From: Andreas Steffen Date: Wed, 19 Mar 2008 12:06:38 +0000 (-0000) Subject: attempt to achieve consistent debugging output X-Git-Tag: 4.2.0~122 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae8715f956bb8e5d1c98a45b3f7ce8e155a0898f;p=thirdparty%2Fstrongswan.git attempt to achieve consistent debugging output --- diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index 6642c193f7..a3235bd04a 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -410,11 +410,8 @@ static ocsp_wrapper_t *ocsp_wrapper_create(ocsp_response_t *response) static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url, certificate_t *subject, certificate_t *issuer) { - certificate_t *request, *response, *issuer_cert; + certificate_t *request, *response; chunk_t send, receive; - identification_t *responder; - auth_info_t *auth; - ocsp_wrapper_t *wrapper; /* TODO: requestor name, signature */ request = lib->creds->create(lib->creds, @@ -429,6 +426,8 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url, send = request->get_encoding(request); request->destroy(request); + + DBG1(DBG_CFG, "requesting ocsp response from '%s' ...", url); if (lib->fetcher->fetch(lib->fetcher, url, &receive, FETCH_REQUEST_DATA, send, FETCH_REQUEST_TYPE, "application/ocsp-request", @@ -449,29 +448,40 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url, return NULL; } - responder = response->get_issuer(response); - auth = auth_info_create(); - wrapper = ocsp_wrapper_create((ocsp_response_t*)response); - this->sets->insert_first(this->sets, wrapper); - issuer_cert = get_trusted_cert(this, KEY_ANY, responder, auth, FALSE, FALSE); - this->sets->remove(this->sets, wrapper, NULL); - free(wrapper); - auth->destroy(auth); - if (!issuer_cert) - { - DBG1(DBG_CFG, " ocsp response untrusted: no signer certificate found"); - response->destroy(response); - return NULL; - } - if (!response->issued_by(response, issuer_cert, TRUE)) + + /* verify the signature of the ocsp response */ { - DBG1(DBG_CFG, " ocsp response untrusted: bad signature"); - response->destroy(response); + certificate_t *issuer_cert; + identification_t *responder; + auth_info_t *auth; + ocsp_wrapper_t *wrapper; + bool ok; + + auth = auth_info_create(); + wrapper = ocsp_wrapper_create((ocsp_response_t*)response); + this->sets->insert_first(this->sets, wrapper); + responder = response->get_issuer(response); + issuer_cert = get_trusted_cert(this, KEY_ANY, responder, auth, FALSE, FALSE); + this->sets->remove(this->sets, wrapper, NULL); + free(wrapper); + auth->destroy(auth); + + if (!issuer_cert) + { + DBG1(DBG_CFG, " ocsp response untrusted: no signer certificate found"); + response->destroy(response); + return NULL; + } + ok = response->issued_by(response, issuer_cert, TRUE); issuer_cert->destroy(issuer_cert); - return NULL; + DBG1(DBG_CFG, " ocsp response is %strusted: %s signature", + ok ? "":"un", ok ? "good" : "bad"); + if (ok) + { + response->destroy(response); + return NULL; + } } - issuer_cert->destroy(issuer_cert); - /* TODO: cache response? */ return response; } @@ -863,7 +873,7 @@ static bool check_certificate(private_credential_manager_t *this, } if (issuer && !subject->issued_by(subject, issuer, TRUE)) { - DBG1(DBG_CFG, "certificate %D not issued by %D", + DBG1(DBG_CFG, "certificate not issued by \"%D\"", subject->get_subject(subject), issuer->get_subject(issuer)); return FALSE; } @@ -1055,8 +1065,8 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this, public = subject->get_public_key(subject); if (public) { - DBG2(DBG_CFG, "using trusted certificate %D", - subject->get_subject(subject)); + DBG1(DBG_CFG, " using trusted certificate \"%D\"", + subject->get_subject(subject)); this->sets->remove(this->sets, wrapper, NULL); free(wrapper); this->mutex->unlock(this->mutex); @@ -1076,7 +1086,7 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this, subject = get_cert(this, CERT_ANY, type, id, FALSE); if (!subject) { - DBG1(DBG_CFG, "no end entity certificate found for %D", id); + DBG1(DBG_CFG, "no end entity certificate found for \"%D\"", id); } else { @@ -1093,7 +1103,7 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this, issuer == subject ? auth2 : NULL) && check_certificate(this, candidate, NULL, crl, ocsp, NULL)) { - DBG2(DBG_CFG, "using trusted root CA certificate %D", + DBG1(DBG_CFG, " using trusted root ca certificate \"%D\"", candidate->get_subject(candidate)); issuer = candidate; trusted = TRUE; @@ -1120,13 +1130,13 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this, { if (issuer != subject) { - DBG2(DBG_CFG, "using intermediate CA certificate %D", + DBG1(DBG_CFG, " using intermediate ca certificate \"%D\"", candidate->get_subject(candidate)); auth1->add_item(auth1, AUTHZ_IM_CERT, candidate); } else { - DBG2(DBG_CFG, "using end entity certificate %D", + DBG1(DBG_CFG, " using end entity certificate \"%D\"", candidate->get_subject(candidate)); } issuer = candidate; diff --git a/src/charon/sa/authenticators/rsa_authenticator.c b/src/charon/sa/authenticators/rsa_authenticator.c index becef18417..9f34d51db3 100644 --- a/src/charon/sa/authenticators/rsa_authenticator.c +++ b/src/charon/sa/authenticators/rsa_authenticator.c @@ -81,7 +81,7 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init, * TODO: allow other hash algorithms and note it in "auth" */ if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, octets, auth_data)) { - DBG1(DBG_IKE, "authentication of %D with %N successful", + DBG1(DBG_IKE, "authentication of '%D' with %N successful", other_id, auth_method_names, AUTH_RSA); status = SUCCESS; } @@ -89,7 +89,7 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init, } else { - DBG1(DBG_IKE, "no trusted public key found for %D", other_id); + DBG1(DBG_IKE, "no trusted public key found for '%D'", other_id); } chunk_free(&octets); return status; @@ -109,7 +109,7 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init, auth_info_t *auth; my_id = this->ike_sa->get_my_id(this->ike_sa); - DBG1(DBG_IKE, "authentication of %D (myself) with %N", + DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", my_id, auth_method_names, AUTH_RSA); auth = this->ike_sa->get_my_auth(this->ike_sa); @@ -117,7 +117,7 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init, my_id, auth); if (private == NULL) { - DBG1(DBG_IKE, "no RSA private key found for %D", my_id); + DBG1(DBG_IKE, "no RSA private key found for '%D'", my_id); return NOT_FOUND; } prf = this->ike_sa->get_prf(this->ike_sa); diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index 11382047a7..b96371bcfa 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -187,7 +187,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) if (auth == NULL) { - SIG(IKE_UP_FAILED, "authentication method %N used by %D not " + SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not " "supported", auth_method_names, auth_method, this->ike_sa->get_other_id(this->ike_sa)); return NOT_SUPPORTED; @@ -228,7 +228,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) req = this->ike_sa->get_other_id(this->ike_sa); if (!id->matches(id, req)) { - SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req); + SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req); id->destroy(id); return FAILED; } @@ -316,12 +316,12 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message) if (!this->initiator) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D", + SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", this->ike_sa->get_name(this->ike_sa), - this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa)); + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa)); return SUCCESS; } return NEED_MORE; @@ -362,12 +362,12 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message) if (this->initiator) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D", + SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", this->ike_sa->get_name(this->ike_sa), - this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa)); + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa)); return SUCCESS; } return NEED_MORE; @@ -399,7 +399,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; default: this->eap_payload = NULL; - SIG(IKE_UP_FAILED, "failed to authenticate against %D using EAP", + SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP", this->ike_sa->get_other_id(this->ike_sa)); return FAILED; } @@ -562,7 +562,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) config = this->ike_sa->get_peer_cfg(this->ike_sa); if (config == NULL) { - SIG(IKE_UP_FAILED, "no matching config found for %D...%D", + SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'", this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); @@ -580,12 +580,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) if (this->peer_authenticated) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D", + SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", this->ike_sa->get_name(this->ike_sa), - this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa)); + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa)); return SUCCESS; } @@ -688,17 +688,17 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) auth = this->ike_sa->get_other_auth(this->ike_sa); if (!auth->complies(auth, config->get_auth(config))) { - SIG(IKE_UP_FAILED, "authorization of %D for config %s