comparison libfdcore/cnxctx.c @ 1256:bd6b40c9f731

Fix messages display level on TLS errors
author Sebastien Decugis <sdecugis@freediameter.net>
date Sun, 02 Feb 2014 18:06:43 +0800
parents 98478a8aabb1
children 25fad6714991
1255:c6a4bda62ccc 1256:bd6b40c9f731
1187 if (verbose) { 1187 if (verbose) {
1188 const char *tmp; 1188 const char *tmp;
1189 gnutls_kx_algorithm_t kx; 1189 gnutls_kx_algorithm_t kx;
1190 gnutls_credentials_type_t cred; 1190 gnutls_credentials_type_t cred;
1191 1191
1192 LOG_A("TLS Session information for connection '%s':", conn->cc_id); 1192 LOG_D("TLS Session information for connection '%s':", conn->cc_id);
1193 1193
1194 /* print the key exchange's algorithm name */ 1194 /* print the key exchange's algorithm name */
1195 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); 1195 GNUTLS_TRACE( kx = gnutls_kx_get (session) );
1196 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); 1196 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) );
1197 LOG_A("\t - Key Exchange: %s", tmp); 1197 LOG_D("\t - Key Exchange: %s", tmp);
1198 1198
1199 /* Check the authentication type used and switch 1199 /* Check the authentication type used and switch
1200 * to the appropriate. */ 1200 * to the appropriate. */
1201 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) ); 1201 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) );
1202 switch (cred) 1202 switch (cred)
1203 { 1203 {
1204 case GNUTLS_CRD_IA: 1204 case GNUTLS_CRD_IA:
1205 LOG_A("\t - TLS/IA session"); 1205 LOG_D("\t - TLS/IA session");
1206 break; 1206 break;
1207 1207
1208 case GNUTLS_CRD_PSK: 1208 case GNUTLS_CRD_PSK:
1209 /* This returns NULL in server side. */ 1209 /* This returns NULL in server side. */
1210 if (gnutls_psk_client_get_hint (session) != NULL) 1210 if (gnutls_psk_client_get_hint (session) != NULL)
1211 LOG_A("\t - PSK authentication. PSK hint '%s'", 1211 LOG_D("\t - PSK authentication. PSK hint '%s'",
1212 gnutls_psk_client_get_hint (session)); 1212 gnutls_psk_client_get_hint (session));
1213 /* This returns NULL in client side. */ 1213 /* This returns NULL in client side. */
1214 if (gnutls_psk_server_get_username (session) != NULL) 1214 if (gnutls_psk_server_get_username (session) != NULL)
1215 LOG_A("\t - PSK authentication. Connected as '%s'", 1215 LOG_D("\t - PSK authentication. Connected as '%s'",
1216 gnutls_psk_server_get_username (session)); 1216 gnutls_psk_server_get_username (session));
1217 break; 1217 break;
1218 1218
1219 case GNUTLS_CRD_ANON: /* anonymous authentication */ 1219 case GNUTLS_CRD_ANON: /* anonymous authentication */
1220 LOG_A("\t - Anonymous DH using prime of %d bits", 1220 LOG_D("\t - Anonymous DH using prime of %d bits",
1221 gnutls_dh_get_prime_bits (session)); 1221 gnutls_dh_get_prime_bits (session));
1222 break; 1222 break;
1223 1223
1224 case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */ 1224 case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */
1225 /* Check if we have been using ephemeral Diffie-Hellman. */ 1225 /* Check if we have been using ephemeral Diffie-Hellman. */
1226 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { 1226 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {
1227 LOG_A("\t - Ephemeral DH using prime of %d bits", 1227 LOG_D("\t - Ephemeral DH using prime of %d bits",
1228 gnutls_dh_get_prime_bits (session)); 1228 gnutls_dh_get_prime_bits (session));
1229 } 1229 }
1230 break; 1230 break;
1231 #ifdef ENABLE_SRP 1231 #ifdef ENABLE_SRP
1232 case GNUTLS_CRD_SRP: 1232 case GNUTLS_CRD_SRP:
1233 LOG_A("\t - SRP session with username %s", 1233 LOG_D("\t - SRP session with username %s",
1234 gnutls_srp_server_get_username (session)); 1234 gnutls_srp_server_get_username (session));
1235 break; 1235 break;
1236 #endif /* ENABLE_SRP */ 1236 #endif /* ENABLE_SRP */
1237 1237
1238 default: 1238 default:
1241 1241
1242 } 1242 }
1243 1243
1244 /* print the protocol's name (ie TLS 1.0) */ 1244 /* print the protocol's name (ie TLS 1.0) */
1245 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); 1245 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
1246 LOG_A("\t - Protocol: %s", tmp); 1246 LOG_D("\t - Protocol: %s", tmp);
1247 1247
1248 /* print the certificate type of the peer. ie X.509 */ 1248 /* print the certificate type of the peer. ie X.509 */
1249 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); 1249 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session));
1250 LOG_A("\t - Certificate Type: %s", tmp); 1250 LOG_D("\t - Certificate Type: %s", tmp);
1251 1251
1252 /* print the compression algorithm (if any) */ 1252 /* print the compression algorithm (if any) */
1253 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); 1253 tmp = gnutls_compression_get_name (gnutls_compression_get (session));
1254 LOG_A("\t - Compression: %s", tmp); 1254 LOG_D("\t - Compression: %s", tmp);
1255 1255
1256 /* print the name of the cipher used. ie 3DES. */ 1256 /* print the name of the cipher used. ie 3DES. */
1257 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); 1257 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
1258 LOG_A("\t - Cipher: %s", tmp); 1258 LOG_D("\t - Cipher: %s", tmp);
1259 1259
1260 /* Print the MAC algorithms name. ie SHA1 */ 1260 /* Print the MAC algorithms name. ie SHA1 */
1261 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); 1261 tmp = gnutls_mac_get_name (gnutls_mac_get (session));
1262 LOG_A("\t - MAC: %s", tmp); 1262 LOG_D("\t - MAC: %s", tmp);
1263 } 1263 }
1264 #endif /* DEBUG */ 1264 #endif /* DEBUG */
1265 1265
1266 /* First, use built-in verification */ 1266 /* First, use built-in verification */
1267 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &gtret), return EINVAL ); 1267 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &gtret), return EINVAL );
1268 if (gtret) { 1268 if (gtret) {
1269 if (TRACE_BOOL(INFO)) { 1269 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1270 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1270 if (gtret & GNUTLS_CERT_INVALID)
1271 if (gtret & GNUTLS_CERT_INVALID) 1271 LOG_E(" - The certificate is not trusted (unknown CA? expired?)");
1272 fd_log_debug(" - The certificate is not trusted (unknown CA? expired?)"); 1272 if (gtret & GNUTLS_CERT_REVOKED)
1273 if (gtret & GNUTLS_CERT_REVOKED) 1273 LOG_E(" - The certificate has been revoked.");
1274 fd_log_debug(" - The certificate has been revoked."); 1274 if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND)
1275 if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND) 1275 LOG_E(" - The certificate hasn't got a known issuer.");
1276 fd_log_debug(" - The certificate hasn't got a known issuer."); 1276 if (gtret & GNUTLS_CERT_SIGNER_NOT_CA)
1277 if (gtret & GNUTLS_CERT_SIGNER_NOT_CA) 1277 LOG_E(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");
1278 fd_log_debug(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); 1278 if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM)
1279 if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM) 1279 LOG_E(" - The certificate signature uses a weak algorithm.");
1280 fd_log_debug(" - The certificate signature uses a weak algorithm.");
1281 }
1282 return EINVAL; 1280 return EINVAL;
1283 } 1281 }
1284 1282
1285 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */ 1283 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */
1286 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) 1284 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
1285 LOG_E("TLS: Remote peer did not present a certificate, other mechanisms are not supported yet. socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1287 return EINVAL; 1286 return EINVAL;
1287 }
1288 1288
1289 GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) ); 1289 GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) );
1290 if (cert_list == NULL) 1290 if (cert_list == NULL)
1291 return EINVAL; 1291 return EINVAL;
1292 1292
1357 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); 1357 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL);
1358 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); 1358 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL);
1359 1359
1360 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) ); 1360 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) );
1361 if ((deadline != (time_t)-1) && (deadline < now)) { 1361 if ((deadline != (time_t)-1) && (deadline < now)) {
1362 if (TRACE_BOOL(INFO)) { 1362 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1363 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1363 LOG_E(" - The certificate %d in the chain is expired", i);
1364 fd_log_debug(" - The certificate %d in the chain is expired", i);
1365 }
1366 ret = EINVAL; 1364 ret = EINVAL;
1367 } 1365 }
1368 1366
1369 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) ); 1367 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) );
1370 if ((deadline != (time_t)-1) && (deadline > now)) { 1368 if ((deadline != (time_t)-1) && (deadline > now)) {
1371 if (TRACE_BOOL(INFO)) { 1369 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1372 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1370 LOG_E(" - The certificate %d in the chain is not yet activated", i);
1373 fd_log_debug(" - The certificate %d in the chain is not yet activated", i);
1374 }
1375 ret = EINVAL; 1371 ret = EINVAL;
1376 } 1372 }
1377 1373
1378 if ((i == 0) && (conn->cc_tls_para.cn)) { 1374 if ((i == 0) && (conn->cc_tls_para.cn)) {
1379 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { 1375 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) {
1380 if (TRACE_BOOL(INFO)) { 1376 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1381 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1377 LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
1382 fd_log_debug(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
1383 }
1384 ret = EINVAL; 1378 ret = EINVAL;
1385 } 1379 }
1386 } 1380 }
1387 1381
1388 GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) ); 1382 GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) );
1422 1416
1423 /* print the key exchange's algorithm name 1417 /* print the key exchange's algorithm name
1424 */ 1418 */
1425 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); 1419 GNUTLS_TRACE( kx = gnutls_kx_get (session) );
1426 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); 1420 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) );
1427 LOG_A("\t- Key Exchange: %s", tmp); 1421 LOG_D("\t- Key Exchange: %s", tmp);
1428 1422
1429 /* Check the authentication type used and switch 1423 /* Check the authentication type used and switch
1430 * to the appropriate. 1424 * to the appropriate.
1431 */ 1425 */
1432 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) ); 1426 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) );
1433 switch (cred) 1427 switch (cred)
1434 { 1428 {
1435 case GNUTLS_CRD_IA: 1429 case GNUTLS_CRD_IA:
1436 LOG_A("\t - TLS/IA session"); 1430 LOG_D("\t - TLS/IA session");
1437 break; 1431 break;
1438 1432
1439 1433
1440 #ifdef ENABLE_SRP 1434 #ifdef ENABLE_SRP
1441 case GNUTLS_CRD_SRP: 1435 case GNUTLS_CRD_SRP:
1442 LOG_A("\t - SRP session with username %s", 1436 LOG_D("\t - SRP session with username %s",
1443 gnutls_srp_server_get_username (session)); 1437 gnutls_srp_server_get_username (session));
1444 break; 1438 break;
1445 #endif 1439 #endif
1446 1440
1447 case GNUTLS_CRD_PSK: 1441 case GNUTLS_CRD_PSK:
1448 /* This returns NULL in server side. 1442 /* This returns NULL in server side.
1449 */ 1443 */
1450 if (gnutls_psk_client_get_hint (session) != NULL) 1444 if (gnutls_psk_client_get_hint (session) != NULL)
1451 LOG_A("\t - PSK authentication. PSK hint '%s'", 1445 LOG_D("\t - PSK authentication. PSK hint '%s'",
1452 gnutls_psk_client_get_hint (session)); 1446 gnutls_psk_client_get_hint (session));
1453 /* This returns NULL in client side. 1447 /* This returns NULL in client side.
1454 */ 1448 */
1455 if (gnutls_psk_server_get_username (session) != NULL) 1449 if (gnutls_psk_server_get_username (session) != NULL)
1456 LOG_A("\t - PSK authentication. Connected as '%s'", 1450 LOG_D("\t - PSK authentication. Connected as '%s'",
1457 gnutls_psk_server_get_username (session)); 1451 gnutls_psk_server_get_username (session));
1458 1452
1459 if (kx == GNUTLS_KX_ECDHE_PSK) 1453 if (kx == GNUTLS_KX_ECDHE_PSK)
1460 ecdh = 1; 1454 ecdh = 1;
1461 else if (kx == GNUTLS_KX_DHE_PSK) 1455 else if (kx == GNUTLS_KX_DHE_PSK)
1462 dhe = 1; 1456 dhe = 1;
1463 break; 1457 break;
1464 1458
1465 case GNUTLS_CRD_ANON: /* anonymous authentication */ 1459 case GNUTLS_CRD_ANON: /* anonymous authentication */
1466 LOG_A("\t - Anonymous DH using prime of %d bits", 1460 LOG_D("\t - Anonymous DH using prime of %d bits",
1467 gnutls_dh_get_prime_bits (session)); 1461 gnutls_dh_get_prime_bits (session));
1468 if (kx == GNUTLS_KX_ANON_ECDH) 1462 if (kx == GNUTLS_KX_ANON_ECDH)
1469 ecdh = 1; 1463 ecdh = 1;
1470 else if (kx == GNUTLS_KX_ANON_DH) 1464 else if (kx == GNUTLS_KX_ANON_DH)
1471 dhe = 1; 1465 dhe = 1;
1484 if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509) { 1478 if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509) {
1485 gnutls_datum_t cinfo; 1479 gnutls_datum_t cinfo;
1486 1480
1487 cert_list = gnutls_certificate_get_peers (session, &cert_list_size); 1481 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
1488 1482
1489 LOG_A("\t Peer provided %d certificates.", cert_list_size); 1483 LOG_D("\t Peer provided %d certificates.", cert_list_size);
1490 1484
1491 if (cert_list_size > 0) 1485 if (cert_list_size > 0)
1492 { 1486 {
1493 int ret; 1487 int ret;
1494 1488
1504 a certificate. */ 1498 a certificate. */
1505 1499
1506 ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo); 1500 ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo);
1507 if (ret == 0) 1501 if (ret == 0)
1508 { 1502 {
1509 LOG_A("\t\t%s", cinfo.data); 1503 LOG_D("\t\t%s", cinfo.data);
1510 gnutls_free (cinfo.data); 1504 gnutls_free (cinfo.data);
1511 } 1505 }
1512 1506
1513 if (conn->cc_tls_para.cn) { 1507 if (conn->cc_tls_para.cn) {
1514 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { 1508 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) {
1515 fd_log_debug("\tTLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1509 LOG_E("\tTLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1516 fd_log_debug("\t - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); 1510 LOG_E("\t - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
1517 gnutls_x509_crt_deinit (cert); 1511 gnutls_x509_crt_deinit (cert);
1518 return GNUTLS_E_CERTIFICATE_ERROR; 1512 return GNUTLS_E_CERTIFICATE_ERROR;
1519 } 1513 }
1520 1514
1521 } 1515 }
1527 } 1521 }
1528 } 1522 }
1529 break; 1523 break;
1530 1524
1531 default: 1525 default:
1532 LOG_A("\t - unknown session type (%d)", cred); 1526 LOG_E("\t - unknown session type (%d)", cred);
1533 1527
1534 } /* switch */ 1528 } /* switch */
1535 1529
1536 if (ecdh != 0) 1530 if (ecdh != 0)
1537 LOG_A("\t - Ephemeral ECDH using curve %s", 1531 LOG_D("\t - Ephemeral ECDH using curve %s",
1538 gnutls_ecc_curve_get_name (gnutls_ecc_curve_get (session))); 1532 gnutls_ecc_curve_get_name (gnutls_ecc_curve_get (session)));
1539 else if (dhe != 0) 1533 else if (dhe != 0)
1540 LOG_A("\t - Ephemeral DH using prime of %d bits", 1534 LOG_D("\t - Ephemeral DH using prime of %d bits",
1541 gnutls_dh_get_prime_bits (session)); 1535 gnutls_dh_get_prime_bits (session));
1542 1536
1543 /* print the protocol's name (ie TLS 1.0) 1537 /* print the protocol's name (ie TLS 1.0)
1544 */ 1538 */
1545 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); 1539 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
1546 LOG_A("\t - Protocol: %s", tmp); 1540 LOG_D("\t - Protocol: %s", tmp);
1547 1541
1548 /* print the certificate type of the peer. 1542 /* print the certificate type of the peer.
1549 * ie X.509 1543 * ie X.509
1550 */ 1544 */
1551 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); 1545 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session));
1552 LOG_A("\t - Certificate Type: %s", tmp); 1546 LOG_D("\t - Certificate Type: %s", tmp);
1553 1547
1554 /* print the compression algorithm (if any) 1548 /* print the compression algorithm (if any)
1555 */ 1549 */
1556 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); 1550 tmp = gnutls_compression_get_name (gnutls_compression_get (session));
1557 LOG_A("\t - Compression: %s", tmp); 1551 LOG_D("\t - Compression: %s", tmp);
1558 1552
1559 /* print the name of the cipher used. 1553 /* print the name of the cipher used.
1560 * ie 3DES. 1554 * ie 3DES.
1561 */ 1555 */
1562 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); 1556 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
1563 LOG_A("\t - Cipher: %s", tmp); 1557 LOG_D("\t - Cipher: %s", tmp);
1564 1558
1565 /* Print the MAC algorithms name. 1559 /* Print the MAC algorithms name.
1566 * ie SHA1 1560 * ie SHA1
1567 */ 1561 */
1568 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); 1562 tmp = gnutls_mac_get_name (gnutls_mac_get (session));
1569 LOG_A("\t - MAC: %s", tmp); 1563 LOG_D("\t - MAC: %s", tmp);
1570 1564
1571 #endif /* DEBUG */ 1565 #endif /* DEBUG */
1572 1566
1573 /* This verification function uses the trusted CAs in the credentials 1567 /* This verification function uses the trusted CAs in the credentials
1574 * structure. So you must have installed one or more CA certificates. 1568 * structure. So you must have installed one or more CA certificates.
1575 */ 1569 */
1576 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &status), return GNUTLS_E_CERTIFICATE_ERROR ); 1570 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &status), return GNUTLS_E_CERTIFICATE_ERROR );
1577 if (TRACE_BOOL(INFO) && (status & GNUTLS_CERT_INVALID)) { 1571 if (status & GNUTLS_CERT_INVALID) {
1578 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1572 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1579 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) 1573 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
1580 fd_log_debug(" - The certificate hasn't got a known issuer."); 1574 LOG_E(" - The certificate hasn't got a known issuer.");
1581 1575
1582 if (status & GNUTLS_CERT_REVOKED) 1576 if (status & GNUTLS_CERT_REVOKED)
1583 fd_log_debug(" - The certificate has been revoked."); 1577 LOG_E(" - The certificate has been revoked.");
1584 1578
1585 if (status & GNUTLS_CERT_EXPIRED) 1579 if (status & GNUTLS_CERT_EXPIRED)
1586 fd_log_debug(" - The certificate has expired."); 1580 LOG_E(" - The certificate has expired.");
1587 1581
1588 if (status & GNUTLS_CERT_NOT_ACTIVATED) 1582 if (status & GNUTLS_CERT_NOT_ACTIVATED)
1589 fd_log_debug(" - The certificate is not yet activated."); 1583 LOG_E(" - The certificate is not yet activated.");
1590 } 1584 }
1591 if (status & GNUTLS_CERT_INVALID) 1585 if (status & GNUTLS_CERT_INVALID)
1592 { 1586 {
1593 return GNUTLS_E_CERTIFICATE_ERROR; 1587 return GNUTLS_E_CERTIFICATE_ERROR;
1594 } 1588 }
1597 * OpenPGP keys. From now on X.509 certificates are assumed. This can 1591 * OpenPGP keys. From now on X.509 certificates are assumed. This can
1598 * be easily extended to work with openpgp keys as well. 1592 * be easily extended to work with openpgp keys as well.
1599 */ 1593 */
1600 if ((!hostname_verified) && (conn->cc_tls_para.cn)) { 1594 if ((!hostname_verified) && (conn->cc_tls_para.cn)) {
1601 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { 1595 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
1602 TRACE_DEBUG(INFO, "TLS: Remote credentials are not x509, rejected on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1596 LOG_E("TLS: Remote credentials are not x509, rejected on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1603 return GNUTLS_E_CERTIFICATE_ERROR; 1597 return GNUTLS_E_CERTIFICATE_ERROR;
1604 } 1598 }
1605 1599
1606 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return GNUTLS_E_CERTIFICATE_ERROR ); 1600 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return GNUTLS_E_CERTIFICATE_ERROR );
1607 1601
1609 CHECK_PARAMS_DO( cert_list, return GNUTLS_E_CERTIFICATE_ERROR ); 1603 CHECK_PARAMS_DO( cert_list, return GNUTLS_E_CERTIFICATE_ERROR );
1610 1604
1611 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER), return GNUTLS_E_CERTIFICATE_ERROR ); 1605 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER), return GNUTLS_E_CERTIFICATE_ERROR );
1612 1606
1613 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { 1607 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) {
1614 if (TRACE_BOOL(INFO)) { 1608 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);
1615 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1609 LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
1616 fd_log_debug(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);
1617 }
1618 gnutls_x509_crt_deinit (cert); 1610 gnutls_x509_crt_deinit (cert);
1619 return GNUTLS_E_CERTIFICATE_ERROR; 1611 return GNUTLS_E_CERTIFICATE_ERROR;
1620 } 1612 }
1621 1613
1622 gnutls_x509_crt_deinit (cert); 1614 gnutls_x509_crt_deinit (cert);
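Review bot: The two verification paths still disagree on what counts as a failure: new 1268 rejects on any non-zero `gtret`, while new 1571 and 1585 only reject when `status & GNUTLS_CERT_INVALID` is set, so the second path depends on GnuTLS always combining `GNUTLS_CERT_INVALID` with the more specific flags; `if (status) {` at both 1571 and 1585 would make the paths equally strict without relying on that. Neither error breakdown prints flags it does not enumerate (the first omits `GNUTLS_CERT_EXPIRED` and `GNUTLS_CERT_NOT_ACTIVATED`, the second omits `GNUTLS_CERT_SIGNER_NOT_CA` and `GNUTLS_CERT_INSECURE_ALGORITHM`), so an operator may see the header line with no reason beneath it; carrying the raw value in the header, e.g. `LOG_E("TLS: Remote certificate invalid (status 0x%x) on socket %d (Remote: '%s')(Connection: '%s') :", gtret, conn->cc_socket, conn->cc_remid, conn->cc_id);`, avoids that. The new message at 1285 says the peer "did not present a certificate", but the condition tests the credential type, so a non-X.509 credential is mislogged; `"TLS: Remote credentials are not X.509, other mechanisms are not supported yet. socket %d (Remote: '%s')(Connection: '%s') :"` matches what is checked and the wording already used at 1596. Both enclosing functions start and end outside the hunks shown.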