v2 - don't wrap string for a couple of words, and be more consistent
with wrapping (use curly braces for ifs with wrapping statements)
v3 - change an incorrect crypto_msg() call back to msg()
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54A430A2.5000409@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9374
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -103,13 +103,15 @@ setup_engine (const char *engine) |
103 | 103 |
if ((e = ENGINE_by_id (engine)) == NULL |
104 | 104 |
&& (e = try_load_engine (engine)) == NULL) |
105 | 105 |
{ |
106 |
- msg (M_FATAL, "OpenSSL error: cannot load engine '%s'", engine); |
|
106 |
+ crypto_msg (M_FATAL, "OpenSSL error: cannot load engine '%s'", |
|
107 |
+ engine); |
|
107 | 108 |
} |
108 | 109 |
|
109 | 110 |
if (!ENGINE_set_default (e, ENGINE_METHOD_ALL)) |
110 | 111 |
{ |
111 |
- msg (M_FATAL, "OpenSSL error: ENGINE_set_default failed on engine '%s'", |
|
112 |
- engine); |
|
112 |
+ crypto_msg (M_FATAL, |
|
113 |
+ "OpenSSL error: ENGINE_set_default failed on engine '%s'", |
|
114 |
+ engine); |
|
113 | 115 |
} |
114 | 116 |
|
115 | 117 |
msg (M_INFO, "Initializing OpenSSL support for engine '%s'", |
... | ... |
@@ -393,17 +395,20 @@ key_des_check (uint8_t *key, int key_len, int ndc) |
393 | 393 |
DES_cblock *dc = (DES_cblock*) buf_read_alloc (&b, sizeof (DES_cblock)); |
394 | 394 |
if (!dc) |
395 | 395 |
{ |
396 |
- msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material"); |
|
396 |
+ crypto_msg (D_CRYPT_ERRORS, |
|
397 |
+ "CRYPTO INFO: check_key_DES: insufficient key material"); |
|
397 | 398 |
goto err; |
398 | 399 |
} |
399 | 400 |
if (DES_is_weak_key(dc)) |
400 | 401 |
{ |
401 |
- msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); |
|
402 |
+ crypto_msg (D_CRYPT_ERRORS, |
|
403 |
+ "CRYPTO INFO: check_key_DES: weak key detected"); |
|
402 | 404 |
goto err; |
403 | 405 |
} |
404 | 406 |
if (!DES_check_key_parity (dc)) |
405 | 407 |
{ |
406 |
- msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected"); |
|
408 |
+ crypto_msg (D_CRYPT_ERRORS, |
|
409 |
+ "CRYPTO INFO: check_key_DES: bad parity detected"); |
|
407 | 410 |
goto err; |
408 | 411 |
} |
409 | 412 |
} |
... | ... |
@@ -452,7 +457,7 @@ cipher_kt_get (const char *ciphername) |
452 | 452 |
cipher = EVP_get_cipherbyname (ciphername); |
453 | 453 |
|
454 | 454 |
if (NULL == cipher) |
455 |
- msg (M_SSLERR, "Cipher algorithm '%s' not found", ciphername); |
|
455 |
+ crypto_msg (M_FATAL, "Cipher algorithm '%s' not found", ciphername); |
|
456 | 456 |
|
457 | 457 |
if (EVP_CIPHER_key_length (cipher) > MAX_CIPHER_KEY_LENGTH) |
458 | 458 |
msg (M_FATAL, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum key size (%d bytes)", |
... | ... |
@@ -536,13 +541,13 @@ cipher_ctx_init (EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, |
536 | 536 |
|
537 | 537 |
EVP_CIPHER_CTX_init (ctx); |
538 | 538 |
if (!EVP_CipherInit (ctx, kt, NULL, NULL, enc)) |
539 |
- msg (M_SSLERR, "EVP cipher init #1"); |
|
539 |
+ crypto_msg (M_FATAL, "EVP cipher init #1"); |
|
540 | 540 |