failed", + SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed", this->ike_sa->get_other_id(this->ike_sa), config->get_name(config)); return FAILED; } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D", + SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", this->ike_sa->get_name(this->ike_sa), - this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa)); + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa)); return SUCCESS; } diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c index a3cad0b400..3ec4ceca76 100644 --- a/src/charon/sa/tasks/ike_cert_post.c +++ b/src/charon/sa/tasks/ike_cert_post.c @@ -86,7 +86,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) { break; } - DBG1(DBG_IKE, "sending end entity cert %D", + DBG1(DBG_IKE, "sending end entity cert \"%D\"", cert->get_subject(cert)); message->add_payload(message, (payload_t*)payload); @@ -98,7 +98,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) payload = cert_payload_create_from_cert(cert); if (payload) { - DBG1(DBG_IKE, "sending issuer cert %D", + DBG1(DBG_IKE, "sending issuer cert \"%D\"", cert->get_subject(cert)); message->add_payload(message, (payload_t*)payload); } diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c index aa1cfb18ac..752f94c402 100644 --- a/src/charon/sa/tasks/ike_cert_pre.c +++ b/src/charon/sa/tasks/ike_cert_pre.c @@ -88,7 +88,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) CERT_X509, KEY_ANY, id, TRUE); if (cert) { - DBG1(DBG_IKE, "received cert request for %D", + DBG1(DBG_IKE, "received cert request for \"%D\"", cert->get_subject(cert)); auth->add_item(auth, AUTHN_CA_CERT, cert); cert->destroy(cert); @@ -133,14 +133,14 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) if (first) { /* the first certificate MUST be an end entity one */ - DBG1(DBG_IKE, "received end entity cert %D", + DBG1(DBG_IKE, "received end entity cert \"%D\"", cert->get_subject(cert)); auth->add_item(auth, AUTHN_SUBJECT_CERT, cert); first = FALSE; } else { - DBG1(DBG_IKE, "received issuer cert %D", + DBG1(DBG_IKE, "received issuer cert \"%D\"", cert->get_subject(cert)); auth->add_item(auth, AUTHN_IM_CERT, cert); } @@ -184,7 +184,7 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp, req = *reqp; keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1); req->add_keyid(req, keyid->get_encoding(keyid)); - DBG1(DBG_IKE, "sending cert request for %D", + DBG1(DBG_IKE, "sending cert request for \"%D\"", cert->get_subject(cert)); break; } diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 87971f2187..565ab82abf 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -502,19 +502,19 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, version = (object.len)? (1 + (u_int)*object.ptr) : 1; if (version != OCSP_BASIC_RESPONSE_VERSION) { - DBG1("OCSP ResponseData version %d not supported", version); + DBG1(" ocsp ResponseData version %d not supported", version); return FALSE; } break; case BASIC_RESPONSE_ID_BY_NAME: this->responderId = identification_create_from_encoding( ID_DER_ASN1_DN, object); - DBG3(" %D", this->responderId); + DBG2(" '%D'", this->responderId); break; case BASIC_RESPONSE_ID_BY_KEY: this->responderId = identification_create_from_encoding( ID_PUBKEY_INFO_SHA1, object); - DBG3(" %D", this->responderId); + DBG2(" '%D'", this->responderId); break; case BASIC_RESPONSE_PRODUCED_AT: this->producedAt = asn1totime(&object, ASN1_GENERALIZEDTIME); @@ -527,7 +527,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, break; case BASIC_RESPONSE_CRITICAL: critical = object.len && *object.ptr; - DBG3(" %s", critical ? "TRUE" : "FALSE"); + DBG2(" %s", critical ? "TRUE" : "FALSE"); break; case BASIC_RESPONSE_EXT_VALUE: if (extn_oid == OID_NONCE) @@ -591,7 +591,7 @@ static bool parse_OCSPResponse(private_x509_ocsp_response_t *this) case OCSP_SUCCESSFUL: break; default: - DBG1("OCSP response status: %N", + DBG1(" ocsp response status: %N", ocsp_status_names, status); return FALSE; } @@ -605,7 +605,7 @@ static bool parse_OCSPResponse(private_x509_ocsp_response_t *this) case OID_BASIC: return parse_basicOCSPResponse(this, object, level+1); default: - DBG1("OCSP response type %#B not supported", &object); + DBG1(" ocsp response type %#B not supported", &object); return FALSE; } break; diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 948472cc8c..4eead4a9f9 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -934,7 +934,7 @@ static int print(FILE *stream, const struct printf_info *info, snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr); /* TODO: whats returned on failure?*/ dntoa(this->encoded, &buf_chunk); - return fprintf(stream, "\"%s\"", buf); + return fprintf(stream, "%s", buf); } case ID_DER_ASN1_GN: return fprintf(stream, "(ASN.1 general Name");