author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2020-03-09 16:45:16 -0400 |
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-03-17 21:08:34 +0000 |
commit | ff6ade2e2316f7300306c0047a2188177b387610 (patch) | |
tree | 67b0f54dd39fb242bdc5635a3c82535397749fe4 /src/mongo/util | |
parent | fd0f5b4d7084a1b61672fb17edf693fedd27b90f (diff) | |
download | mongo-ff6ade2e2316f7300306c0047a2188177b387610.tar.gz |
SERVER-46526 Review and Convert LogV2 statements in TLS
Diffstat (limited to 'src/mongo/util')
-rw-r--r-- | src/mongo/util/net/openssl_init.cpp | 10 | ||||
-rw-r--r-- | src/mongo/util/net/private/ssl_expiration.cpp | 17 | ||||
-rw-r--r-- | src/mongo/util/net/sock.cpp | 50 | ||||
-rw-r--r-- | src/mongo/util/net/sockaddr.cpp | 2 | ||||
-rw-r--r-- | src/mongo/util/net/socket_utils.cpp | 12 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 24 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 14 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 115 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 33 |
9 files changed, 151 insertions, 126 deletions
diff --git a/src/mongo/util/net/openssl_init.cpp b/src/mongo/util/net/openssl_init.cpp
index 4f632e6da46..d7a94e07767 100644
--- a/src/mongo/util/net/openssl_init.cpp
+++ b/src/mongo/util/net/openssl_init.cpp
@@ -152,11 +152,11 @@ void setupFIPS() {
 #if defined(MONGO_CONFIG_HAVE_FIPS_MODE_SET)
 int status = FIPS_mode_set(1);
 if (!status) {
- LOGV2_FATAL(
- 23173,
- "can't activate FIPS mode: {SSLManagerInterface_getSSLErrorMessage_ERR_get_error}",
- "SSLManagerInterface_getSSLErrorMessage_ERR_get_error"_attr =
- SSLManagerInterface::getSSLErrorMessage(ERR_get_error()));
+ LOGV2_FATAL(23173,
+ "can't activate FIPS mode: {sslManagerError}",
+ "can't activate FIPS mode",
+ "sslManagerError"_attr =
+ SSLManagerInterface::getSSLErrorMessage(ERR_get_error()));
 fassertFailedNoTrace(16703);
 }
 LOGV2(23172, "FIPS 140-2 mode activated");
diff --git a/src/mongo/util/net/private/ssl_expiration.cpp b/src/mongo/util/net/private/ssl_expiration.cpp
index f43b4e9411a..5f37d67d2f1 100644
--- a/src/mongo/util/net/private/ssl_expiration.cpp
+++ b/src/mongo/util/net/private/ssl_expiration.cpp
@@ -58,10 +58,9 @@ void CertificateExpirationMonitor::taskDoWork() {
 if (_certExpiration <= now) {
 // The certificate has expired.
- LOGV2_WARNING(
- 23785,
- "Server certificate is now invalid. It expired on {dateToISOStringUTC_certExpiration}",
- "dateToISOStringUTC_certExpiration"_attr = dateToISOStringUTC(_certExpiration));
+ LOGV2_WARNING(23785,
+ "Server certificate is now invalid. It expired on {certExpiration}",
+ "certExpiration"_attr = dateToISOStringUTC(_certExpiration));
 return;
 }
@@ -70,12 +69,10 @@ void CertificateExpirationMonitor::taskDoWork() {
 if (remainingValidDuration <= 30 * oneDay) {
 // The certificate will expire in the next 30 days.
 LOGV2_WARNING(23786,
- "Server certificate will expire on {dateToISOStringUTC_certExpiration} in "
- "{durationCount_Hours_remainingValidDuration_24} days.",
- "dateToISOStringUTC_certExpiration"_attr =
- dateToISOStringUTC(_certExpiration),
- "durationCount_Hours_remainingValidDuration_24"_attr =
- durationCount<Hours>(remainingValidDuration) / 24);
+ "Server certificate will expire on {certExpiration} in "
+ "{validDuration}.",
+ "certExpiration"_attr = dateToISOStringUTC(_certExpiration),
+ "validDuration"_attr = durationCount<Hours>(remainingValidDuration) / 24);
 }
 }
diff --git a/src/mongo/util/net/sock.cpp b/src/mongo/util/net/sock.cpp
index 66478637344..eedfc13fdda 100644
--- a/src/mongo/util/net/sock.cpp
+++ b/src/mongo/util/net/sock.cpp
@@ -103,12 +103,12 @@ void networkWarnWithDescription(const Socket& socket, StringData call, int error
 #endif
 auto ewd = errnoWithDescription(errorCode);
 LOGV2_WARNING(23190,
- "Failed to connect to {socket_remoteAddr_getAddr}:{socket_remoteAddr_getPort}, "
- "in({call}), reason: {ewd}",
- "socket_remoteAddr_getAddr"_attr = socket.remoteAddr().getAddr(),
- "socket_remoteAddr_getPort"_attr = socket.remoteAddr().getPort(),
+ "Failed to connect to {remoteSocketAddress}:{remoteSocketAddressPort}, "
+ "in({call}), reason: {error}",
+ "remoteSocketAddress"_attr = socket.remoteAddr().getAddr(),
+ "remoteSocketAddressPort"_attr = socket.remoteAddr().getPort(),
 "call"_attr = call,
- "ewd"_attr = ewd);
+ "error"_attr = ewd);
 }
 const double kMaxConnectTimeoutMS = 5000;
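Review bot: The new format string for LOGV2_WARNING 23786 drops the unit the old one carried ("... in {...} days."), so the rendered message now reads "will expire on <date> in 12." with a bare number, and the attribute name `validDuration` does not say the unit either although the value is `durationCount<Hours>(...) / 24`, i.e. whole days. Suggest `"{validDurationDays} days.",` for the second format fragment and `"validDurationDays"_attr = durationCount<Hours>(remainingValidDuration) / 24);` for the attribute, so both the text and the structured field are unambiguous for whoever alerts on certificate expiry. taskDoWork's body starts and ends outside the hunk.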
@@ -121,16 +121,14 @@ void setSockTimeouts(int sock, double secs) {
 setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, reinterpret_cast<char*>(&timeout), sizeof(DWORD));
 if (report && (status == SOCKET_ERROR))
 LOGV2(23177,
- "unable to set SO_RCVTIMEO: {errnoWithDescription_WSAGetLastError}",
- "errnoWithDescription_WSAGetLastError"_attr =
- errnoWithDescription(WSAGetLastError()));
+ "unable to set SO_RCVTIMEO: {wsaError}",
+ "wsaError"_attr = errnoWithDescription(WSAGetLastError()));
 status = setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, reinterpret_cast<char*>(&timeout), sizeof(DWORD));
 if (kDebugBuild && report && (status == SOCKET_ERROR))
 LOGV2(23178,
- "unable to set SO_SNDTIMEO: {errnoWithDescription_WSAGetLastError}",
- "errnoWithDescription_WSAGetLastError"_attr =
- errnoWithDescription(WSAGetLastError()));
+ "unable to set SO_SNDTIMEO: {wsaError}",
+ "wsaError"_attr = errnoWithDescription(WSAGetLastError()));
 #else
 struct timeval tv;
 tv.tv_sec = (int)secs;
@@ -156,14 +154,16 @@ void disableNagle(int sock) {
 if (setsockopt(sock, level, TCP_NODELAY, (char*)&x, sizeof(x)))
 LOGV2_ERROR(23195,
- "disableNagle failed: {errnoWithDescription}",
- "errnoWithDescription"_attr = errnoWithDescription());
+ "disableNagle failed: {error}",
+ "disableNagle failed",
+ "error"_attr = errnoWithDescription());
 #ifdef SO_KEEPALIVE
 if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (char*)&x, sizeof(x)))
 LOGV2_ERROR(23196,
- "SO_KEEPALIVE failed: {errnoWithDescription}",
- "errnoWithDescription"_attr = errnoWithDescription());
+ "SO_KEEPALIVE failed: {error}",
+ "SO_KEEPALIVE failed",
+ "error"_attr = errnoWithDescription());
 #endif
 setSocketKeepAliveParams(sock);
@@ -183,10 +183,10 @@ SockAddr getLocalAddrForBoundSocketFd(int fd) {
 if (rc != 0) {
 LOGV2_WARNING(23191,
 "Could not resolve local address for socket with fd {fd}: "
- "{getAddrInfoStrError_socketGetLastError}",
+ "{socketError}",
+ "Could not resolve local address for socket",
 "fd"_attr = fd,
- "getAddrInfoStrError_socketGetLastError"_attr =
- getAddrInfoStrError(socketGetLastError()));
+ "socketError"_attr = getAddrInfoStrError(socketGetLastError()));
 result = SockAddr();
 }
 return result;
@@ -357,10 +357,10 @@ bool Socket::connect(SockAddr& remote, Milliseconds connectTimeoutMillis) {
 // No activity for the full duration of the timeout.
 if (pollReturn == 0) {
 LOGV2_WARNING(23192,
- "Failed to connect to {remote_getAddr}:{remote_getPort} after "
+ "Failed to connect to {remoteAddr}:{remotePort} after "
 "{connectTimeout} milliseconds, giving up.",
- "remote_getAddr"_attr = _remote.getAddr(),
- "remote_getPort"_attr = _remote.getPort(),
+ "remoteAddr"_attr = _remote.getAddr(),
+ "remotePort"_attr = _remote.getPort(),
 "connectTimeout"_attr = connectTimeoutMillis);
 return false;
 }
@@ -580,9 +580,9 @@ void Socket::handleSendError(int ret, const char* context) {
 } else if (mongo_errno != EINTR) {
 LOGV2_DEBUG(23182,
 logSeverityV1toV2(_logLevel).toInt(),
- "Socket {context} send() {errnoWithDescription_mongo_errno} {remoteString}",
+ "Socket {context} send() {mongoError} {remoteString}",
 "context"_attr = context,
- "errnoWithDescription_mongo_errno"_attr = errnoWithDescription(mongo_errno),
+ "mongoError"_attr = errnoWithDescription(mongo_errno),
 "remoteString"_attr = remoteString());
 throwSocketError(SocketErrorKind::SEND_ERROR, remoteString());
 }
@@ -625,8 +625,8 @@ void Socket::handleRecvError(int ret, int len) {
 LOGV2_DEBUG(23185,
 logSeverityV1toV2(_logLevel).toInt(),
- "Socket recv() {errnoWithDescription_e} {remoteString}",
- "errnoWithDescription_e"_attr = errnoWithDescription(e),
+ "Socket recv() {error} {remoteString}",
+ "error"_attr = errnoWithDescription(e),
 "remoteString"_attr = remoteString());
 throwSocketError(SocketErrorKind::RECV_ERROR, remoteString());
 }
diff --git a/src/mongo/util/net/sockaddr.cpp b/src/mongo/util/net/sockaddr.cpp
index 61ae7065bc4..962f71aed14 100644
--- a/src/mongo/util/net/sockaddr.cpp
+++ b/src/mongo/util/net/sockaddr.cpp
@@ -159,6 +159,7 @@ SockAddr::SockAddr(StringData target, int port, sa_family_t familyHint)
 // CRT construction and log() may not work yet.
 LOGV2(23175,
 "getaddrinfo(\"{host}\") failed: {reason}",
+ "getaddrinfo failed",
 "host"_attr = _hostOrIp,
 "reason"_attr = getAddrInfoStrError(addrErr.err));
 _isValid = false;
@@ -191,6 +192,7 @@ std::vector<SockAddr> SockAddr::createAll(StringData target, int port, sa_family
 if (addrErr.err) {
 LOGV2(23176,
 "getaddrinfo(\"{host}\") failed: {reason}",
+ "getaddrinfo failed",
 "host"_attr = hostOrIp,
 "reason"_attr = getAddrInfoStrError(addrErr.err));
 return {};
diff --git a/src/mongo/util/net/socket_utils.cpp b/src/mongo/util/net/socket_utils.cpp
index d286e81eea3..11fec0298ac 100644
--- a/src/mongo/util/net/socket_utils.cpp
+++ b/src/mongo/util/net/socket_utils.cpp
@@ -72,6 +72,7 @@ const struct WinsockInit {
 if (WSAStartup(MAKEWORD(2, 2), &d) != 0) {
 LOGV2(23201,
 "ERROR: wsastartup failed {errnoWithDescription}",
+ "ERROR: wsastartup failed",
 "errnoWithDescription"_attr = errnoWithDescription());
 quickExit(EXIT_NTSERVICE_ERROR);
 }
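Review bot: The socket_utils.cpp WinsockInit hunk (23201) keeps `"errnoWithDescription"_attr` as the structured field name, i.e. the name of the helper that produced the value, while the rest of this commit renames the same thing to `error` (23195/23196 in sock.cpp, 23185 just above); the getHostName hunk (23202, next line) has the same leftover, the two "Unexpected ASIO state" hunks in ssl_manager_windows.cpp use `state` and `wantStateInt` for an identical message (23282/23283), and the ssl_manager.cpp normalizeStrings hunk keeps snake_case `entry_type`/`entry_value` where everything else is camelCase. Field names are what log pipelines key on, so one name per concept would serve consumers better: `"error"_attr = errnoWithDescription()` for 23201 and 23202, and a single name such as `state` for 23282 and 23283.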
@@ -118,8 +119,9 @@ void setSocketKeepAliveParams(int sock,
 return val ? (val.get() / 1000) : default_value;
 }
 LOGV2_ERROR(23203,
- "can't get KeepAlive parameter: {withval_getStatus}",
- "withval_getStatus"_attr = withval.getStatus());
+ "can't get KeepAlive parameter: {status}",
+ "can't get KeepAlive parameter",
+ "status"_attr = withval.getStatus());
 return default_value;
 };
@@ -142,8 +144,9 @@ void setSocketKeepAliveParams(int sock,
 nullptr,
 nullptr)) {
 LOGV2_ERROR(23204,
- "failed setting keepalive values: {WSAGetLastError}",
- "WSAGetLastError"_attr = WSAGetLastError());
+ "failed setting keepalive values: {error}",
+ "failed setting keepalive values",
+ "error"_attr = WSAGetLastError());
 }
 }
 #elif defined(__APPLE__) || defined(__linux__)
@@ -211,6 +214,7 @@ std::string getHostName() {
 if (ec || *buf == 0) {
 LOGV2(23202,
 "can't get this server's hostname {errnoWithDescription}",
+ "can't get this server's hostname",
 "errnoWithDescription"_attr = errnoWithDescription());
 return "";
 }
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 33ec7f7ad92..56ff7878ea6 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -555,18 +555,18 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(SSLManagerLogger, ("SSLManager", "GlobalLog
 if (!config.clientSubjectName.empty()) {
 LOGV2_DEBUG(23214,
 1,
- "Client Certificate Name: {config_clientSubjectName}",
- "config_clientSubjectName"_attr = config.clientSubjectName);
+ "Client Certificate Name: {clientSubjectName}",
+ "clientSubjectName"_attr = config.clientSubjectName);
 }
 if (!config.serverSubjectName().empty()) {
 LOGV2_DEBUG(23215,
 1,
- "Server Certificate Name: {config_serverSubjectName}",
- "config_serverSubjectName"_attr = config.serverSubjectName());
+ "Server Certificate Name: {serverSubjectName}",
+ "serverSubjectName"_attr = config.serverSubjectName());
 LOGV2_DEBUG(23216,
 1,
- "Server Certificate Expiration: {config_serverCertificateExpirationDate}",
- "config_serverCertificateExpirationDate"_attr =
+ "Server Certificate Expiration: {serverCertificateExpirationDate}",
+ "serverCertificateExpirationDate"_attr =
 config.serverCertificateExpirationDate);
 }
 }
@@ -608,6 +608,7 @@ Status SSLX509Name::normalizeStrings() {
 1,
 "Certificate subject name contains unknown string type: "
 "{entry_type} (string value is \"{entry_value}\")",
+ "Certificate subject name contains unknown string type",
 "entry_type"_attr = entry.type,
 "entry_value"_attr = entry.value);
 break;
@@ -692,15 +693,18 @@ bool SSLConfiguration::isClusterMember(StringData subjectName) const {
 auto swClient = parseDN(subjectName);
 if (!swClient.isOK()) {
 LOGV2_WARNING(23219,
- "Unable to parse client subject name: {swClient_getStatus}",
- "swClient_getStatus"_attr = swClient.getStatus());
+ "Unable to parse client subject name: {status}",
+ "Unable to parse client subject name",
+ "status"_attr = swClient.getStatus());
 return false;
 }
 auto& client = swClient.getValue();
 auto status = client.normalizeStrings();
 if (!status.isOK()) {
- LOGV2_WARNING(
- 23220, "Unable to normalize client subject name: {status}", "status"_attr = status);
+ LOGV2_WARNING(23220,
+ "Unable to normalize client subject name: {status}",
+ "Unable to normalize client subject name",
+ "status"_attr = status);
 return false;
 }
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 98bc61ea700..c1fc9fd42d7 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1473,12 +1473,18 @@ Future<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
 const auto badCert = [&](StringData msg, bool warn = false) -> Future<SSLPeerInfo> {
 constexpr StringData prefix = "SSL peer certificate validation failed: "_sd;
 if (warn) {
- LOGV2_WARNING(23209, "{prefix}{msg}", "prefix"_attr = prefix, "msg"_attr = msg);
+ LOGV2_WARNING(23209,
+ "{prefix}{msg}",
+ "SSL peer certificate validation failed",
+ "prefix"_attr = prefix,
+ "msg"_attr = msg);
 return Future<SSLPeerInfo>::makeReady(SSLPeerInfo(sniName));
 } else {
- std::string m = str::stream() << prefix << msg << "; connection rejected";
- LOGV2_ERROR(23212, "{m}", "m"_attr = m);
- return Status(ErrorCodes::SSLHandshakeFailed, m);
+ LOGV2_ERROR(23212,
+ "SSL peer certificate validation failed {status}; connection rejected",
+ "SSL peer certificate validation failed; connection rejected",
+ "status"_attr = msg);
+ return Status(ErrorCodes::SSLHandshakeFailed, msg);
 }
 };
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 20882f94439..ebc43113fc0 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1365,8 +1365,9 @@ int SSLManagerOpenSSL::password_cb(char* buf, int num, int rwflag, void* userdat
 auto swPassword = pwFetcher->fetchPassword();
 if (!swPassword.isOK()) {
 LOGV2_ERROR(23239,
- "Unable to fetch password: {swPassword_getStatus}",
- "swPassword_getStatus"_attr = swPassword.getStatus());
+ "Unable to fetch password: {status}",
+ "Unable to fetch password",
+ "status"_attr = swPassword.getStatus());
 return -1;
 }
 StringData password = std::move(swPassword.getValue());
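Review bot: In the reject branch of the `badCert` lambda the Status handed back to the caller changes from `prefix + msg + "; connection rejected"` to the bare `msg`, so the handshake failure a client or operator sees loses the "SSL peer certificate validation failed: " context, and it no longer matches the OpenSSL and Windows implementations in this same commit, which still return the prefixed text (23256 and 23279). The new format string also dropped the colon after "failed", and the attribute is called `status` although it carries the validation message, not a Status. Keep the prefixed text for the returned Status and log the message under a name that says what it is; `prefix` is still declared in the lambda and is otherwise only used by the warn branch.
```cpp
        } else {
            LOGV2_ERROR(23212,
                        "SSL peer certificate validation failed: {reason}; connection rejected",
                        "SSL peer certificate validation failed; connection rejected",
                        "reason"_attr = msg);
            // Keep the full prefixed text in the Status so callers see the same reason as before.
            return Status(ErrorCodes::SSLHandshakeFailed,
                          str::stream() << prefix << msg << "; connection rejected");
        }
```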
@@ -1539,8 +1540,8 @@ int ocspClientCallback(SSL* ssl, void* arg) {
 if (swStapleOK.getStatus() == ErrorCodes::OCSPCertificateStatusRevoked) {
 LOGV2_DEBUG(23225,
 1,
- "Stapled Certificate validation failed: {swStapleOK_getStatus_reason}",
- "swStapleOK_getStatus_reason"_attr = swStapleOK.getStatus().reason());
+ "Stapled Certificate validation failed: {reason}",
+ "reason"_attr = swStapleOK.getStatus().reason());
 return OCSP_CLIENT_RESPONSE_NOT_ACCEPTABLE;
 }
@@ -1932,10 +1933,10 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
 UniqueDHParams dhparams = makeDefaultDHParameters();
 if (!dhparams || SSL_CTX_set_tmp_dh(context, dhparams.get()) != 1) {
- LOGV2_ERROR(
- 23240,
- "Failed to set default DH parameters: {getSSLErrorMessage_ERR_get_error}",
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ LOGV2_ERROR(23240,
+ "Failed to set default DH parameters: {error}",
+ "Failed to set default DH parameters",
+ "error"_attr = getSSLErrorMessage(ERR_get_error()));
 }
 }
 }
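Review bot: In the initSSLContext hunk (23240) a failed `makeDefaultDHParameters()` or `SSL_CTX_set_tmp_dh()` is logged at error level and execution simply continues, so as far as the visible lines show the context is still handed back as usable without the DH parameters that were requested; whether that is an intended degradation (DHE suites become unavailable) or should fail the configuration is not visible here, and initSSLContext starts and ends outside the hunk. If continuing is intended, a one-line comment such as `// Non-fatal: without DH params only DHE cipher suites are lost` would stop the next reader from treating the LOGV2_ERROR as a swallowed failure; if it is not, the branch should return a failing Status like the other setup errors in this file do.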
@@ -1964,18 +1965,19 @@ bool SSLManagerOpenSSL::_parseAndValidateCertificate(const std::string& keyFile,
 BIO* inBIO = BIO_new(BIO_s_file());
 if (inBIO == nullptr) {
 LOGV2_ERROR(23243,
- "failed to allocate BIO object: {getSSLErrorMessage_ERR_get_error}",
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "failed to allocate BIO object: {openSSLError}",
+ "failed to allocate BIO object",
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
 ON_BLOCK_EXIT([&] { BIO_free(inBIO); });
 if (BIO_read_filename(inBIO, keyFile.c_str()) <= 0) {
 LOGV2_ERROR(23244,
- "cannot read key file when setting subject name: {keyFile} "
- "{getSSLErrorMessage_ERR_get_error}",
+ "cannot read key file when setting subject name: {keyFile} {openSSLError}",
+ "cannot read key file when setting subject name",
 "keyFile"_attr = keyFile,
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
@@ -1983,10 +1985,10 @@ bool SSLManagerOpenSSL::_parseAndValidateCertificate(const std::string& keyFile,
 inBIO, nullptr, &SSLManagerOpenSSL::password_cb, static_cast<void*>(&keyPassword));
 if (x509 == nullptr) {
 LOGV2_ERROR(23245,
- "cannot retrieve certificate from keyfile: {keyFile} "
- "{getSSLErrorMessage_ERR_get_error}",
+ "cannot retrieve certificate from keyfile: {keyFile} {openSSLError}",
+ "cannot retrieve certificate from keyfile",
 "keyFile"_attr = keyFile,
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
 ON_BLOCK_EXIT([&] { X509_free(x509); });
@@ -2021,26 +2023,29 @@ bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context, PasswordFetcher* password) {
 if (SSL_CTX_use_certificate_chain_file(context, keyFile.c_str()) != 1) {
 LOGV2_ERROR(23248,
- "cannot read certificate file: {keyFile} {getSSLErrorMessage_ERR_get_error}",
+ "cannot read certificate file: {keyFile} {openSSLError}",
+ "cannot read certificate file",
 "keyFile"_attr = keyFile,
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
 BIO* inBio = BIO_new(BIO_s_file());
 if (!inBio) {
 LOGV2_ERROR(23249,
- "failed to allocate BIO object: {getSSLErrorMessage_ERR_get_error}",
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "failed to allocate BIO object: {openSSLError}",
+ "failed to allocate BIO object",
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
 const auto bioGuard = makeGuard([&inBio]() { BIO_free(inBio); });
 if (BIO_read_filename(inBio, keyFile.c_str()) <= 0) {
 LOGV2_ERROR(23250,
- "cannot read PEM key file: {keyFile} {getSSLErrorMessage_ERR_get_error}",
+ "cannot read PEM key file: {keyFile} {openSSLError}",
+ "cannot read PEM key file",
 "keyFile"_attr = keyFile,
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
@@ -2050,26 +2055,29 @@ bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context,
 EVP_PKEY* privateKey = PEM_read_bio_PrivateKey(inBio, nullptr, password_cb, userdata);
 if (!privateKey) {
 LOGV2_ERROR(23251,
- "cannot read PEM key file: {keyFile} {getSSLErrorMessage_ERR_get_error}",
+ "cannot read PEM key file: {keyFile} {openSSLError}",
+ "cannot read PEM key file",
 "keyFile"_attr = keyFile,
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
 const auto privateKeyGuard = makeGuard([&privateKey]() { EVP_PKEY_free(privateKey); });
 if (SSL_CTX_use_PrivateKey(context, privateKey) != 1) {
 LOGV2_ERROR(23252,
- "cannot use PEM key file: {keyFile} {getSSLErrorMessage_ERR_get_error}",
+ "cannot use PEM key file: {keyFile} {openSSLError}",
+ "cannot use PEM key file",
 "keyFile"_attr = keyFile,
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
 // Verify that the certificate and the key go together.
 if (SSL_CTX_check_private_key(context) != 1) {
 LOGV2_ERROR(23253,
- "SSL certificate validation: {getSSLErrorMessage_ERR_get_error}",
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "SSL certificate validation failed: {openSSLError}",
+ "SSL certificate validation failed",
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
@@ -2136,15 +2144,21 @@ bool SSLManagerOpenSSL::_setupCRL(SSL_CTX* context, const std::string& crlFile)
 int status = X509_load_crl_file(lookup, crlFile.c_str(), X509_FILETYPE_PEM);
 if (status == 0) {
 LOGV2_ERROR(23254,
- "cannot read CRL file: {crlFile} {getSSLErrorMessage_ERR_get_error}",
+ "cannot read CRL file: {crlFile} {openSSLError}",
+ "cannot read CRL file",
 "crlFile"_attr = crlFile,
- "getSSLErrorMessage_ERR_get_error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
 return false;
 }
- LOGV2(23227,
- "ssl imported {status} revoked certificate{status_1_s} from the revocation list.",
- "status"_attr = status,
- "status_1_s"_attr = ((status == 1) ? "" : "s"));
+
+ if (status == 1) {
+ LOGV2(4652601, "ssl imported 1 revoked certificate from the revocation list.");
+ } else {
+ LOGV2(4652602,
+ "ssl imported {numberCerts} revoked certificates from the revocation list",
+ "numberCerts"_attr = status);
+ }
+
 return true;
 }
@@ -2367,9 +2381,9 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
 }
 return SSLPeerInfo(sni);
 } else {
- auto msg = "no SSL certificate provided by peer; connection rejected";
- LOGV2_ERROR(23255, "{msg}", "msg"_attr = msg);
- return Status(ErrorCodes::SSLHandshakeFailed, msg);
+ LOGV2_ERROR(23255, "no SSL certificate provided by peer; connection rejected");
+ return Status(ErrorCodes::SSLHandshakeFailed,
+ "no SSL certificate provided by peer; connection rejected");
 }
 }
 ON_BLOCK_EXIT([&] { X509_free(peerCert); });
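Review bot: The two new messages in _setupCRL (4652601/4652602) describe `status` as a count of revoked certificates, but `X509_load_crl_file` returns the number of CRL objects it loaded from the file, not the number of serials revoked inside them, so "ssl imported 3 revoked certificates" will be read as three revoked certificates when it means three CRLs; the old 23227 text had the same problem, but this rewrite is the moment to fix it. Something like `"ssl imported {numberCRLs} certificate revocation list(s) from {crlFile}"` with `"numberCRLs"_attr = status, "crlFile"_attr = crlFile` would be accurate, name the file an operator needs to look at, and make the singular/plural split (and the inconsistent trailing period between the two messages) unnecessary. In the no-peer-certificate hunk below (23255) the rejection text is now spelled out twice, once for the log and once for the Status; a single `constexpr StringData` used by both keeps them from drifting, and the Windows counterpart (23280) has the same duplication.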
@@ -2378,17 +2392,19 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
 if (result != X509_V_OK) {
 if (_allowInvalidCertificates) {
- LOGV2_WARNING(
- 23235,
- "SSL peer certificate validation failed: {X509_verify_cert_error_string_result}",
- "X509_verify_cert_error_string_result"_attr =
- X509_verify_cert_error_string(result));
+ LOGV2_WARNING(23235,
+ "SSL peer certificate validation failed: {reason}",
+ "SSL peer certificate validation failed",
+ "reason"_attr = X509_verify_cert_error_string(result));
 return SSLPeerInfo(sni);
 } else {
 str::stream msg;
 msg << "SSL peer certificate validation failed: "
 << X509_verify_cert_error_string(result);
- LOGV2_ERROR(23256, "{msg_ss_str}", "msg_ss_str"_attr = msg.ss.str());
+ LOGV2_ERROR(23256,
+ "{error}",
+ "SSL peer certificate validation failed",
+ "error"_attr = msg.ss.str());
 return Status(ErrorCodes::SSLHandshakeFailed, msg);
 }
 }
@@ -2407,6 +2423,7 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
 LOGV2_DEBUG(23229,
 2,
 "Accepted TLS connection from peer: {peerSubject}",
+ "Accepted TLS connection from peer",
 "peerSubject"_attr = peerSubject);
 StatusWith<stdx::unordered_set<RoleName>> swPeerCertificateRoles = _parsePeerRoles(peerCert);
@@ -2653,21 +2670,17 @@ void SSLManagerOpenSSL::_handleSSLError(SSLConnectionOpenSSL* conn, int ret) {
 // If ERR_get_error returned 0, the error queue is empty
 // check the return value of the actual SSL operation
 if (err != 0) {
- LOGV2_ERROR(23260,
- "SSL: {getSSLErrorMessage_err}",
- "getSSLErrorMessage_err"_attr = getSSLErrorMessage(err));
+ LOGV2_ERROR(23260, "SSL: {error}", "error"_attr = getSSLErrorMessage(err));
 } else if (ret == 0) {
 LOGV2_ERROR(23261, "Unexpected EOF encountered during SSL communication");
 } else {
 LOGV2_ERROR(23262,
- "The SSL BIO reported an I/O error {errnoWithDescription}",
- "errnoWithDescription"_attr = errnoWithDescription());
+ "The SSL BIO reported an I/O error {error}",
+ "error"_attr = errnoWithDescription());
 }
 break;
 case SSL_ERROR_SSL: {
- LOGV2_ERROR(23263,
- "SSL: {getSSLErrorMessage_err}",
- "getSSLErrorMessage_err"_attr = getSSLErrorMessage(err));
+ LOGV2_ERROR(23263, "SSL: {error}", "error"_attr = getSSLErrorMessage(err));
 break;
 }
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 32259b8a27f..a907c1da7bf 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -521,8 +521,9 @@ int SSLManagerWindows::SSL_read(SSLConnectionInterface* connInterface, void* buf
 }
 default:
 LOGV2_FATAL(23282,
- "Unexpected ASIO state: {static_cast_int_want}",
- "static_cast_int_want"_attr = static_cast<int>(want));
+ "Unexpected ASIO state: {state}",
+ "Unexpected ASIO state",
+ "state"_attr = static_cast<int>(want));
 MONGO_UNREACHABLE;
 }
 }
@@ -567,8 +568,9 @@ int SSLManagerWindows::SSL_write(SSLConnectionInterface* connInterface, const vo
 }
 default:
 LOGV2_FATAL(23283,
- "Unexpected ASIO state: {static_cast_int_want}",
- "static_cast_int_want"_attr = static_cast<int>(want));
+ "Unexpected ASIO state: {wantStateInt}",
+ "Unexpected ASIO state",
+ "wantStateInt"_attr = static_cast<int>(want));
 MONGO_UNREACHABLE;
 }
 }
@@ -1824,18 +1826,14 @@ Status validatePeerCertificate(const std::string& remoteHost,
 if (allowInvalidCertificates) {
 LOGV2_WARNING(23274,
- "SSL peer certificate validation failed "
- "({integerToHex_certChainPolicyStatus_dwError}): "
- "{errnoWithDescription_certChainPolicyStatus_dwError}",
- "integerToHex_certChainPolicyStatus_dwError"_attr =
- integerToHex(certChainPolicyStatus.dwError),
- "errnoWithDescription_certChainPolicyStatus_dwError"_attr =
- errnoWithDescription(certChainPolicyStatus.dwError));
- LOGV2_WARNING(23275, "{msg_ss_str}", "msg_ss_str"_attr = msg.ss.str());
+ "SSL peer certificate validation failed ({errorCode}): {error}",
+ "errorCode"_attr = integerToHex(certChainPolicyStatus.dwError),
+ "error"_attr = errnoWithDescription(certChainPolicyStatus.dwError));
+ LOGV2_WARNING(23275, "{msg}", "msg"_attr = msg.ss.str());
 *peerSubjectName = SSLX509Name();
 return Status::OK();
 } else if (allowInvalidHostnames) {
- LOGV2_WARNING(23276, "{msg_ss_str}", "msg_ss_str"_attr = msg.ss.str());
+ LOGV2_WARNING(23276, "{msg}", "msg"_attr = msg.ss.str());
 return Status::OK();
 } else {
 return Status(ErrorCodes::SSLHandshakeFailed, msg);
@@ -1845,7 +1843,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
 msg << "SSL peer certificate validation failed: ("
 << integerToHex(certChainPolicyStatus.dwError) << ")"
 << errnoWithDescription(certChainPolicyStatus.dwError);
- LOGV2_ERROR(23279, "{msg_ss_str}", "msg_ss_str"_attr = msg.ss.str());
+ LOGV2_ERROR(23279, "{msg}", "msg"_attr = msg.ss.str());
 return Status(ErrorCodes::SSLHandshakeFailed, msg);
 }
 }
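Review bot: LOGV2_WARNING 23274 was left in the two-argument form (format string plus attributes) while nearly every other statement this commit touches gained the separate plain-text message as the third argument (compare 23235 in ssl_manager_openssl.cpp, which logs the same event), and 23275/23276/23279 still emit the whole pre-built `msg.ss.str()` as a single `{msg}` attribute, which leaves nothing structured for a log consumer to filter on. For consistency insert `"SSL peer certificate validation failed",` after the format string of 23274, and consider giving 23275/23276/23279 a fixed message with the hex code and description as separate attributes the way 23274 now does; the `msg` stream they print is built outside the hunk, and validatePeerCertificate starts and ends outside it.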
@@ -1913,9 +1911,9 @@ Future<SSLPeerInfo> SSLManagerWindows::parseAndValidatePeerCertificate(
 }
 return SSLPeerInfo(sni);
 } else {
- auto msg = "no SSL certificate provided by peer; connection rejected";
- LOGV2_ERROR(23280, "{msg}", "msg"_attr = msg);
- return Status(ErrorCodes::SSLHandshakeFailed, msg);
+ LOGV2_ERROR(23280, "no SSL certificate provided by peer; connection rejected");
+ return Status(ErrorCodes::SSLHandshakeFailed,
+ "no SSL certificate provided by peer; connection rejected");
 }
 }
@@ -1959,6 +1957,7 @@ Future<SSLPeerInfo> SSLManagerWindows::parseAndValidatePeerCertificate(
 LOGV2_DEBUG(23270,
 2,
 "Accepted TLS connection from peer: {peerSubjectName}",
+ "Accepted TLS connection from peer",
 "peerSubjectName"_attr = peerSubjectName);
 // If this is a server and client and server certificate are the same, log a warning.
 |