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH |
541 | 541 |
if (!EVP_CIPHER_CTX_set_key_length (ctx, key_len)) |
542 |
- msg (M_SSLERR, "EVP set key size"); |
|
542 |
+ crypto_msg (M_FATAL, "EVP set key size"); |
|
543 | 543 |
#endif |
544 | 544 |
if (!EVP_CipherInit (ctx, NULL, key, NULL, enc)) |
545 |
- msg (M_SSLERR, "EVP cipher init #2"); |
|
545 |
+ crypto_msg (M_FATAL, "EVP cipher init #2"); |
|
546 | 546 |
|
547 | 547 |
/* make sure we used a big enough key */ |
548 | 548 |
ASSERT (EVP_CIPHER_CTX_key_length (ctx) <= key_len); |
... | ... |
@@ -589,7 +594,9 @@ int |
589 | 589 |
cipher_ctx_update (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, |
590 | 590 |
uint8_t *src, int src_len) |
591 | 591 |
{ |
592 |
- return EVP_CipherUpdate (ctx, dst, dst_len, src, src_len); |
|
592 |
+ if (!EVP_CipherUpdate (ctx, dst, dst_len, src, src_len)) |
|
593 |
+ crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__); |
|
594 |
+ return 1; |
|
593 | 595 |
} |
594 | 596 |
|
595 | 597 |
int |
... | ... |
@@ -624,12 +631,14 @@ md_kt_get (const char *digest) |
624 | 624 |
ASSERT (digest); |
625 | 625 |
md = EVP_get_digestbyname (digest); |
626 | 626 |
if (!md) |
627 |
- msg (M_SSLERR, "Message hash algorithm '%s' not found", digest); |
|
627 |
+ crypto_msg (M_FATAL, "Message hash algorithm '%s' not found", digest); |
|
628 | 628 |
if (EVP_MD_size (md) > MAX_HMAC_KEY_LENGTH) |
629 |
- msg (M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)", |
|
630 |
- digest, |
|
631 |
- EVP_MD_size (md), |
|
632 |
- MAX_HMAC_KEY_LENGTH); |
|
629 |
+ { |
|
630 |
+ crypto_msg (M_FATAL, "Message hash algorithm '%s' uses a default hash " |
|
631 |
+ "size (%d bytes) which is larger than " PACKAGE_NAME "'s current " |
|
632 |
+ "maximum hash size (%d bytes)", |
|
633 |
+ digest, EVP_MD_size (md), MAX_HMAC_KEY_LENGTH); |
|
634 |
+ } |
|
633 | 635 |
return md; |
634 | 636 |
} |
635 | 637 |
|
... | ... |
@@ -43,13 +43,6 @@ |
43 | 43 |
#include "ps.h" |
44 | 44 |
#include "mstats.h" |
45 | 45 |
|
46 |
-#ifdef ENABLE_CRYPTO |
|
47 |
-#ifdef ENABLE_CRYPTO_OPENSSL |
|
48 |
-#include <openssl/err.h> |
|
49 |
-#endif |
|
50 |
-#endif |
|
51 |
- |
|
52 |
-#include "memdbg.h" |
|
53 | 46 |
|
54 | 47 |
#if SYSLOG_CAPABILITY |
55 | 48 |
#ifndef LOG_OPENVPN |
... | ... |
@@ -265,28 +258,6 @@ void x_msg_va (const unsigned int flags, const char *format, va_list arglist) |
265 | 265 |
SWAP; |
266 | 266 |
} |
267 | 267 |
|
268 |
-#ifdef ENABLE_CRYPTO |
|
269 |
-#ifdef ENABLE_CRYPTO_OPENSSL |
|
270 |
- if (flags & M_SSL) |
|
271 |
- { |
|
272 |
- int nerrs = 0; |
|
273 |
- size_t err; |
|
274 |
- while ((err = ERR_get_error ())) |
|
275 |
- { |
|
276 |
- openvpn_snprintf (m2, ERR_BUF_SIZE, "%s: %s", |
|
277 |
- m1, ERR_error_string (err, NULL)); |
|
278 |
- SWAP; |
|
279 |
- ++nerrs; |
|
280 |
- } |
|
281 |
- if (!nerrs) |
|
282 |
- { |
|
283 |
- openvpn_snprintf (m2, ERR_BUF_SIZE, "%s (OpenSSL)", m1); |
|
284 |
- SWAP; |
|
285 |
- } |
|
286 |
- } |
|
287 |
-#endif |
|
288 |
-#endif |
|
289 |
- |
|
290 | 268 |
if (flags & M_OPTERR) |
291 | 269 |
{ |
292 | 270 |
