diff --git a/src/acct/pam.c b/src/acct/pam.c index c25f11bd..498fe767 100644 --- a/src/acct/pam.c +++ b/src/acct/pam.c @@ -50,7 +50,7 @@ pam_handle_t *ph; struct pam_conv dc; if (ai->username[0] == 0) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "PAM-acct: no username present"); return ERR_AUTH_FAIL; } @@ -59,7 +59,7 @@ struct pam_conv dc; dc.appdata_ptr = NULL; pret = pam_start(PACKAGE, ai->username, &dc, &ph); if (pret != PAM_SUCCESS) { - syslog(LOG_AUTH, "PAM-acct init: %s", pam_strerror(ph, pret)); + syslog(LOG_NOTICE, "PAM-acct init: %s", pam_strerror(ph, pret)); goto fail1; } diff --git a/src/acct/radius.c b/src/acct/radius.c index 9ddb2828..86a63194 100644 --- a/src/acct/radius.c +++ b/src/acct/radius.c @@ -191,7 +191,7 @@ static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const c rc_avpair_free(recvd); if (ret != OK_RC) { - syslog(LOG_AUTH, "radius-auth: radius_open_session: %d", ret); + syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret); goto cleanup; } @@ -233,7 +233,7 @@ static int radius_acct_open_session(void *_vctx, unsigned auth_method, const com rc_avpair_free(recvd); if (ret != OK_RC) { - syslog(LOG_AUTH, "radius-auth: radius_open_session: %d", ret); + syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret); ret = -1; goto cleanup; } diff --git a/src/auth-unix.c b/src/auth-unix.c index 60db4ee6..e1831966 100644 --- a/src/auth-unix.c +++ b/src/auth-unix.c @@ -64,7 +64,7 @@ unsigned found; } if (found == 0) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "user '%s' requested group '%s' but is not a member", username, suggested); return -1; diff --git a/src/auth/openidconnect.c b/src/auth/openidconnect.c index ba474272..4dc8bf29 100644 --- a/src/auth/openidconnect.c +++ b/src/auth/openidconnect.c 
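Review bot: Replacing `LOG_AUTH` with `LOG_NOTICE` on the `syslog()` line of this hunk changes the facility as well as the level: `LOG_AUTH` alone carried facility AUTH with level bits zero (LOG_EMERG), while `LOG_NOTICE` alone carries level NOTICE with whatever facility `openlog()` selected, which is not visible here. If these authentication events are meant to stay in the auth log, the call should be `syslog(LOG_AUTH | LOG_NOTICE, ...)`, or `LOG_AUTHPRIV | LOG_NOTICE` for the messages that include usernames. The same applies to every other hunk in this commit, including the `seclog()` calls in src/sec-mod-auth.c if that wrapper passes the value through to syslog.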
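Review bot: The message on the `syslog()` line of the `radius_acct_session_stats` hunk (`@@ -191`) says `radius-auth: radius_open_session`, which does not match the function it is in; it looks copied from the `radius_acct_open_session` hunk below, where the same text appears. Since both sites log the same string, an operator cannot tell which RADIUS accounting call failed. Change it to `syslog(LOG_NOTICE, "radius-acct: radius_acct_session_stats: %d", ret);` and, for consistency, prefix the open-session message with `radius-acct:` rather than `radius-auth:`.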
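Review bot: In the src/auth-unix.c hunk the `username` and `suggested` values written to the log are supplied by the client; unless they are sanitized before this point (not visible here), embedded newlines or control bytes can split log lines and confuse log parsers. The same pattern appears in the `requested group` messages of src/auth/plain.c and src/auth/radius.c and in the username messages of src/auth/plain.c. Consider routing user-supplied strings through a helper that replaces non-printable bytes before they reach `syslog()`, or documenting where the sanitization already happens, e.g. `/* username/suggested are validated by the caller before logging */`.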
@@ -254,7 +254,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri) curl = curl_easy_init(); if (!curl) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: failed to download JSON document: URI %s\n", uri); goto cleanup; @@ -262,7 +262,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri) res = curl_easy_setopt(curl, CURLOPT_URL, uri); if (res != CURLE_OK) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n", uri, res); goto cleanup; @@ -272,7 +272,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri) curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, oidc_json_parser_context_callback); if (res != CURLE_OK) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n", uri, res); goto cleanup; @@ -280,7 +280,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri) res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, &context); if (res != CURLE_OK) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n", uri, res); goto cleanup; @@ -288,7 +288,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri) res = curl_easy_perform(curl); if (res != CURLE_OK) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n", uri, res); goto cleanup; @@ -296,7 +296,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri) json = json_loadb(context.buffer, context.offset, 0, &err); if (!json) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: failed to parse JSON document: URI %s\n", uri); goto cleanup; @@ -327,7 +327,7 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx) json_t *value; if (!openid_configuration_url) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: openid_configuration_url missing from config\n"); goto cleanup; } 
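Review bot: In the `@@ -272` hunk the `curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, ...)` result is discarded, so the `if (res != CURLE_OK)` that follows re-tests the value left by the `CURLOPT_URL` call in the previous hunk and a failure to install the write callback goes unnoticed; the line should read `res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, oidc_json_parser_context_callback);` like its neighbours. Separately, every `ocserv-oidc:` message in these hunks ends in `\n`, which `syslog()` does not need and which some loggers render literally; dropping the trailing newlines would be consistent with the PAM and RADIUS messages in this commit. If no `CURLOPT_TIMEOUT` is set elsewhere in `oidc_fetch_json_from_uri` (not visible here), the `curl_easy_perform` in the `@@ -288` hunk can block the authenticating worker indefinitely on an unresponsive issuer.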
@@ -338,21 +338,21 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx) (openid_configuration_url)); if (!oidc_config) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Unable to fetch config doc from %s\n", json_string_value(openid_configuration_url)); goto cleanup; } json_t *jwks_uri = json_object_get(oidc_config, "jwks_uri"); if (!jwks_uri || !json_string_value(jwks_uri)) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: jwks_uri missing from config doc\n"); goto cleanup; } jwks = oidc_fetch_json_from_uri(vctx->pool, json_string_value(jwks_uri)); if (!jwks) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: failed to fetch keys from jwks_uri %s\n", json_string_value(jwks_uri)); goto cleanup; @@ -360,7 +360,7 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx) array = json_object_get(jwks, "keys"); if (array == NULL) { - syslog(LOG_AUTH, "ocserv-oidc: JWK keys malformed\n"); + syslog(LOG_NOTICE, "ocserv-oidc: JWK keys malformed\n"); goto cleanup; } 
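Review bot: In the `@@ -338` hunk `jwks_uri` is taken from the remotely fetched discovery document and passed straight to `oidc_fetch_json_from_uri`; unless that helper restricts the scheme (not visible here), the key set could be loaded over plain HTTP, which undermines the signature validation that depends on it. OIDC discovery requires `jwks_uri` to be an https URL, so a check such as `if (strncmp(json_string_value(jwks_uri), "https://", 8) != 0) { syslog(LOG_NOTICE, "ocserv-oidc: jwks_uri is not https"); goto cleanup; }` before the fetch would make the requirement explicit. The same consideration applies to `openid_configuration_url` in the `@@ -327` hunk, which comes from the local configuration.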
@@ -405,24 +405,24 @@ static bool oidc_verify_lifetime(json_t * token_claims) time_t current_time = time(NULL); if (!token_nbf || !json_integer_value(token_nbf)) { - syslog(LOG_AUTH, "ocserv-oidc: Token missing 'nbf' claim\n"); + syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'nbf' claim\n"); goto cleanup; } if (!token_exp || !json_integer_value(token_exp)) { - syslog(LOG_AUTH, "ocserv-oidc: Token missing 'exp' claim\n"); + syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'exp' claim\n"); goto cleanup; } if (!token_iat || !json_integer_value(token_iat)) { - syslog(LOG_AUTH, "ocserv-oidc: Token missing 'iat' claim\n"); + syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'iat' claim\n"); goto cleanup; } // Check to ensure the token is within it's validity if (json_integer_value(token_nbf) > current_time || json_integer_value(token_exp) < current_time) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Token not within validity period NBF: %lld EXP: %lld Current: %ld\n", json_integer_value(token_nbf), json_integer_value(token_exp), current_time); @@ -450,7 +450,7 @@ static bool oidc_verify_required_claims(json_t * required_claims, token_claim_value = json_object_get(token_claims, required_claim_name); if (!json_equal(required_claim_value, token_claim_value)) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Required claim not met. Claim: %s Expected Value: %s\n", required_claim_name, json_string_value(required_claim_value)); @@ -474,7 +474,7 @@ static bool oidc_map_user_name(json_t * user_name_claim, json_t *token_user_name_claim = json_object_get(token_claims, json_string_value(user_name_claim)); if (!token_user_name_claim || !json_string_value(token_user_name_claim)) { - syslog(LOG_AUTH, "ocserv-oidc: Token missing '%s' claim\n", + syslog(LOG_NOTICE, "ocserv-oidc: Token missing '%s' claim\n", json_string_value(user_name_claim)); goto cleanup; } 
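Review bot: In the `@@ -450` hunk the log line passes `json_string_value(required_claim_value)` to `%s`; `json_equal` accepts any JSON type, so if a configured required claim is a number, boolean or object that call returns NULL and `syslog()` is handed a null pointer for `%s`, which is undefined behaviour. Guarding it with `json_string_value(required_claim_value) ? json_string_value(required_claim_value) : "(non-string)"` keeps the message safe for every claim type. In the `@@ -405` hunk the format uses `%ld` for `time_t current_time` and `%lld` for the `json_int_t` claim values; neither width is guaranteed by the respective type, so casting `(long long)current_time` and using jansson's `JSON_INTEGER_FORMAT` for the claim values avoids a format/argument mismatch on other platforms. The validity check there also allows no clock skew; a short, documented leeway is common for `nbf`/`exp` comparisons and worth a comment if the strictness is intentional.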
@@ -497,7 +497,7 @@ static json_t *oidc_extract_claims(cjose_jws_t * jws) // Extract the claim portion from the token if (!cjose_jws_get_plaintext(jws, &plain_text, &plain_text_size, &err)) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Failed to get plain text from token\n"); goto cleanup; } @@ -506,7 +506,7 @@ static json_t *oidc_extract_claims(cjose_jws_t * jws) token_claims = json_loadb((char *)plain_text, plain_text_size, 0, &json_err); if (!token_claims) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Failed to get claims from token\n"); goto cleanup; } @@ -529,20 +529,20 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws) json_t *value; if (vctx->jwks == NULL) { - syslog(LOG_AUTH, "ocserv-oidc: JWK keys not available\n"); + syslog(LOG_NOTICE, "ocserv-oidc: JWK keys not available\n"); goto cleanup; } array = json_object_get(vctx->jwks, "keys"); if (array == NULL) { - syslog(LOG_AUTH, "ocserv-oidc: JWK keys malformed\n"); + syslog(LOG_NOTICE, "ocserv-oidc: JWK keys malformed\n"); goto cleanup; } // Get the token header token_header = cjose_jws_get_protected(jws); if (token_header == NULL) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - no header\n"); goto cleanup; } @@ -550,13 +550,13 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws) // Get the kid of the key used to sign this token token_kid = json_object_get(token_header, "kid"); if (token_kid == NULL || !json_string_value(token_kid)) { - syslog(LOG_AUTH, "ocserv-oidc: Token malformed - no kid\n"); + syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - no kid\n"); goto cleanup; } token_typ = json_object_get(token_header, "typ"); if (token_typ == NULL || !json_string_value(token_typ) || strcmp(json_string_value(token_typ), "JWT")) { - syslog(LOG_AUTH, "ocserv-oidc: Token malformed - wrong typ claim\n"); + syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - wrong typ claim\n"); goto cleanup; } 
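Review bot: The function touched by the `@@ -529` and `@@ -550` hunks is spelled `oidc_verify_singature`; the typo also appears in the callers in later hunks, and renaming it to `oidc_verify_signature` across the file would help anyone grepping for the signature check. In the `@@ -550` hunk the `typ` header is compared with a case-sensitive `strcmp(..., "JWT")`; RFC 7519 recommends uppercase but notes media-type names are case-insensitive, so `strcasecmp` would accept tokens from issuers that emit `jwt` without weakening the check. If the strict comparison is deliberate, a one-line comment saying so would prevent it being "fixed" later.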
@@ -571,16 +571,16 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws) if (jwk == NULL) { time_t now; - syslog(LOG_AUTH, "ocserv-oidc: JWK with kid=%s not found\n", + syslog(LOG_NOTICE, "ocserv-oidc: JWK with kid=%s not found\n", json_string_value(token_kid)); - syslog(LOG_AUTH, "ocserv-oidc: attempting to download new JWKs"); + syslog(LOG_NOTICE, "ocserv-oidc: attempting to download new JWKs"); now = time(0); if ((now - vctx->last_jwks_load_time) > vctx->minimum_jwk_refresh_time) { oidc_fetch_oidc_keys(vctx); } else { - syslog(LOG_AUTH, "ocserv-oidc: skipping JWK refresh"); + syslog(LOG_NOTICE, "ocserv-oidc: skipping JWK refresh"); } // Fail the request and let the client try again. @@ -588,7 +588,7 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws) } if (!cjose_jws_verify(jws, jwk, &err)) { - syslog(LOG_AUTH, "ocserv-oidc: Token failed validation %s\n", + syslog(LOG_NOTICE, "ocserv-oidc: Token failed validation %s\n", err.message); goto cleanup; } 
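Review bot: In the `@@ -571` hunk the boolean result of `oidc_fetch_oidc_keys(vctx)` is dropped, so a failed JWKS refresh and a successful one log identically and an operator cannot tell from the log that the issuer's key endpoint is unreachable. Since the request is failed regardless (per the comment just below), it would be clearer to write `if (!oidc_fetch_oidc_keys(vctx)) syslog(LOG_NOTICE, "ocserv-oidc: JWK refresh failed");` so a persistently failing refresh is visible. The two adjacent `syslog()` calls for the not-found kid could also be merged into one message to keep the event on a single line.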
@@ -611,33 +611,33 @@ static bool oidc_verify_token(oidc_vctx_st * vctx, const char *token, jws = cjose_jws_import(token, token_length, &err); if (jws == NULL) { - syslog(LOG_AUTH, "ocserv-oidc: Token malformed - %s\n", + syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - %s\n", err.message); goto cleanup; } if (!oidc_verify_singature(vctx, jws)) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Token signature validation failed\n"); goto cleanup; } token_claims = oidc_extract_claims(jws); if (!token_claims) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Unable to access token claims\n"); goto cleanup; } if (!oidc_verify_lifetime(token_claims)) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Token lifetime validation failed\n"); goto cleanup; } if (!oidc_verify_required_claims (json_object_get(vctx->config, "required_claims"), token_claims)) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Token required claims validation failed\n"); goto cleanup; } @@ -645,7 +645,7 @@ static bool oidc_verify_token(oidc_vctx_st * vctx, const char *token, if (!oidc_map_user_name (json_object_get(vctx->config, "user_name_claim"), token_claims, user_name)) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "ocserv-oidc: Unable to map user name claim\n"); goto cleanup; } diff --git a/src/auth/pam.c b/src/auth/pam.c index 666b6b25..ea2cf688 100644 --- a/src/auth/pam.c +++ b/src/auth/pam.c @@ -160,7 +160,7 @@ int pret; struct pam_ctx_st * pctx; if (info->username == NULL || info->username[0] == 0) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "pam-auth: no username present"); return ERR_AUTH_FAIL; } @@ -175,7 +175,7 @@ struct pam_ctx_st * pctx; pctx->dc.appdata_ptr = pctx; pret = pam_start(PACKAGE, info->username, &pctx->dc, &pctx->ph); if (pret != PAM_SUCCESS) { - syslog(LOG_AUTH, "PAM-auth init: %s", pam_strerror(pctx->ph, pret)); + syslog(LOG_NOTICE, "PAM-auth init: %s", pam_strerror(pctx->ph, pret)); goto fail1; } 
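Review bot: As far as the `@@ -611` and `@@ -645` hunks show, `oidc_verify_token` enforces signature, lifetime, the configured `required_claims` and the user-name claim, so issuer (`iss`) and audience (`aud`) are only checked if the administrator lists them under `required_claims`; if that is the intended contract, a comment above the function should state it, e.g. `/* iss and aud are NOT validated here; deployments must list them in required_claims */`. If `json_object_get(vctx->config, "required_claims")` can be NULL, it would also be worth saying whether `oidc_verify_required_claims` treats that as "no requirements" or as a failure, since that decides whether a token with only a valid signature and lifetime is accepted. The function's start and end are outside this hunk.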
@@ -214,7 +214,7 @@ size_t prompt_hash = 0; co_call(pctx->cr); if (pctx->cr_ret != PAM_SUCCESS) { - syslog(LOG_AUTH, "PAM-auth pam_auth_msg: %s", pam_strerror(pctx->ph, pctx->cr_ret)); + syslog(LOG_NOTICE, "PAM-auth pam_auth_msg: %s", pam_strerror(pctx->ph, pctx->cr_ret)); return ERR_AUTH_FAIL; } } @@ -254,7 +254,7 @@ struct pam_ctx_st * pctx = ctx; return -1; if (pctx->state != PAM_S_WAIT_FOR_PASS) { - syslog(LOG_AUTH, "PAM auth: conversation left in wrong state (%d/expecting %d)", pctx->state, PAM_S_WAIT_FOR_PASS); + syslog(LOG_NOTICE, "PAM auth: conversation left in wrong state (%d/expecting %d)", pctx->state, PAM_S_WAIT_FOR_PASS); return ERR_AUTH_FAIL; } @@ -265,7 +265,7 @@ struct pam_ctx_st * pctx = ctx; co_call(pctx->cr); if (pctx->cr_ret != PAM_SUCCESS) { - syslog(LOG_AUTH, "PAM-auth pam_auth_pass: %s", pam_strerror(pctx->ph, pctx->cr_ret)); + syslog(LOG_NOTICE, "PAM-auth pam_auth_pass: %s", pam_strerror(pctx->ph, pctx->cr_ret)); return ERR_AUTH_FAIL; } @@ -294,7 +294,7 @@ int pret; pret = pam_get_item(pctx->ph, PAM_USER, (const void **)&user); if (pret != PAM_SUCCESS) { - /*syslog(LOG_AUTH, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/ + /*syslog(LOG_NOTICE, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/ return -1; } diff --git a/src/auth/plain.c b/src/auth/plain.c index b90ca188..42845b97 100644 --- a/src/auth/plain.c +++ b/src/auth/plain.c @@ -158,7 +158,7 @@ static int read_auth_pass(struct plain_ctx_st *pctx) fp = fopen(pctx->config->passwd, "r"); if (fp == NULL) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "error in plain authentication; cannot open: %s", pctx->config->passwd); return -1; @@ -232,7 +232,7 @@ static int plain_auth_init(void **ctx, void *pool, void *vctx, const common_auth int ret; if (info->username == NULL || info->username[0] == 0) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "plain-auth: no username present"); return ERR_AUTH_FAIL; } 
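Review bot: The `@@ -294` hunk edits a `syslog()` call that is inside a `/* ... */` comment, so the change has no effect; commented-out code that has to be kept in step with the live code is a maintenance cost, and the line is better deleted or re-enabled with a reason. If the call was disabled to avoid logging on routine `pam_get_item` failures, a short comment such as `/* PAM_USER lookup failure is reported by the caller */` in place of the dead call would preserve the intent.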
@@ -283,7 +283,7 @@ static int plain_auth_group(void *ctx, const char *suggested, char *groupname, i } if (found == 0) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "user '%s' requested group '%s' but is not a member", pctx->username, suggested); return -1; @@ -322,7 +322,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len) pctx->pass_msg = pass_msg_failed; return ERR_AUTH_CONTINUE; } else { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "plain-auth: error authenticating user '%s'", pctx->username); return ERR_AUTH_FAIL; @@ -330,7 +330,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len) } if (pctx->cpass[0] == 0 && pctx->config->otp_file == NULL) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "plain-auth: user '%s' has empty password and no OTP file configured", pctx->username); return ERR_AUTH_FAIL; @@ -351,7 +351,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len) ret = oath_authenticate_usersfile(pctx->config->otp_file, pctx->username, pass, HOTP_WINDOW, NULL, &last); if (ret != OATH_OK) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "plain-auth: OTP auth failed for '%s': %s", pctx->username, oath_strerror(ret)); return ERR_AUTH_FAIL; @@ -416,7 +416,7 @@ static void plain_group_list(void *pool, void *additional, char ***groupname, un pool = talloc_init("plain"); fp = fopen(config->passwd, "r"); if (fp == NULL) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "error in plain authentication; cannot open: %s", (char*)config->passwd); return; diff --git a/src/auth/radius.c b/src/auth/radius.c index 9c54241b..9ae3e62a 100644 --- a/src/auth/radius.c +++ b/src/auth/radius.c @@ -111,7 +111,7 @@ static int radius_auth_init(void **ctx, void *pool, void *_vctx, const common_au struct radius_vhost_ctx *vctx = _vctx; if (info->username == NULL || info->username[0] == 0) { - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "radius-auth: no username present"); return ERR_AUTH_FAIL; } 
@@ -162,7 +162,7 @@ static int radius_auth_group(void *ctx, const char *suggested, char *groupname, } } - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "radius-auth: user '%s' requested group '%s' but is not a member", pctx->username, suggested); return -1; @@ -471,7 +471,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len) goto cleanup; } - syslog(LOG_AUTH, + syslog(LOG_NOTICE, "radius-auth: error authenticating user '%s' (code %d)", pctx->username, ret); ret = ERR_AUTH_FAIL; diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c index 966e55b0..10b643fe 100644 --- a/src/sec-mod-auth.c +++ b/src/sec-mod-auth.c @@ -302,7 +302,7 @@ int check_group(sec_mod_st * sec, client_entry_st * e) } if (found == 0) { - seclog(sec, LOG_AUTH, "user '%s' requested group '%s' but is not included on his certificate groups", + seclog(sec, LOG_NOTICE, "user '%s' requested group '%s' but is not included on his certificate groups", e->acct_info.username, req_group); return -1; } @@ -778,7 +778,7 @@ int handle_sec_auth_init(int cfd, sec_mod_st *sec, const SecAuthInitMsg *req, pi time_t session_start_time; if (req->hmac.len != HMAC_DIGEST_SIZE || !req->hmac.data) { - seclog(sec, LOG_AUTH, "hmac is the wrong size"); + seclog(sec, LOG_NOTICE, "hmac is the wrong size"); return -1; } 
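Review bot: The `seclog()` message in the `@@ -302` hunk reads `... but is not included on his certificate groups`; the phrasing is awkward and gendered for a log line that operators will grep for. `"user '%s' requested group '%s' but it is not among the certificate's groups"` says the same thing and matches the `requested group '%s' but is not a member` wording used by the other backends in this commit.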
@@ -796,14 +796,14 @@ int handle_sec_auth_init(int cfd, sec_mod_st *sec, const SecAuthInitMsg *req, pi generate_hmac(sizeof(sec->hmac_key), sec->hmac_key, sizeof(hmac_components) / sizeof(hmac_components[0]), hmac_components, computed_hmac); if (memcmp(computed_hmac, req->hmac.data, req->hmac.len) != 0) { - seclog(sec, LOG_AUTH, "hmac presented by client doesn't match parameters provided - possible replay"); + seclog(sec, LOG_NOTICE, "hmac presented by client doesn't match parameters provided - possible replay"); return -1; } vhost = find_vhost(sec->vconfig, req->vhost); if ((now - session_start_time) > vhost->perm_config.config->auth_timeout) { - seclog(sec, LOG_AUTH, "hmac presented by client expired - possible replay"); + seclog(sec, LOG_NOTICE, "hmac presented by client expired - possible replay"); return -1; } diff --git a/src/tlslib.c b/src/tlslib.c index 5264456c..971cb397 100644 --- a/src/tlslib.c +++ b/src/tlslib.c @@ -441,7 +441,7 @@ static void tls_audit_log_func(gnutls_session_t session, const char *str) (void)(ws); if (session == NULL) - syslog(LOG_AUTH, "warning: %s", str); + syslog(LOG_NOTICE, "warning: %s", str); else { ws = gnutls_session_get_ptr(session);
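Review bot: The `memcmp(computed_hmac, req->hmac.data, req->hmac.len)` in the `@@ -796` hunk compares a client-supplied MAC with a plain byte comparison that returns at the first mismatch, so its timing depends on how many leading bytes match; a constant-time comparison (GnuTLS provides `gnutls_memcmp`, if its headers are already in scope here) is the usual choice for authenticating tags. The `vhost` returned by `find_vhost()` on the following lines is dereferenced without a NULL check; if that function can fail for an unknown `req->vhost`, the check belongs before `vhost->perm_config.config->auth_timeout`. `handle_sec_auth_init` starts and ends outside this hunk.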