[defect]: misleading error message referring to psk_password #5496

Closed
ghalse opened this issue Jan 17, 2025 · 2 comments
Labels
defect category: a defect or misbehaviour


ghalse commented Jan 17, 2025

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

In FreeRADIUS Version 3.2.6, setting both psk_hexphrase and psk_query in the same tls block results in the error:

Invalid PSK Configuration: psk_password and psk_query cannot be used at the same time.

which is misleading. It points the user to look at a config option that is not set/does not exist, and also suggests psk_password is a valid configuration option as an alternative to psk_hexphrase (which it does not appear to be).

Log output from the FreeRADIUS daemon

Thread 1 waiting to be assigned a request
listen {
        type = "auth+acct"
        virtual_server = "eduroam"
        ipaddr = *
        port = 2083
        proto = "tcp"
        nonblock = yes
  tls {
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/freeradius/certs/server.pem"
        certificate_file = "/etc/freeradius/certs/server.pem"
        ca_file = "/etc/freeradius/certs/ca.pem"
        private_key_password = <<< secret >>>
        psk_identity = "[email protected]"
        psk_hexphrase = <<< secret >>>
        psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
        fragment_size = 8192
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        ca_path_reload_interval = 0
        cipher_list = "DEFAULT"
        require_client_cert = no
        reject_unknown_intermediate_ca = no
        ecdh_curve = "prime256v1"
        tls_max_version = "1.3"
        tls_min_version = "1.3"
   cache {
        enable = no
        lifetime = 24
        max_entries = 255
   }
   verify {
        skip_if_ocsp_ok = no
   }
   ocsp {
        enable = no
        override_cert_url = no
        use_nonce = yes
        timeout = 0
        softfail = no
   }
  }
tls: Ignoring private key file due to psk_identity being used
tls: Ignoring certificate file due to psk_identity being used
tls: Invalid PSK Configuration: psk_identity and psk_query cannot be used at the same time.

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

ghalse added the defect category: a defect or misbehaviour label Jan 17, 2025

ghalse commented Jan 17, 2025

Looking at the code, I don't think this is the only place where the psk_hexphrase / psk_password confusion happens. Here an error refers to psk_hexphrase, whereas here and here it refers to psk_password for comparisons with the same underlying variable. (That's not an exhaustive look.)

@alandekok
Member

Fixed in dfda41d and in ceff4dc