openvpn_snprintf (m2, ERR_BUF_SIZE, "Options error: %s", m1); |
... | ... |
@@ -93,10 +93,6 @@ extern int x_msg_line_num; |
93 | 93 |
|
94 | 94 |
#define M_ERRNO (1<<8) /* show errno description */ |
95 | 95 |
|
96 |
-#ifdef ENABLE_CRYPTO_OPENSSL |
|
97 |
-# define M_SSL (1<<10) /* show SSL error */ |
|
98 |
-#endif |
|
99 |
- |
|
100 | 96 |
#define M_NOMUTE (1<<11) /* don't do mute processing */ |
101 | 97 |
#define M_NOPREFIX (1<<12) /* don't show date/time prefix */ |
102 | 98 |
#define M_USAGE_SMALL (1<<13) /* fatal options error, call usage_small */ |
... | ... |
@@ -107,7 +103,6 @@ extern int x_msg_line_num; |
107 | 107 |
|
108 | 108 |
/* flag combinations which are frequently used */ |
109 | 109 |
#define M_ERR (M_FATAL | M_ERRNO) |
110 |
-#define M_SSLERR (M_FATAL | M_SSL) |
|
111 | 110 |
#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR) |
112 | 111 |
#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX) |
113 | 112 |
|
... | ... |
@@ -104,7 +104,7 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) |
104 | 104 |
ctx->ctx = SSL_CTX_new (SSLv23_server_method ()); |
105 | 105 |
|
106 | 106 |
if (ctx->ctx == NULL) |
107 |
- msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method"); |
|
107 |
+ crypto_msg (M_FATAL, "SSL_CTX_new SSLv23_server_method"); |
|
108 | 108 |
} |
109 | 109 |
|
110 | 110 |
void |
... | ... |
@@ -115,7 +115,7 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) |
115 | 115 |
ctx->ctx = SSL_CTX_new (SSLv23_client_method ()); |
116 | 116 |
|
117 | 117 |
if (ctx->ctx == NULL) |
118 |
- msg (M_SSLERR, "SSL_CTX_new SSLv23_client_method"); |
|
118 |
+ crypto_msg (M_FATAL, "SSL_CTX_new SSLv23_client_method"); |
|
119 | 119 |
} |
120 | 120 |
|
121 | 121 |
void |
... | ... |
@@ -235,7 +235,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
235 | 235 |
{ |
236 | 236 |
/* Use sane default (disable export, and unsupported cipher modes) */ |
237 | 237 |
if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP")) |
238 |
- msg(M_SSLERR, "Failed to set default TLS cipher list."); |
|
238 |
+ crypto_msg (M_FATAL, "Failed to set default TLS cipher list."); |
|
239 | 239 |
return; |
240 | 240 |
} |
241 | 241 |
|
... | ... |
@@ -287,9 +287,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
287 | 287 |
} |
288 | 288 |
|
289 | 289 |
// Make sure new cipher name fits in cipher string |
290 |
- if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) { |
|
291 |
- msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%d).", (int)sizeof(openssl_ciphers)-1); |
|
292 |
- } |
|
290 |
+ if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) |
|
291 |
+ { |
|
292 |
+ msg (M_FATAL, |
|
293 |
+ "Failed to set restricted TLS cipher list, too long (>%d).", |
|
294 |
+ (int)sizeof(openssl_ciphers)-1); |
|
295 |
+ } |
|
293 | 296 |
|
294 | 297 |
// Concatenate cipher name to OpenSSL cipher string |
295 | 298 |
memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len); |
... | ... |
@@ -305,7 +308,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
305 | 305 |
|
306 | 306 |
// Set OpenSSL cipher list |
