Changeset 1256:bd6b40c9f731 in freeDiameter for libfdcore
- Timestamp:
- Feb 2, 2014, 7:06:43 PM (10 years ago)
- Branch:
- default
- Children:
- 1257:55d0867dd8b8, 1258:97caad40b665
- Phase:
- public
- File:
-
- 1 edited
libfdcore/cnxctx.c
r1211 r1256 1190 1190 gnutls_credentials_type_t cred; 1191 1191 1192 LOG_ A("TLS Session information for connection '%s':", conn->cc_id);1192 LOG_D("TLS Session information for connection '%s':", conn->cc_id); 1193 1193 1194 1194 /* print the key exchange's algorithm name */ 1195 1195 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); 1196 1196 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); 1197 LOG_ A("\t - Key Exchange: %s", tmp);1197 LOG_D("\t - Key Exchange: %s", tmp); 1198 1198 1199 1199 /* Check the authentication type used and switch … … 1203 1203 { 1204 1204 case GNUTLS_CRD_IA: 1205 LOG_ A("\t - TLS/IA session");1205 LOG_D("\t - TLS/IA session"); 1206 1206 break; 1207 1207 … … 1209 1209 /* This returns NULL in server side. */ 1210 1210 if (gnutls_psk_client_get_hint (session) != NULL) 1211 LOG_ A("\t - PSK authentication. PSK hint '%s'",1211 LOG_D("\t - PSK authentication. PSK hint '%s'", 1212 1212 gnutls_psk_client_get_hint (session)); 1213 1213 /* This returns NULL in client side. */ 1214 1214 if (gnutls_psk_server_get_username (session) != NULL) 1215 LOG_ A("\t - PSK authentication. Connected as '%s'",1215 LOG_D("\t - PSK authentication. Connected as '%s'", 1216 1216 gnutls_psk_server_get_username (session)); 1217 1217 break; 1218 1218 1219 1219 case GNUTLS_CRD_ANON: /* anonymous authentication */ 1220 LOG_ A("\t - Anonymous DH using prime of %d bits",1220 LOG_D("\t - Anonymous DH using prime of %d bits", 1221 1221 gnutls_dh_get_prime_bits (session)); 1222 1222 break; … … 1225 1225 /* Check if we have been using ephemeral Diffie-Hellman. 
*/ 1226 1226 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { 1227 LOG_ A("\t - Ephemeral DH using prime of %d bits",1227 LOG_D("\t - Ephemeral DH using prime of %d bits", 1228 1228 gnutls_dh_get_prime_bits (session)); 1229 1229 } … … 1231 1231 #ifdef ENABLE_SRP 1232 1232 case GNUTLS_CRD_SRP: 1233 LOG_ A("\t - SRP session with username %s",1233 LOG_D("\t - SRP session with username %s", 1234 1234 gnutls_srp_server_get_username (session)); 1235 1235 break; … … 1244 1244 /* print the protocol's name (ie TLS 1.0) */ 1245 1245 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); 1246 LOG_ A("\t - Protocol: %s", tmp);1246 LOG_D("\t - Protocol: %s", tmp); 1247 1247 1248 1248 /* print the certificate type of the peer. ie X.509 */ 1249 1249 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); 1250 LOG_ A("\t - Certificate Type: %s", tmp);1250 LOG_D("\t - Certificate Type: %s", tmp); 1251 1251 1252 1252 /* print the compression algorithm (if any) */ 1253 1253 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); 1254 LOG_ A("\t - Compression: %s", tmp);1254 LOG_D("\t - Compression: %s", tmp); 1255 1255 1256 1256 /* print the name of the cipher used. ie 3DES. */ 1257 1257 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); 1258 LOG_ A("\t - Cipher: %s", tmp);1258 LOG_D("\t - Cipher: %s", tmp); 1259 1259 1260 1260 /* Print the MAC algorithms name. 
ie SHA1 */ 1261 1261 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); 1262 LOG_ A("\t - MAC: %s", tmp);1262 LOG_D("\t - MAC: %s", tmp); 1263 1263 } 1264 1264 #endif /* DEBUG */ … … 1267 1267 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, >ret), return EINVAL ); 1268 1268 if (gtret) { 1269 if (TRACE_BOOL(INFO)) { 1270 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1271 if (gtret & GNUTLS_CERT_INVALID) 1272 fd_log_debug(" - The certificate is not trusted (unknown CA? expired?)"); 1273 if (gtret & GNUTLS_CERT_REVOKED) 1274 fd_log_debug(" - The certificate has been revoked."); 1275 if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND) 1276 fd_log_debug(" - The certificate hasn't got a known issuer."); 1277 if (gtret & GNUTLS_CERT_SIGNER_NOT_CA) 1278 fd_log_debug(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); 1279 if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM) 1280 fd_log_debug(" - The certificate signature uses a weak algorithm."); 1281 } 1269 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1270 if (gtret & GNUTLS_CERT_INVALID) 1271 LOG_E(" - The certificate is not trusted (unknown CA? 
expired?)"); 1272 if (gtret & GNUTLS_CERT_REVOKED) 1273 LOG_E(" - The certificate has been revoked."); 1274 if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND) 1275 LOG_E(" - The certificate hasn't got a known issuer."); 1276 if (gtret & GNUTLS_CERT_SIGNER_NOT_CA) 1277 LOG_E(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); 1278 if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM) 1279 LOG_E(" - The certificate signature uses a weak algorithm."); 1282 1280 return EINVAL; 1283 1281 } 1284 1282 1285 1283 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */ 1286 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) 1284 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { 1285 LOG_E("TLS: Remote peer did not present a certificate, other mechanisms are not supported yet. socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1287 1286 return EINVAL; 1287 } 1288 1288 1289 1289 GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) ); … … 1360 1360 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) ); 1361 1361 if ((deadline != (time_t)-1) && (deadline < now)) { 1362 if (TRACE_BOOL(INFO)) { 1363 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1364 fd_log_debug(" - The certificate %d in the chain is expired", i); 1365 } 1362 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1363 LOG_E(" - The certificate %d in the chain is expired", i); 1366 1364 ret = EINVAL; 1367 1365 } … … 1369 1367 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) ); 1370 1368 if ((deadline != (time_t)-1) && (deadline > now)) { 1371 if (TRACE_BOOL(INFO)) { 1372 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: 
'%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1373 fd_log_debug(" - The certificate %d in the chain is not yet activated", i); 1374 } 1369 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1370 LOG_E(" - The certificate %d in the chain is not yet activated", i); 1375 1371 ret = EINVAL; 1376 1372 } … … 1378 1374 if ((i == 0) && (conn->cc_tls_para.cn)) { 1379 1375 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { 1380 if (TRACE_BOOL(INFO)) { 1381 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1382 fd_log_debug(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); 1383 } 1376 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1377 LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); 1384 1378 ret = EINVAL; 1385 1379 } … … 1425 1419 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); 1426 1420 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); 1427 LOG_ A("\t- Key Exchange: %s", tmp);1421 LOG_D("\t- Key Exchange: %s", tmp); 1428 1422 1429 1423 /* Check the authentication type used and switch … … 1434 1428 { 1435 1429 case GNUTLS_CRD_IA: 1436 LOG_ A("\t - TLS/IA session");1430 LOG_D("\t - TLS/IA session"); 1437 1431 break; 1438 1432 … … 1440 1434 #ifdef ENABLE_SRP 1441 1435 case GNUTLS_CRD_SRP: 1442 LOG_ A("\t - SRP session with username %s",1436 LOG_D("\t - SRP session with username %s", 1443 1437 gnutls_srp_server_get_username (session)); 1444 1438 break; … … 1449 1443 */ 1450 1444 if (gnutls_psk_client_get_hint (session) != NULL) 1451 LOG_ A("\t - PSK authentication. PSK hint '%s'",1445 LOG_D("\t - PSK authentication. 
PSK hint '%s'", 1452 1446 gnutls_psk_client_get_hint (session)); 1453 1447 /* This returns NULL in client side. 1454 1448 */ 1455 1449 if (gnutls_psk_server_get_username (session) != NULL) 1456 LOG_ A("\t - PSK authentication. Connected as '%s'",1450 LOG_D("\t - PSK authentication. Connected as '%s'", 1457 1451 gnutls_psk_server_get_username (session)); 1458 1452 … … 1464 1458 1465 1459 case GNUTLS_CRD_ANON: /* anonymous authentication */ 1466 LOG_ A("\t - Anonymous DH using prime of %d bits",1460 LOG_D("\t - Anonymous DH using prime of %d bits", 1467 1461 gnutls_dh_get_prime_bits (session)); 1468 1462 if (kx == GNUTLS_KX_ANON_ECDH) … … 1487 1481 cert_list = gnutls_certificate_get_peers (session, &cert_list_size); 1488 1482 1489 LOG_ A("\t Peer provided %d certificates.", cert_list_size);1483 LOG_D("\t Peer provided %d certificates.", cert_list_size); 1490 1484 1491 1485 if (cert_list_size > 0) … … 1507 1501 if (ret == 0) 1508 1502 { 1509 LOG_ A("\t\t%s", cinfo.data);1503 LOG_D("\t\t%s", cinfo.data); 1510 1504 gnutls_free (cinfo.data); 1511 1505 } … … 1513 1507 if (conn->cc_tls_para.cn) { 1514 1508 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { 1515 fd_log_debug("\tTLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);1516 fd_log_debug("\t - The certificate hostname does not match '%s'", conn->cc_tls_para.cn);1509 LOG_E("\tTLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1510 LOG_E("\t - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); 1517 1511 gnutls_x509_crt_deinit (cert); 1518 1512 return GNUTLS_E_CERTIFICATE_ERROR; … … 1530 1524 1531 1525 default: 1532 LOG_ A("\t - unknown session type (%d)", cred);1526 LOG_E("\t - unknown session type (%d)", cred); 1533 1527 1534 1528 } /* switch */ 1535 1529 1536 1530 if (ecdh != 0) 1537 LOG_ A("\t - Ephemeral ECDH using curve 
%s",1531 LOG_D("\t - Ephemeral ECDH using curve %s", 1538 1532 gnutls_ecc_curve_get_name (gnutls_ecc_curve_get (session))); 1539 1533 else if (dhe != 0) 1540 LOG_ A("\t - Ephemeral DH using prime of %d bits",1534 LOG_D("\t - Ephemeral DH using prime of %d bits", 1541 1535 gnutls_dh_get_prime_bits (session)); 1542 1536 … … 1544 1538 */ 1545 1539 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); 1546 LOG_ A("\t - Protocol: %s", tmp);1540 LOG_D("\t - Protocol: %s", tmp); 1547 1541 1548 1542 /* print the certificate type of the peer. … … 1550 1544 */ 1551 1545 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); 1552 LOG_ A("\t - Certificate Type: %s", tmp);1546 LOG_D("\t - Certificate Type: %s", tmp); 1553 1547 1554 1548 /* print the compression algorithm (if any) 1555 1549 */ 1556 1550 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); 1557 LOG_ A("\t - Compression: %s", tmp);1551 LOG_D("\t - Compression: %s", tmp); 1558 1552 1559 1553 /* print the name of the cipher used. … … 1561 1555 */ 1562 1556 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); 1563 LOG_ A("\t - Cipher: %s", tmp);1557 LOG_D("\t - Cipher: %s", tmp); 1564 1558 1565 1559 /* Print the MAC algorithms name. 
… … 1567 1561 */ 1568 1562 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); 1569 LOG_ A("\t - MAC: %s", tmp);1563 LOG_D("\t - MAC: %s", tmp); 1570 1564 1571 1565 #endif /* DEBUG */ … … 1575 1569 */ 1576 1570 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &status), return GNUTLS_E_CERTIFICATE_ERROR ); 1577 if ( TRACE_BOOL(INFO) && (status & GNUTLS_CERT_INVALID)) {1578 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);1571 if (status & GNUTLS_CERT_INVALID) { 1572 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1579 1573 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) 1580 fd_log_debug(" - The certificate hasn't got a known issuer.");1574 LOG_E(" - The certificate hasn't got a known issuer."); 1581 1575 1582 1576 if (status & GNUTLS_CERT_REVOKED) 1583 fd_log_debug(" - The certificate has been revoked.");1577 LOG_E(" - The certificate has been revoked."); 1584 1578 1585 1579 if (status & GNUTLS_CERT_EXPIRED) 1586 fd_log_debug(" - The certificate has expired.");1580 LOG_E(" - The certificate has expired."); 1587 1581 1588 1582 if (status & GNUTLS_CERT_NOT_ACTIVATED) 1589 fd_log_debug(" - The certificate is not yet activated.");1583 LOG_E(" - The certificate is not yet activated."); 1590 1584 } 1591 1585 if (status & GNUTLS_CERT_INVALID) … … 1600 1594 if ((!hostname_verified) && (conn->cc_tls_para.cn)) { 1601 1595 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { 1602 TRACE_DEBUG(INFO,"TLS: Remote credentials are not x509, rejected on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id);1596 LOG_E("TLS: Remote credentials are not x509, rejected on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1603 1597 return GNUTLS_E_CERTIFICATE_ERROR; 1604 1598 } … … 1612 1606 1613 1607 if 
(!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { 1614 if (TRACE_BOOL(INFO)) { 1615 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1616 fd_log_debug(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); 1617 } 1608 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); 1609 LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); 1618 1610 gnutls_x509_crt_deinit (cert); 1619 1611 return GNUTLS_E_CERTIFICATE_ERROR;
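Review bot: The failure breakdown under `if (status & GNUTLS_CERT_INVALID)` at new line 1571 reports fewer reasons than the equivalent block at new lines 1269–1279: GNUTLS_CERT_SIGNER_NOT_CA and GNUTLS_CERT_INSECURE_ALGORITHM are logged there but never here, so a weak-signature or non-CA-signer rejection in this callback leaves only the generic "Remote certificate invalid" line in the log. Adding `if (status & GNUTLS_CERT_INSECURE_ALGORITHM) LOG_E(" - The certificate signature uses a weak algorithm.");` and `if (status & GNUTLS_CERT_SIGNER_NOT_CA) LOG_E(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");` next to the existing checks would make the two verification paths diagnose the same way. Separately, the new message at line 1285 says the peer "did not present a certificate", but the condition only establishes that the negotiated certificate type is not X.509; wording it as `"TLS: Remote peer certificate type is not X.509, other types are not supported yet. socket %d (Remote: '%s')(Connection: '%s') :"` avoids misleading an operator reading the log. Both enclosing functions start and end outside the hunks shown.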