comparison freeDiameter/cnxctx.c @ 214:5a1b93f59f8f
Added trace facility for GNUTLS calls
author | Sebastien Decugis <sdecugis@nict.go.jp> |
date | Thu, 18 Feb 2010 15:20:00 +0900 |
parents | 929513df9024 |
children | 5f2ce627db3c |
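--- a/freeDiameter/cnxctx.c
+++ b/freeDiameter/cnxctx.c
@@ -940,17 +940,17 @@
 gnutls_credentials_type_t cred;
 
 fd_log_debug("TLS Session information for connection '%s':\n", conn->cc_id);
 
 /* print the key exchange's algorithm name */
-kx = gnutls_kx_get (session);
-tmp = gnutls_kx_get_name (kx);
+GNUTLS_TRACE( kx = gnutls_kx_get (session) );
+GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) );
 fd_log_debug("\t - Key Exchange: %s\n", tmp);
 
 /* Check the authentication type used and switch
 * to the appropriate. */
-cred = gnutls_auth_get_type (session);
+GNUTLS_TRACE( cred = gnutls_auth_get_type (session) );
 switch (cred)
 {
 case GNUTLS_CRD_IA:
 fd_log_debug("\t - TLS/IA session\n");
 break;
@@ -1029,11 +1029,11 @@
 
 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */
 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
 return EINVAL;
 
-cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
+GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) );
 if (cert_list == NULL)
 return EINVAL;
 
 now = time(NULL);
 
@@ -1051,12 +1051,12 @@
 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL);
 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL);
 
 fd_log_debug(" Certificate %d info:\n", i);
 
-expiration_time = gnutls_x509_crt_get_expiration_time (cert);
-activation_time = gnutls_x509_crt_get_activation_time (cert);
+GNUTLS_TRACE( expiration_time = gnutls_x509_crt_get_expiration_time (cert) );
+GNUTLS_TRACE( activation_time = gnutls_x509_crt_get_activation_time (cert) );
 
 fd_log_debug("\t - Certificate is valid since: %s", ctime (&activation_time));
 fd_log_debug("\t - Certificate expires: %s", ctime (&expiration_time));
 
 /* Print the serial number of the certificate. */
@@ -1071,27 +1071,27 @@
 }
 }
 fd_log_debug("\n");
 
 /* Extract some of the public key algorithm's parameters */
-algo = gnutls_x509_crt_get_pk_algorithm (cert, &bits);
+GNUTLS_TRACE( algo = gnutls_x509_crt_get_pk_algorithm (cert, &bits) );
 fd_log_debug("\t - Certificate public key: %s\n",
 gnutls_pk_algorithm_get_name (algo));
 
 /* Print the version of the X.509 certificate. */
 fd_log_debug("\t - Certificate version: #%d\n",
 gnutls_x509_crt_get_version (cert));
 
 size = sizeof (dn);
-gnutls_x509_crt_get_dn (cert, dn, &size);
+GNUTLS_TRACE( gnutls_x509_crt_get_dn (cert, dn, &size) );
 fd_log_debug("\t - DN: %s\n", dn);
 
 size = sizeof (dn);
-gnutls_x509_crt_get_issuer_dn (cert, dn, &size);
+GNUTLS_TRACE( gnutls_x509_crt_get_issuer_dn (cert, dn, &size) );
 fd_log_debug("\t - Issuer's DN: %s\n", dn);
 
-gnutls_x509_crt_deinit (cert);
+GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) );
 }
 }
 
 /* Check validity of all the certificates */
 for (i = 0; i < cert_list_size; i++)
@@ -1099,20 +1099,20 @@
 time_t deadline;
 
 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL);
 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL);
 
-deadline = gnutls_x509_crt_get_expiration_time(cert);
+GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) );
 if ((deadline != (time_t)-1) && (deadline < now)) {
 if (TRACE_BOOL(INFO)) {
 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id);
 fd_log_debug(" - The certificate %d in the chain is expired\n", i);
 }
 return EINVAL;
 }
 
-deadline = gnutls_x509_crt_get_activation_time(cert);
+GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) );
 if ((deadline != (time_t)-1) && (deadline > now)) {
 if (TRACE_BOOL(INFO)) {
 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id);
 fd_log_debug(" - The certificate %d in the chain is not yet activated\n", i);
 }
@@ -1127,11 +1127,11 @@
 }
 return EINVAL;
 }
 }
 
-gnutls_x509_crt_deinit (cert);
+GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) );
 }
 
 return 0;
 }
 
@@ -1162,15 +1162,15 @@
 /* Initialize the wrapper, start the demux thread */
 CHECK_FCT( fd_sctps_init(conn) );
 #endif /* DISABLE_SCTP */
 } else {
 /* Set the transport pointer passed to push & pull callbacks */
-gnutls_transport_set_ptr( conn->cc_tls_para.session, (gnutls_transport_ptr_t) conn );
+GNUTLS_TRACE( gnutls_transport_set_ptr( conn->cc_tls_para.session, (gnutls_transport_ptr_t) conn ) );
 
 /* Set the push and pull callbacks */
-gnutls_transport_set_pull_function(conn->cc_tls_para.session, (void *)fd_cnx_s_recv);
-gnutls_transport_set_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_send);
+GNUTLS_TRACE( gnutls_transport_set_pull_function(conn->cc_tls_para.session, (void *)fd_cnx_s_recv) );
+GNUTLS_TRACE( gnutls_transport_set_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_send) );
 }
 
 /* Mark the connection as protected from here, so that the gnutls credentials will be freed */
 conn->cc_status |= CC_STATUS_TLS;
 
@@ -1219,11 +1219,11 @@
 CHECK_PARAMS( conn && (conn->cc_status & CC_STATUS_TLS) && cert_list && cert_list_size );
 
 /* This function only works for X.509 certificates. */
 CHECK_PARAMS( gnutls_certificate_type_get (conn->cc_tls_para.session) == GNUTLS_CRT_X509 );
 
-*cert_list = gnutls_certificate_get_peers (conn->cc_tls_para.session, cert_list_size);
+GNUTLS_TRACE( *cert_list = gnutls_certificate_get_peers (conn->cc_tls_para.session, cert_list_size) );
 if (*cert_list == NULL) {
 TRACE_DEBUG(INFO, "No certificate was provided by remote peer / an error occurred.");
 return EINVAL;
 }
 
@@ -1404,11 +1404,11 @@
 }
 
 /* Deinit gnutls resources */
 fd_sctps_gnutls_deinit_others(conn);
 if (conn->cc_tls_para.session) {
-gnutls_deinit(conn->cc_tls_para.session);
+GNUTLS_TRACE( gnutls_deinit(conn->cc_tls_para.session) );
 conn->cc_tls_para.session = NULL;
 }
 
 /* Destroy the wrapper (also stops the demux thread) */
 fd_sctps_destroy(conn);
@@ -1432,11 +1432,11 @@
 CHECK_FCT_DO( fd_thr_term(&conn->cc_rcvthr), /* continue */ );
 }
 
 /* Free the resources of the TLS session */
 if (conn->cc_tls_para.session) {
-gnutls_deinit(conn->cc_tls_para.session);
+GNUTLS_TRACE( gnutls_deinit(conn->cc_tls_para.session) );
 conn->cc_tls_para.session = NULL;
 }
 
 #ifndef DISABLE_SCTP
 }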
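Review bot: The return values of `gnutls_x509_crt_get_dn` and `gnutls_x509_crt_get_issuer_dn` at 1085 and 1089 are still discarded, so when a DN does not fit in `dn` (GnuTLS reports that through the return code rather than by truncating) the following `fd_log_debug("\t - DN: %s\n", dn)` prints whatever the buffer held from the previous certificate or from the uninitialized stack. Either capture the result inside the wrapper, `GNUTLS_TRACE( ret = gnutls_x509_crt_get_dn (cert, dn, &size) );` followed by `if (ret == 0) fd_log_debug("\t - DN: %s\n", dn);` (with a local `int ret`), or at least clear the buffer before each call with `dn[0] = '\0';`, and the same for the issuer DN. The early `return EINVAL` paths at 1052, 1102, 1110 and 1128 leave the `cert` obtained from `gnutls_x509_crt_init` without a matching `gnutls_x509_crt_deinit (cert)`; that leak predates this commit but is worth closing while these lines are being touched. `GNUTLS_TRACE` is defined outside the visible hunks, and the wrapped `gnutls_x509_crt_deinit` at 1092 and 1132 and `gnutls_deinit` at 1409 and 1437 rely on the macro evaluating its argument exactly once, otherwise these become double frees; a comment at the macro definition stating that single-evaluation contract would make the constraint explicit. The enclosing functions all begin and end outside the hunks shown here.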