307 | 307 |
if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers)) |
308 |
- msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers); |
|
308 |
+ crypto_msg (M_FATAL, "Failed to set restricted TLS cipher list: %s", openssl_ciphers); |
|
309 | 309 |
} |
310 | 310 |
|
311 | 311 |
void |
... | ... |
@@ -321,22 +324,22 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, |
321 | 321 |
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline) |
322 | 322 |
{ |
323 | 323 |
if (!(bio = BIO_new_mem_buf ((char *)dh_file_inline, -1))) |
324 |
- msg (M_SSLERR, "Cannot open memory BIO for inline DH parameters"); |
|
324 |
+ crypto_msg (M_FATAL, "Cannot open memory BIO for inline DH parameters"); |
|
325 | 325 |
} |
326 | 326 |
else |
327 | 327 |
{ |
328 | 328 |
/* Get Diffie Hellman Parameters */ |
329 | 329 |
if (!(bio = BIO_new_file (dh_file, "r"))) |
330 |
- msg (M_SSLERR, "Cannot open %s for DH parameters", dh_file); |
|
330 |
+ crypto_msg (M_FATAL, "Cannot open %s for DH parameters", dh_file); |
|
331 | 331 |
} |
332 | 332 |
|
333 | 333 |
dh = PEM_read_bio_DHparams (bio, NULL, NULL, NULL); |
334 | 334 |
BIO_free (bio); |
335 | 335 |
|
336 | 336 |
if (!dh) |
337 |
- msg (M_SSLERR, "Cannot load DH parameters from %s", dh_file); |
|
337 |
+ crypto_msg (M_FATAL, "Cannot load DH parameters from %s", dh_file); |
|
338 | 338 |
if (!SSL_CTX_set_tmp_dh (ctx->ctx, dh)) |
339 |
- msg (M_SSLERR, "SSL_CTX_set_tmp_dh"); |
|
339 |
+ crypto_msg (M_FATAL, "SSL_CTX_set_tmp_dh"); |
|
340 | 340 |
|
341 | 341 |
msg (D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", |
342 | 342 |
8 * DH_size (dh)); |
... | ... |
@@ -405,7 +408,7 @@ tls_ctx_load_ecdh_params (struct tls_root_ctx *ctx, const char *curve_name |
405 | 405 |
} |
406 | 406 |
|
407 | 407 |
if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh)) |
408 |
- msg (M_SSLERR, "SSL_CTX_set_tmp_ecdh: cannot add curve"); |
|
408 |
+ crypto_msg (M_FATAL, "SSL_CTX_set_tmp_ecdh: cannot add curve"); |
|
409 | 409 |
|
410 | 410 |
msg (D_TLS_DEBUG_LOW, "ECDH curve %s added", sname); |
411 | 411 |
|
... | ... |
@@ -441,7 +444,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, |
441 | 441 |
BIO_push(b64, bio); |
442 | 442 |
p12 = d2i_PKCS12_bio(b64, NULL); |
443 | 443 |
if (!p12) |
444 |
- msg(M_SSLERR, "Error reading inline PKCS#12 file"); |
|
444 |
+ crypto_msg (M_FATAL, "Error reading inline PKCS#12 file"); |
|
445 | 445 |
BIO_free(b64); |
446 | 446 |
BIO_free(bio); |
447 | 447 |
} |
... | ... |
@@ -449,11 +452,11 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, |
449 | 449 |
{ |
450 | 450 |
/* Load the PKCS #12 file */ |
451 | 451 |
if (!(fp = platform_fopen(pkcs12_file, "rb"))) |
452 |
- msg(M_SSLERR, "Error opening file %s", pkcs12_file); |
|
452 |
+ crypto_msg (M_FATAL, "Error opening file %s", pkcs12_file); |
|
453 | 453 |
p12 = d2i_PKCS12_fp(fp, NULL); |
454 | 454 |
fclose(fp); |
455 | 455 |
if (!p12) |
456 |
- msg(M_SSLERR, "Error reading PKCS#12 file %s", pkcs12_file); |
|
456 |
+ crypto_msg (M_FATAL, "Error reading PKCS#12 file %s", pkcs12_file); |
|
457 | 457 |
} |
