Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/krb5/src/plugins/preauth/pkinit/pkinit_trace.h
34923 views
1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

2
/* plugins/preauth/pkinit/pkinit_trace.h - PKINIT tracing macros */

3
/*

4
 * Copyright (C) 2012 by the Massachusetts Institute of Technology.

5
 * All rights reserved.

6
 *

7
 * Redistribution and use in source and binary forms, with or without

8
 * modification, are permitted provided that the following conditions

9
 * are met:

10
 *

11
 * * Redistributions of source code must retain the above copyright

12
 *   notice, this list of conditions and the following disclaimer.

13
 *

14
 * * Redistributions in binary form must reproduce the above copyright

15
 *   notice, this list of conditions and the following disclaimer in

16
 *   the documentation and/or other materials provided with the

17
 *   distribution.

18
 *

19
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

20
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

21
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS

22
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

23
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,

24
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

25
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

26
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

27
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

28
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

29
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

30
 * OF THE POSSIBILITY OF SUCH DAMAGE.

31
 */

32


33
#ifndef PKINIT_TRACE_H

34
#define PKINIT_TRACE_H

35


36
#include "k5-trace.h"

37


38
#define TRACE_PKINIT_CLIENT_EKU_ACCEPT(c)                       \

39
    TRACE(c, "PKINIT client found acceptable EKU in KDC cert")

40
#define TRACE_PKINIT_CLIENT_EKU_REJECT(c)                               \

41
    TRACE(c, "PKINIT client found no acceptable EKU in KDC cert")

42
#define TRACE_PKINIT_CLIENT_EKU_SKIP(c)                                 \

43
    TRACE(c, "PKINIT client skipping EKU check due to configuration")

44
#define TRACE_PKINIT_CLIENT_FRESHNESS_TOKEN(c)                  \

45
    TRACE(c, "PKINIT client received freshness token from KDC")

46
#define TRACE_PKINIT_CLIENT_NO_IDENTITY(c)                              \

47
    TRACE(c, "PKINIT client has no configured identity; giving up")

48
#define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received)    \

49
    TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, "      \

50
          "received {cksum}", expected, received)

51
#define TRACE_PKINIT_CLIENT_REP_DH(c)           \

52
    TRACE(c, "PKINIT client verified DH reply")

53
#define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c)              \

54
    TRACE(c, "PKINIT client could not verify DH reply")

55
#define TRACE_PKINIT_CLIENT_REQ_CHECKSUMS(c, ck1, ck2)                  \

56
    TRACE(c, "PKINIT client computed checksums: {hexdata} {hexdata}",   \

57
          ck1, &(ck2)->checksum)

58
#define TRACE_PKINIT_CLIENT_REQ_DH(c)                           \

59
    TRACE(c, "PKINIT client making DH request")

60
#define TRACE_PKINIT_CLIENT_SAN_CONFIG_DNSNAME(c, host)                 \

61
    TRACE(c, "PKINIT client config accepts KDC dNSName SAN {str}", host)

62
#define TRACE_PKINIT_CLIENT_SAN_MATCH_DNSNAME(c, host)                  \

63
    TRACE(c, "PKINIT client matched KDC hostname {str} against "     \

64
          "dNSName SAN; EKU check still required", host)

65
#define TRACE_PKINIT_CLIENT_SAN_MATCH_NONE(c)                           \

66
    TRACE(c, "PKINIT client found no acceptable SAN in KDC cert")

67
#define TRACE_PKINIT_CLIENT_SAN_MATCH_PRINC(c, princ)                   \

68
    TRACE(c, "PKINIT client matched KDC principal {princ} against "     \

69
          "id-pkinit-san; no EKU check required", princ)

70
#define TRACE_PKINIT_CLIENT_SAN_ERR(c)                          \

71
    TRACE(c, "PKINIT client failed to decode SANs in KDC cert")

72
#define TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(c, host)                \

73
    TRACE(c, "PKINIT client found dNSName SAN in KDC cert: {str}", host)

74
#define TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(c, princ)                 \

75
    TRACE(c, "PKINIT client found id-pkinit-san in KDC cert: {princ}", princ)

76
#define TRACE_PKINIT_CLIENT_TRYAGAIN(c)                                 \

77
    TRACE(c, "PKINIT client trying again with KDC-provided parameters")

78


79
#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name)                      \

