comparison freeDiameter/cnxctx.c @ 214:5a1b93f59f8f

Added trace facility for GNUTLS calls
author Sebastien Decugis <sdecugis@nict.go.jp>
date Thu, 18 Feb 2010 15:20:00 +0900
parents 929513df9024
children 5f2ce627db3c
940 gnutls_credentials_type_t cred; 940 gnutls_credentials_type_t cred;
941 941
942 fd_log_debug("TLS Session information for connection '%s':\n", conn->cc_id); 942 fd_log_debug("TLS Session information for connection '%s':\n", conn->cc_id);
943 943
944 /* print the key exchange's algorithm name */ 944 /* print the key exchange's algorithm name */
945 kx = gnutls_kx_get (session); 945 GNUTLS_TRACE( kx = gnutls_kx_get (session) );
946 tmp = gnutls_kx_get_name (kx); 946 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) );
947 fd_log_debug("\t - Key Exchange: %s\n", tmp); 947 fd_log_debug("\t - Key Exchange: %s\n", tmp);
948 948
949 /* Check the authentication type used and switch 949 /* Check the authentication type used and switch
950 * to the appropriate. */ 950 * to the appropriate. */
951 cred = gnutls_auth_get_type (session); 951 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) );
952 switch (cred) 952 switch (cred)
953 { 953 {
954 case GNUTLS_CRD_IA: 954 case GNUTLS_CRD_IA:
955 fd_log_debug("\t - TLS/IA session\n"); 955 fd_log_debug("\t - TLS/IA session\n");
956 break; 956 break;
1029 1029
1030 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */ 1030 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */
1031 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) 1031 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
1032 return EINVAL; 1032 return EINVAL;
1033 1033
1034 cert_list = gnutls_certificate_get_peers (session, &cert_list_size); 1034 GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) );
1035 if (cert_list == NULL) 1035 if (cert_list == NULL)
1036 return EINVAL; 1036 return EINVAL;
1037 1037
1038 now = time(NULL); 1038 now = time(NULL);
1039 1039
1051 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); 1051 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL);
1052 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); 1052 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL);
1053 1053
1054 fd_log_debug(" Certificate %d info:\n", i); 1054 fd_log_debug(" Certificate %d info:\n", i);
1055 1055
1056 expiration_time = gnutls_x509_crt_get_expiration_time (cert); 1056 GNUTLS_TRACE( expiration_time = gnutls_x509_crt_get_expiration_time (cert) );
1057 activation_time = gnutls_x509_crt_get_activation_time (cert); 1057 GNUTLS_TRACE( activation_time = gnutls_x509_crt_get_activation_time (cert) );
1058 1058
1059 fd_log_debug("\t - Certificate is valid since: %s", ctime (&activation_time)); 1059 fd_log_debug("\t - Certificate is valid since: %s", ctime (&activation_time));
1060 fd_log_debug("\t - Certificate expires: %s", ctime (&expiration_time)); 1060 fd_log_debug("\t - Certificate expires: %s", ctime (&expiration_time));
1061 1061
1062 /* Print the serial number of the certificate. */ 1062 /* Print the serial number of the certificate. */
1071 } 1071 }
1072 } 1072 }
1073 fd_log_debug("\n"); 1073 fd_log_debug("\n");
1074 1074
1075 /* Extract some of the public key algorithm's parameters */ 1075 /* Extract some of the public key algorithm's parameters */
1076 algo = gnutls_x509_crt_get_pk_algorithm (cert, &bits); 1076 GNUTLS_TRACE( algo = gnutls_x509_crt_get_pk_algorithm (cert, &bits) );
1077 fd_log_debug("\t - Certificate public key: %s\n", 1077 fd_log_debug("\t - Certificate public key: %s\n",
1078 gnutls_pk_algorithm_get_name (algo)); 1078 gnutls_pk_algorithm_get_name (algo));
1079 1079
1080 /* Print the version of the X.509 certificate. */ 1080 /* Print the version of the X.509 certificate. */
1081 fd_log_debug("\t - Certificate version: #%d\n", 1081 fd_log_debug("\t - Certificate version: #%d\n",
1082 gnutls_x509_crt_get_version (cert)); 1082 gnutls_x509_crt_get_version (cert));
1083 1083
1084 size = sizeof (dn); 1084 size = sizeof (dn);
1085 gnutls_x509_crt_get_dn (cert, dn, &size); 1085 GNUTLS_TRACE( gnutls_x509_crt_get_dn (cert, dn, &size) );
1086 fd_log_debug("\t - DN: %s\n", dn); 1086 fd_log_debug("\t - DN: %s\n", dn);
1087 1087
1088 size = sizeof (dn); 1088 size = sizeof (dn);
1089 gnutls_x509_crt_get_issuer_dn (cert, dn, &size); 1089 GNUTLS_TRACE( gnutls_x509_crt_get_issuer_dn (cert, dn, &size) );
1090 fd_log_debug("\t - Issuer's DN: %s\n", dn); 1090 fd_log_debug("\t - Issuer's DN: %s\n", dn);
1091 1091
1092 gnutls_x509_crt_deinit (cert); 1092 GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) );
1093 } 1093 }
1094 } 1094 }
1095 1095
1096 /* Check validity of all the certificates */ 1096 /* Check validity of all the certificates */
1097 for (i = 0; i < cert_list_size; i++) 1097 for (i = 0; i < cert_list_size; i++)
1099 time_t deadline; 1099 time_t deadline;
1100 1100
1101 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); 1101 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL);
1102 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); 1102 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL);
1103 1103
1104 deadline = gnutls_x509_crt_get_expiration_time(cert); 1104 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) );
1105 if ((deadline != (time_t)-1) && (deadline < now)) { 1105 if ((deadline != (time_t)-1) && (deadline < now)) {
1106 if (TRACE_BOOL(INFO)) { 1106 if (TRACE_BOOL(INFO)) {
1107 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id); 1107 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id);
1108 fd_log_debug(" - The certificate %d in the chain is expired\n", i); 1108 fd_log_debug(" - The certificate %d in the chain is expired\n", i);
1109 } 1109 }
1110 return EINVAL; 1110 return EINVAL;
1111 } 1111 }
1112 1112
1113 deadline = gnutls_x509_crt_get_activation_time(cert); 1113 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) );
1114 if ((deadline != (time_t)-1) && (deadline > now)) { 1114 if ((deadline != (time_t)-1) && (deadline > now)) {
1115 if (TRACE_BOOL(INFO)) { 1115 if (TRACE_BOOL(INFO)) {
1116 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id); 1116 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id);
1117 fd_log_debug(" - The certificate %d in the chain is not yet activated\n", i); 1117 fd_log_debug(" - The certificate %d in the chain is not yet activated\n", i);
1118 } 1118 }
1127 } 1127 }
1128 return EINVAL; 1128 return EINVAL;
1129 } 1129 }
1130 } 1130 }
1131 1131
1132 gnutls_x509_crt_deinit (cert); 1132 GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) );
1133 } 1133 }
1134 1134
1135 return 0; 1135 return 0;
1136 } 1136 }
1137 1137
1162 /* Initialize the wrapper, start the demux thread */ 1162 /* Initialize the wrapper, start the demux thread */
1163 CHECK_FCT( fd_sctps_init(conn) ); 1163 CHECK_FCT( fd_sctps_init(conn) );
1164 #endif /* DISABLE_SCTP */ 1164 #endif /* DISABLE_SCTP */
1165 } else { 1165 } else {
1166 /* Set the transport pointer passed to push & pull callbacks */ 1166 /* Set the transport pointer passed to push & pull callbacks */
1167 gnutls_transport_set_ptr( conn->cc_tls_para.session, (gnutls_transport_ptr_t) conn ); 1167 GNUTLS_TRACE( gnutls_transport_set_ptr( conn->cc_tls_para.session, (gnutls_transport_ptr_t) conn ) );
1168 1168
1169 /* Set the push and pull callbacks */ 1169 /* Set the push and pull callbacks */
1170 gnutls_transport_set_pull_function(conn->cc_tls_para.session, (void *)fd_cnx_s_recv); 1170 GNUTLS_TRACE( gnutls_transport_set_pull_function(conn->cc_tls_para.session, (void *)fd_cnx_s_recv) );
1171 gnutls_transport_set_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_send); 1171 GNUTLS_TRACE( gnutls_transport_set_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_send) );
1172 } 1172 }
1173 1173
1174 /* Mark the connection as protected from here, so that the gnutls credentials will be freed */ 1174 /* Mark the connection as protected from here, so that the gnutls credentials will be freed */
1175 conn->cc_status |= CC_STATUS_TLS; 1175 conn->cc_status |= CC_STATUS_TLS;
1176 1176
1219 CHECK_PARAMS( conn && (conn->cc_status & CC_STATUS_TLS) && cert_list && cert_list_size ); 1219 CHECK_PARAMS( conn && (conn->cc_status & CC_STATUS_TLS) && cert_list && cert_list_size );
1220 1220
1221 /* This function only works for X.509 certificates. */ 1221 /* This function only works for X.509 certificates. */
1222 CHECK_PARAMS( gnutls_certificate_type_get (conn->cc_tls_para.session) == GNUTLS_CRT_X509 ); 1222 CHECK_PARAMS( gnutls_certificate_type_get (conn->cc_tls_para.session) == GNUTLS_CRT_X509 );
1223 1223
1224 *cert_list = gnutls_certificate_get_peers (conn->cc_tls_para.session, cert_list_size); 1224 GNUTLS_TRACE( *cert_list = gnutls_certificate_get_peers (conn->cc_tls_para.session, cert_list_size) );
1225 if (*cert_list == NULL) { 1225 if (*cert_list == NULL) {
1226 TRACE_DEBUG(INFO, "No certificate was provided by remote peer / an error occurred."); 1226 TRACE_DEBUG(INFO, "No certificate was provided by remote peer / an error occurred.");
1227 return EINVAL; 1227 return EINVAL;
1228 } 1228 }
1229 1229
1404 } 1404 }
1405 1405
1406 /* Deinit gnutls resources */ 1406 /* Deinit gnutls resources */
1407 fd_sctps_gnutls_deinit_others(conn); 1407 fd_sctps_gnutls_deinit_others(conn);
1408 if (conn->cc_tls_para.session) { 1408 if (conn->cc_tls_para.session) {
1409 gnutls_deinit(conn->cc_tls_para.session); 1409 GNUTLS_TRACE( gnutls_deinit(conn->cc_tls_para.session) );
1410 conn->cc_tls_para.session = NULL; 1410 conn->cc_tls_para.session = NULL;
1411 } 1411 }
1412 1412
1413 /* Destroy the wrapper (also stops the demux thread) */ 1413 /* Destroy the wrapper (also stops the demux thread) */
1414 fd_sctps_destroy(conn); 1414 fd_sctps_destroy(conn);
1432 CHECK_FCT_DO( fd_thr_term(&conn->cc_rcvthr), /* continue */ ); 1432 CHECK_FCT_DO( fd_thr_term(&conn->cc_rcvthr), /* continue */ );
1433 } 1433 }
1434 1434
1435 /* Free the resources of the TLS session */ 1435 /* Free the resources of the TLS session */
1436 if (conn->cc_tls_para.session) { 1436 if (conn->cc_tls_para.session) {
1437 gnutls_deinit(conn->cc_tls_para.session); 1437 GNUTLS_TRACE( gnutls_deinit(conn->cc_tls_para.session) );
1438 conn->cc_tls_para.session = NULL; 1438 conn->cc_tls_para.session = NULL;
1439 } 1439 }
1440 1440
1441 #ifndef DISABLE_SCTP 1441 #ifndef DISABLE_SCTP
1442 } 1442 }
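Review bot: The return values of gnutls_x509_crt_get_dn and gnutls_x509_crt_get_issuer_dn (new-side lines 1085 and 1089) are still discarded, so when a DN does not fit in `dn` the following fd_log_debug prints the buffer as if it were a valid string; wrapping the calls in GNUTLS_TRACE does not change that, and whether `dn` is initialised before the call is not visible here. A guard such as `if (gnutls_x509_crt_get_dn (cert, dn, &size) != 0) dn[0] = '\0';` (and the same for the issuer DN) keeps the debug output well-formed. In the validity loop at 1097–1133, the `return EINVAL` paths at 1110 and 1128, as well as the CHECK_GNUTLS_DO on the import at 1102, leave the function without gnutls_x509_crt_deinit, leaking the `cert` initialised just above them on every rejected peer. Since many of the wrapped calls are assignments (`GNUTLS_TRACE( kx = gnutls_kx_get (session) )`), GNUTLS_TRACE must evaluate its argument exactly once in every build configuration; its definition is not in this view, so a comment stating that requirement at the macro definition would help the next maintainer. The enclosing functions begin and end outside the shown hunks.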