458 | 458 |
|
459 | 459 |
/* Parse the PKCS #12 file */ |
... | ... |
@@ -476,16 +479,16 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, |
476 | 476 |
|
477 | 477 |
/* Load Certificate */ |
478 | 478 |
if (!SSL_CTX_use_certificate (ctx->ctx, cert)) |
479 |
- msg (M_SSLERR, "Cannot use certificate"); |
|
479 |
+ crypto_msg (M_FATAL, "Cannot use certificate"); |
|
480 | 480 |
|
481 | 481 |
/* Load Private Key */ |
482 | 482 |
if (!SSL_CTX_use_PrivateKey (ctx->ctx, pkey)) |
483 |
- msg (M_SSLERR, "Cannot use private key"); |
|
483 |
+ crypto_msg (M_FATAL, "Cannot use private key"); |
|
484 | 484 |
warn_if_group_others_accessible (pkcs12_file); |
485 | 485 |
|
486 | 486 |
/* Check Private Key */ |
487 | 487 |
if (!SSL_CTX_check_private_key (ctx->ctx)) |
488 |
- msg (M_SSLERR, "Private key does not match the certificate"); |
|
488 |
+ crypto_msg (M_FATAL, "Private key does not match the certificate"); |
|
489 | 489 |
|
490 | 490 |
/* Set Certificate Verification chain */ |
491 | 491 |
if (load_ca_file) |
... | ... |
@@ -499,9 +502,9 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, |
499 | 499 |
for (i = 0; i < sk_X509_num(ca); i++) |
500 | 500 |
{ |
501 | 501 |
if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i))) |
502 |
- msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); |
|
502 |
+ crypto_msg (M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)"); |
|
503 | 503 |
if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i))) |
504 |
- msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); |
|
504 |
+ crypto_msg (M_FATAL,"Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); |
|
505 | 505 |
} |
506 | 506 |
} |
507 | 507 |
} else { |
... | ... |
@@ -515,7 +518,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, |
515 | 515 |
for (i = 0; i < sk_X509_num(ca); i++) |
516 | 516 |
{ |
517 | 517 |
if (!SSL_CTX_add_extra_chain_cert(ctx->ctx,sk_X509_value(ca, i))) |
518 |
- msg (M_SSLERR, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)"); |
|
518 |
+ crypto_msg (M_FATAL, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)"); |
|
519 | 519 |
} |
520 | 520 |
} |
521 | 521 |
} |
... | ... |
@@ -530,8 +533,7 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) |
530 | 530 |
|
531 | 531 |
/* Load Certificate and Private Key */ |
532 | 532 |
if (!SSL_CTX_use_CryptoAPI_certificate (ctx->ctx, cryptoapi_cert)) |
533 |
- msg (M_SSLERR, "Cannot load certificate \"%s\" from Microsoft Certificate Store", |
|
534 |
- cryptoapi_cert); |
|
533 |
+ crypto_msg (M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert); |
|
535 | 534 |
} |
536 | 535 |
#endif /* WIN32 */ |
537 | 536 |
|
... | ... |
@@ -545,9 +547,9 @@ tls_ctx_add_extra_certs (struct tls_root_ctx *ctx, BIO *bio) |
545 | 545 |
if (!PEM_read_bio_X509 (bio, &cert, 0, NULL)) /* takes ownership of cert */ |
546 | 546 |
break; |
547 | 547 |
if (!cert) |
548 |
- msg (M_SSLERR, "Error reading extra certificate"); |
|
548 |
+ crypto_msg (M_FATAL, "Error reading extra certificate"); |
|
549 | 549 |
if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1) |