80
    TRACE(c, "PKINIT key exchange group {str} unsupported", name)

81
#define TRACE_PKINIT_DH_INVALID_MIN_BITS(c, str)                        \

82
    TRACE(c, "Invalid pkinit_dh_min_bits value {str}, using default", str)

83
#define TRACE_PKINIT_DH_NEGOTIATED_GROUP(c, desc)                       \

84
    TRACE(c, "PKINIT accepting KDC key exchange group preference {str}", desc)

85
#define TRACE_PKINIT_DH_PROPOSING_GROUP(c, desc)                \

86
    TRACE(c, "PKINIT using {str} key exchange group", desc)

87
#define TRACE_PKINIT_DH_RECEIVED_GROUP(c, desc)                         \

88
    TRACE(c, "PKINIT received {str} key from client for key exchange", desc)

89
#define TRACE_PKINIT_DH_REJECTING_GROUP(c, desc, mindesc)               \

90
    TRACE(c, "PKINIT client key has group {str}, need at least {str}",  \

91
          desc, mindesc)

92


93
#define TRACE_PKINIT_KDF_ALG(c, kdf, keyblock)                          \

94
    TRACE(c, "PKINIT used KDF {hexdata} to compute reply key {keyblock}", \

95
          kdf, keyblock)

96
#define TRACE_PKINIT_KDF_OS2K(c, keyblock)                              \

97
    TRACE(c, "PKINIT used octetstring2key to compute reply key {keyblock}", \

98
          keyblock)

99


100
#define TRACE_PKINIT_OPENSSL_ERROR(c, msg)              \

101
    TRACE(c, "PKINIT OpenSSL error: {str}", msg)

102


103
#define TRACE_PKINIT_PKCS11_NO_MATCH_TOKEN(c)                   \

104
    TRACE(c, "PKINIT PKCS#11 module has no matching tokens")

105
#define TRACE_PKINIT_PKCS11_NO_TOKEN(c)                                 \

106
    TRACE(c, "PKINIT PKCS#11 module shows no slots with tokens")

107
#define TRACE_PKINIT_PKCS11_OPEN(c, name)                       \

108
    TRACE(c, "PKINIT opening PKCS#11 module \"{str}\"", name)

109
#define TRACE_PKINIT_PKCS11_SLOT(c, slot, len, label)            \

110
    TRACE(c, "PKINIT PKCS#11 slotid {int} token {lenstr}",       \

111
          slot, len, label)

112


113
#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname)                       \

114
    TRACE(c, "PKINIT server authorizing cert with module {str}",        \

115
          modname)

116
#define TRACE_PKINIT_SERVER_EKU_REJECT(c)                               \

117
    TRACE(c, "PKINIT server found no acceptable EKU in client cert")

118
#define TRACE_PKINIT_SERVER_EKU_SKIP(c)                                 \

119
    TRACE(c, "PKINIT server skipping EKU check due to configuration")

120
#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm)                \

121
    TRACE(c, "PKINIT server initializing realm {str}", realm)

122
#define TRACE_PKINIT_SERVER_INIT_FAIL(c, realm, retval)                 \

123
    TRACE(c, "PKINIT server initialization failed for realm {str}: {kerr}", \

124
          realm, retval)

125
#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c)                       \

126
    TRACE(c, "PKINIT server found a matching UPN SAN in client cert")

127
#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c)                       \

128
    TRACE(c, "PKINIT server found a matching SAN in client cert")

129
#define TRACE_PKINIT_SERVER_NO_SAN(c)                           \

130
    TRACE(c, "PKINIT server found no SAN in client cert")

131
#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c)                    \

132
    TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ")

133
#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c)       \

134
    TRACE(c, "PKINIT server failed to verify PA data")

135
#define TRACE_PKINIT_SERVER_RETURN_PADATA(c)    \

136
    TRACE(c, "PKINIT server returning PA data")

137
#define TRACE_PKINIT_SERVER_SAN_REJECT(c)                               \

138
    TRACE(c, "PKINIT server found no acceptable SAN in client cert")

139
#define TRACE_PKINIT_SERVER_UPN_PARSE_FAIL(c, upn, ret)                 \

140
    TRACE(c, "PKINIT server could not parse UPN \"{str}\": {kerr}",     \

141
          upn, ret)

142


143
#define TRACE_PKINIT_CERT_CHAIN_NAME(c, index, name)    \

144
    TRACE(c, "PKINIT chain cert #{int}: {str}", index, name)

145
#define TRACE_PKINIT_CERT_NUM_MATCHING(c, total, nummatch)              \

146
    TRACE(c, "PKINIT client checked {int} certs, found {int} matches",  \

147
          total, nummatch)

