
@@ -198,7 +198,7 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 cert = SSL_get_certificate(ssl);
 if (!cert) {
- fr_tls_log_error(request, "No server certificate found in SSL session");
+ fr_tls_log(request, "No server certificate found in SSL session");
 error:
 X509_STORE_CTX_free(server_store_ctx);
 X509_STORE_free(server_store);
@@ -208,7 +208,7 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 server_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl));
 if (!server_store) {
- fr_tls_log_error(request, "Failed retrieving SSL session cert store");
+ fr_tls_log(request, "Failed retrieving SSL session cert store");
 goto error;
 }
@@ -223,7 +223,7 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 (void)SSL_get0_chain_certs(ssl, &our_chain);
 if (!our_chain) {
 #endif
- fr_tls_log_error(request, "Failed retrieving chain certificates from current SSL session");
+ fr_tls_log(request, "Failed retrieving chain certificates from current SSL session");
 goto error;
 }
@@ -235,7 +235,7 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 if (RDEBUG_ENABLED3) {
 RDEBUG3("Current SSL session cert store contents");
 RINDENT();
- fr_tls_log_certificate_chain(request, L_DBG, our_chain, cert);
+ fr_tls_chain_log(request, L_DBG, our_chain, cert);
 REXDENT();
 }
@@ -253,7 +253,7 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 for (i = 0; i < num; i++) {
 if (X509_STORE_add_cert(server_store, sk_X509_value(our_chain, i)) != 1) {
- fr_tls_log_error(request, "Failed adding certificate to trusted store");
+ fr_tls_log(request, "Failed adding certificate to trusted store");
 goto error;
 }
 }
@@ -266,7 +266,7 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 */
 MEM(server_store_ctx = X509_STORE_CTX_new());
 if (X509_STORE_CTX_init(server_store_ctx, server_store, NULL, NULL) == 0) {
- fr_tls_log_error(request, "Failed initialising SSL session cert store ctx");
+ fr_tls_log(request, "Failed initialising SSL session cert store ctx");
 goto error;
 }
@@ -279,14 +279,14 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 subject = X509_get_subject_name(cert);
 if (!subject) {
- fr_tls_log_error(request, "Couldn't retrieve subject name of SSL session cert");
+ fr_tls_log(request, "Couldn't retrieve subject name of SSL session cert");
 goto error;
 }
 MEM(subject_str = X509_NAME_oneline(subject, NULL, 0));
 issuer = X509_get_issuer_name(cert);
 if (!issuer) {
- fr_tls_log_error(request, "Couldn't retrieve issuer name of SSL session cert");
+ fr_tls_log(request, "Couldn't retrieve issuer name of SSL session cert");
 OPENSSL_free(subject_str);
 goto error;
 }
@@ -294,11 +294,11 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
 switch (ret) {
 case 0:
- fr_tls_log_error(request, "Issuer \"%s\" of \"%s\" not found in certificate store",
+ fr_tls_log(request, "Issuer \"%s\" of \"%s\" not found in certificate store",
 issuer_str, subject_str);
 break;
 default:
- fr_tls_log_error(request, "Error retrieving issuer \"%s\" of \"%s\" from certificate store",
+ fr_tls_log(request, "Error retrieving issuer \"%s\" of \"%s\" from certificate store",
 issuer_str, subject_str);
 break;
 }
diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
index e63d60cfb45..b8bde1dd9f4 100644
--- a/src/modules/rlm_pap/rlm_pap.c
+++ b/src/modules/rlm_pap/rlm_pap.c
@@ -651,7 +651,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t
 (int)iterations, evp_md, (int)digest_len, (unsigned char *)digest) == 0) {
- fr_tls_log_error(request, "PBKDF2 digest failure");
+ fr_tls_log(request, "PBKDF2 digest failure");
 goto finish;
 }