550 |
- msg (M_SSLERR, "Error adding extra certificate"); |
|
550 |
+ crypto_msg (M_FATAL, "Error adding extra certificate"); |
|
551 | 551 |
} |
552 | 552 |
} |
553 | 553 |
|
... | ... |
@@ -595,9 +597,9 @@ end: |
595 | 595 |
if (!ret) |
596 | 596 |
{ |
597 | 597 |
if (inline_file) |
598 |
- msg (M_SSLERR, "Cannot load inline certificate file"); |
|
598 |
+ crypto_msg (M_FATAL, "Cannot load inline certificate file"); |
|
599 | 599 |
else |
600 |
- msg (M_SSLERR, "Cannot load certificate file %s", cert_file); |
|
600 |
+ crypto_msg (M_FATAL, "Cannot load certificate file %s", cert_file); |
|
601 | 601 |
} |
602 | 602 |
|
603 | 603 |
if (in != NULL) |
... | ... |
@@ -655,14 +657,14 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, |
655 | 655 |
if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT)) |
656 | 656 |
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL); |
657 | 657 |
#endif |
658 |
- msg (M_WARN|M_SSL, "Cannot load private key file %s", priv_key_file); |
|
658 |
+ crypto_msg (M_WARN, "Cannot load private key file %s", priv_key_file); |
|
659 | 659 |
goto end; |
660 | 660 |
} |
661 | 661 |
warn_if_group_others_accessible (priv_key_file); |
662 | 662 |
|
663 | 663 |
/* Check Private Key */ |
664 | 664 |
if (!SSL_CTX_check_private_key (ssl_ctx)) |
665 |
- msg (M_SSLERR, "Private key does not match the certificate"); |
|
665 |
+ crypto_msg (M_FATAL, "Private key does not match the certificate"); |
|
666 | 666 |
ret = 0; |
667 | 667 |
|
668 | 668 |
end: |
... | ... |
@@ -813,7 +815,7 @@ tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, |
813 | 813 |
if (rsa_meth) |
814 | 814 |
free(rsa_meth); |
815 | 815 |
} |
816 |
- msg (M_SSLERR, "Cannot enable SSL external private key capability"); |
|
816 |
+ crypto_msg (M_FATAL, "Cannot enable SSL external private key capability"); |
|
817 | 817 |
return 0; |
818 | 818 |
} |
819 | 819 |
|
... | ... |
@@ -843,7 +845,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
843 | 843 |
|
844 | 844 |
store = SSL_CTX_get_cert_store(ctx->ctx); |
845 | 845 |
if (!store) |
846 |
- msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)"); |
|
846 |
+ crypto_msg (M_FATAL, "Cannot get certificate store"); |
|
847 | 847 |
|
848 | 848 |
/* Try to add certificates and CRLs from ca_file */ |
849 | 849 |
if (ca_file) |
... | ... |
@@ -866,7 +868,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
866 | 866 |
|
867 | 867 |
if (tls_server && !info->x509) |
868 | 868 |
{ |
869 |
- msg (M_SSLERR, "X509 name was missing in TLS mode"); |
|
869 |
+ crypto_msg (M_FATAL, "X509 name was missing in TLS mode"); |
|
870 | 870 |
} |
871 | 871 |
|
872 | 872 |
if (info->x509) |
... | ... |
@@ -901,9 +903,12 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
901 | 901 |
|
902 | 902 |
if (tls_server) { |
903 | 903 |
int cnum = sk_X509_NAME_num (cert_names); |
904 |
- if (cnum != (prev + 1)) { |
|
905 |
- msg (M_WARN, "Cannot load CA certificate file %s (entry %d did not validate)", np(ca_file), added); |
|
906 |
- } |
|
904 |
+ if (cnum != (prev + 1)) |
|
905 |
+ { |
|
906 |