148
#define TRACE_PKINIT_CERT_RULE(c, rule)                                 \

149
    TRACE(c, "PKINIT client matching rule '{str}' against certificates", rule)

150
#define TRACE_PKINIT_CERT_RULE_INVALID(c, rule)                         \

151
    TRACE(c, "PKINIT client ignoring invalid rule '{str}'", rule)

152


153
#define TRACE_PKINIT_EKU(c)                                             \

154
    TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU")

155
#define TRACE_PKINIT_EKU_NO_KU(c)                                       \

156
    TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU")

157
#define TRACE_PKINIT_IDENTITY_OPTION(c, name)           \

158
    TRACE(c, "PKINIT loading identity {str}", name)

159
#define TRACE_PKINIT_LOADED_CERT(c, name)                       \

160
    TRACE(c, "PKINIT loaded cert and key for {str}", name)

161
#define TRACE_PKINIT_LOAD_FROM_FILE(c, name)                            \

162
    TRACE(c, "PKINIT loading CA certs and CRLs from FILE {str}", name)

163
#define TRACE_PKINIT_LOAD_FROM_DIR(c, name)                             \

164
    TRACE(c, "PKINIT loading CA certs and CRLs from DIR {str}", name)

165
#define TRACE_PKINIT_NO_CA_ANCHOR(c, file)              \

166
    TRACE(c, "PKINIT no anchor CA in file {str}", file)

167
#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file)                \

168
    TRACE(c, "PKINIT no intermediate CA in file {str}", file)

169
#define TRACE_PKINIT_NO_CERT(c)                 \

170
    TRACE(c, "PKINIT no certificate provided")

171
#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname)                        \

172
    TRACE(c, "PKINIT no cert and key pair found in directory {str}",    \

173
          dirname)

174
#define TRACE_PKINIT_NO_CRL(c, file)                    \

175
    TRACE(c, "PKINIT no CRL in file {str}", file)

176
#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count)                          \

177
    TRACE(c, "PKINIT error: There are {int} certs, but there must "     \

178
          "be exactly one.", count)

179
#define TRACE_PKINIT_NO_MATCHING_CERT(c)                \

180
    TRACE(c, "PKINIT no matching certificate found")

181
#define TRACE_PKINIT_NO_PRIVKEY(c)              \

182
    TRACE(c, "PKINIT no private key provided")

183
#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name)                          \

184
    TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name)

185
#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err)                       \

186
    TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}",    \

187
          name, err)

188
#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c)                           \

189
    TRACE(c, "PKINIT initial PKCS12_parse with no password failed")

190
#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c)                          \

191
    TRACE(c, "PKINIT second PKCS12_parse with password failed")

192
#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c)                        \

193
    TRACE(c, "PKINIT failed to prompt for PKCS12 password")

194
#define TRACE_PKINIT_REGEXP_MATCH(c, keyword, comp, value, idx)         \

195
    TRACE(c, "PKINIT matched {str} rule '{str}' with "                  \

196
          "value '{str}' in cert #{int}", keyword, comp, value, (idx) + 1)

197
#define TRACE_PKINIT_REGEXP_NOMATCH(c, keyword, comp, value, idx)       \

198
    TRACE(c, "PKINIT didn't match {str} rule '{str}' with "             \

199
          "value '{str}' in cert #{int}", keyword, comp, value, (idx) + 1)

200
#define TRACE_PKINIT_SAN_CERT_COUNT(c, count, princ, upns, dns, cert)   \

201
    TRACE(c, "PKINIT client found {int} SANs ({int} princs, {int} "     \

202
          "UPNs, {int} DNS names) in certificate {str}", count, princ,   \

203
          upns, dns, cert)

204
#define TRACE_PKINIT_SAN_CERT_NONE(c, cert)                             \

205
    TRACE(c, "PKINIT client found no SANs in certificate {str}", cert)

206


207
#define TRACE_CERTAUTH_VTINIT_FAIL(c, ret)                              \

208
    TRACE(c, "certauth module failed to init vtable: {kerr}", ret)

209
#define TRACE_CERTAUTH_INIT_FAIL(c, name, ret)                          \

210
    TRACE(c, "certauth module {str} failed to init: {kerr}", name, ret)

211


212
#endif /* PKINIT_TRACE_H */

213


214