+ crypto_msg (M_WARN, |
|
907 |
+ "Cannot load CA certificate file %s (entry %d did not validate)", |
|
908 |
+ np(ca_file), added); |
|
909 |
+ } |
|
907 | 910 |
prev = cnum; |
908 | 911 |
} |
909 | 912 |
|
... | ... |
@@ -915,12 +920,20 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
915 | 915 |
SSL_CTX_set_client_CA_list (ctx->ctx, cert_names); |
916 | 916 |
|
917 | 917 |
if (!added) |
918 |
- msg (M_SSLERR, "Cannot load CA certificate file %s (no entries were read)", np(ca_file)); |
|
918 |
+ { |
|
919 |
+ crypto_msg (M_FATAL, |
|
920 |
+ "Cannot load CA certificate file %s (no entries were read)", |
|
921 |
+ np(ca_file)); |
|
922 |
+ } |
|
919 | 923 |
|
920 | 924 |
if (tls_server) { |
921 | 925 |
int cnum = sk_X509_NAME_num (cert_names); |
922 | 926 |
if (cnum != added) |
923 |
- msg (M_SSLERR, "Cannot load CA certificate file %s (only %d of %d entries were valid X509 names)", np(ca_file), cnum, added); |
|
927 |
+ { |
|
928 |
+ crypto_msg (M_FATAL, "Cannot load CA certificate file %s (only %d " |
|
929 |
+ "of %d entries were valid X509 names)", |
|
930 |
+ np(ca_file), cnum, added); |
|
931 |
+ } |
|
924 | 932 |
} |
925 | 933 |
|
926 | 934 |
if (in) |
... | ... |
@@ -934,7 +947,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
934 | 934 |
if (lookup && X509_LOOKUP_add_dir (lookup, ca_path, X509_FILETYPE_PEM)) |
935 | 935 |
msg(M_WARN, "WARNING: experimental option --capath %s", ca_path); |
936 | 936 |
else |
937 |
- msg(M_SSLERR, "Cannot add lookup at --capath %s", ca_path); |
|
937 |
+ crypto_msg (M_FATAL, "Cannot add lookup at --capath %s", ca_path); |
|
938 | 938 |
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); |
939 | 939 |
} |
940 | 940 |
} |
... | ... |
@@ -951,7 +964,7 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file |
951 | 951 |
in = BIO_new_file (extra_certs_file, "r"); |
952 | 952 |
|
953 | 953 |
if (in == NULL) |
954 |
- msg (M_SSLERR, "Cannot load extra-certs file: %s", extra_certs_file); |
|
954 |
+ crypto_msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); |
|
955 | 955 |
else |
956 | 956 |
tls_ctx_add_extra_certs (ctx, in); |
957 | 957 |
|
... | ... |
@@ -1043,7 +1056,7 @@ getbio (BIO_METHOD * type, const char *desc) |
1043 | 1043 |
BIO *ret; |
1044 | 1044 |
ret = BIO_new (type); |
1045 | 1045 |
if (!ret) |
1046 |
- msg (M_SSLERR, "Error creating %s BIO", desc); |
|
1046 |
+ crypto_msg (M_FATAL, "Error creating %s BIO", desc); |
|
1047 | 1047 |
return ret; |
1048 | 1048 |
} |
1049 | 1049 |
|
... | ... |
@@ -1077,16 +1090,15 @@ bio_write (BIO *bio, const uint8_t *data, int size, const char *desc) |
1077 | 1077 |
} |
1078 | 1078 |
else |
1079 | 1079 |
{ |
1080 |
- msg (D_TLS_ERRORS | M_SSL, "TLS ERROR: BIO write %s error", |
|
1081 |
- desc); |
|
1080 |
+ crypto_msg (D_TLS_ERRORS, "TLS ERROR: BIO write %s error", desc); |
|
1082 | 1081 |
ret = -1; |
1083 | 1082 |
ERR_clear_error (); |
1084 | 1083 |
} |
1085 | 1084 |
} |
1086 | 1085 |
else if (i != size) |
1087 | 1086 |
{ |
1088 |
- msg (D_TLS_ERRORS | M_SSL, |
|
1089 |
- "TLS ERROR: BIO write %s incomplete %d/%d", desc, i, size); |
|
1087 |
+ crypto_msg (D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d", |
|
1088 |
+ desc, i, size); |
|
1090 | 1089 |
ret = -1; |
1091 | 1090 |
ERR_clear_error (); |
1092 | 1091 |
} |
... | ... |
@@ -1152,8 +1164,7 @@ bio_read (BIO *bio, struct buffer *buf, int maxlen, const char *desc) |
1152 | 1152 |
} |
1153 | 1153 |
else |
1154 | 1154 |
{ |
1155 |
- msg (D_TLS_ERRORS | M_SSL, "TLS_ERROR: BIO read %s error", |
|
1156 |
- desc); |
|
1155 |
+ crypto_msg (D_TLS_ERRORS, "TLS_ERROR: BIO read %s error", desc); |
|
1157 | 1156 |
buf->len = 0; |
1158 | 1157 |
ret = -1; |
1159 | 1158 |
ERR_clear_error (); |
... | ... |
@@ -1183,7 +1194,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ |
1183 | 1183 |
|
1184 | 1184 |
ks_ssl->ssl = SSL_new (ssl_ctx->ctx); |
1185 | 1185 |
if (!ks_ssl->ssl) |
1186 |
- msg (M_SSLERR, "SSL_new failed"); |
|
1186 |
+ crypto_msg (M_FATAL, "SSL_new failed"); |
|
1187 | 1187 |
|
1188 | 1188 |
/* put session * in ssl object so we can access it |
1189 | 1189 |
from verify callback*/ |
... | ... |
@@ -1358,11 +1369,11 @@ show_available_tls_ciphers (const char *cipher_list) |
1358 | 1358 |
|
1359 | 1359 |
tls_ctx.ctx = SSL_CTX_new (SSLv23_method ()); |
1360 | 1360 |
if (!tls_ctx.ctx) |
1361 |
- msg (M_SSLERR, "Cannot create SSL_CTX object"); |
|
1361 |
+ crypto_msg (M_FATAL, "Cannot create SSL_CTX object"); |
|
1362 | 1362 |
|
1363 | 1363 |
ssl = SSL_new (tls_ctx.ctx); |
1364 | 1364 |
if (!ssl) |
1365 |
- msg (M_SSLERR, "Cannot create SSL object"); |
|
1365 |
+ crypto_msg (M_FATAL, "Cannot create SSL object"); |
|
1366 | 1366 |
|
1367 | 1367 |
tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); |
1368 | 1368 |
|
... | ... |
@@ -1403,7 +1414,7 @@ show_available_curves() |
1403 | 1403 |
curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len)); |
1404 | 1404 |
|
1405 | 1405 |
if (curves == NULL) |
1406 |
- msg (M_SSLERR, "Cannot create EC_builtin_curve object"); |
|
1406 |
+ crypto_msg (M_FATAL, "Cannot create EC_builtin_curve object"); |
|
1407 | 1407 |
else |
1408 | 1408 |
{ |
1409 | 1409 |
if (EC_get_builtin_curves(curves, crv_len)) |
... | ... |
@@ -1420,7 +1431,7 @@ show_available_curves() |
1420 | 1420 |
} |
1421 | 1421 |
else |
1422 | 1422 |
{ |
1423 |
- msg (M_SSLERR, "Cannot get list of builtin curves"); |
|
1423 |
+ crypto_msg (M_FATAL, "Cannot get list of builtin curves"); |
|
1424 | 1424 |
} |
1425 | 1425 |
OPENSSL_free(curves); |
1426 | 1426 |
} |
... | ... |
@@ -1439,10 +1450,10 @@ get_highest_preference_tls_cipher (char *buf, int size) |
1439 | 1439 |
|
1440 | 1440 |
ctx = SSL_CTX_new (SSLv23_method ()); |
1441 | 1441 |
if (!ctx) |
1442 |
- msg (M_SSLERR, "Cannot create SSL_CTX object"); |
|
1442 |
+ crypto_msg (M_FATAL, "Cannot create SSL_CTX object"); |
|
1443 | 1443 |
ssl = SSL_new (ctx); |
1444 | 1444 |
if (!ssl) |
1445 |
- msg (M_SSLERR, "Cannot create SSL object"); |
|
1445 |
+ crypto_msg (M_FATAL, "Cannot create SSL object"); |
|
1446 | 1446 |
|
1447 | 1447 |
cipher_name = SSL_get_cipher_list (ssl, 0); |
1448 | 1448 |
strncpynt (buf, cipher_name, size); |