"KNL",
"NET",
"ENC",
+ "TLS",
"LIB",
);
"knl",
"net",
"enc",
+ "tls",
"lib",
);
DBG_NET,
/** message encoding/decoding */
DBG_ENC,
+ /** libtls */
+ DBG_TLS,
/** libstrongswan */
DBG_LIB,
/** number of groups */
this->suite_count = count;
this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
- DBG2(DBG_CFG, "%d supported TLS cipher suites:", count);
+ DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
for (i = 0; i < count; i++)
{
- DBG2(DBG_CFG, " %N", tls_cipher_suite_names, suites[i].suite);
+ DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
this->suites[i] = suites[i].suite;
}
}
algs = find_suite(suite);
if (!algs)
{
- DBG1(DBG_IKE, "selected TLS suite not supported");
+ DBG1(DBG_TLS, "selected TLS suite not supported");
return FALSE;
}
}
if (!this->prf)
{
- DBG1(DBG_IKE, "selected TLS PRF not supported");
+ DBG1(DBG_TLS, "selected TLS PRF not supported");
return FALSE;
}
this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
if (!this->signer_in || !this->signer_out)
{
- DBG1(DBG_IKE, "selected TLS MAC %N not supported",
+ DBG1(DBG_TLS, "selected TLS MAC %N not supported",
integrity_algorithm_names, algs->mac);
return FALSE;
}
algs->encr, algs->encr_size);
if (!this->crypter_in || !this->crypter_out)
{
- DBG1(DBG_IKE, "selected TLS crypter %N not supported",
+ DBG1(DBG_TLS, "selected TLS crypter %N not supported",
encryption_algorithm_names, algs->encr);
return FALSE;
}
hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
if (!hasher)
{
- DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, alg->hash);
+ DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
return FALSE;
}
hasher->allocate_hash(hasher, this->handshake, hash);
md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
if (!md5)
{
- DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_MD5);
+ DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
return FALSE;
}
md5->get_hash(md5, this->handshake, buf);
sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (!sha1)
{
- DBG1(DBG_IKE, "%N not supported", hash_algorithm_names, HASH_SHA1);
+ DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
return FALSE;
}
sha1->get_hash(sha1, this->handshake, buf + HASH_SIZE_MD5);
!reader->read_uint8(reader, &alg) ||
!reader->read_data16(reader, &sig))
{
- DBG1(DBG_IKE, "received invalid Certificate Verify");
+ DBG1(DBG_TLS, "received invalid Certificate Verify");
return FALSE;
}
/* TODO: map received hash/sig alg to signature scheme */
if (!reader->read_data16(reader, &sig))
{
- DBG1(DBG_IKE, "received invalid Certificate Verify");
+ DBG1(DBG_TLS, "received invalid Certificate Verify");
return FALSE;
}
if (!hash_handshake(this, &hash))
if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
{
- DBG1(DBG_IKE, "TLS fragment has invalid length");
+ DBG1(DBG_TLS, "TLS fragment has invalid length");
return FAILED;
}
this->type = type;
if (len > MAX_TLS_HANDSHAKE_LEN)
{
- DBG1(DBG_IKE, "TLS handshake message exceeds maximum length");
+ DBG1(DBG_TLS, "TLS handshake message exceeds maximum length");
return FAILED;
}
chunk_free(&this->input);
if (this->input.len == this->inpos)
{ /* message completely defragmented, process */
msg = tls_reader_create(this->input);
- DBG2(DBG_IKE, "received TLS %N message (%u bytes)",
+ DBG2(DBG_TLS, "received TLS %N message (%u bytes)",
tls_handshake_type_names, this->type, 4 + this->input.len);
status = this->handshake->process(this->handshake, this->type, msg);
msg->destroy(msg);
if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
{
- DBG1(DBG_IKE, "TLS fragment has invalid length");
+ DBG1(DBG_TLS, "TLS fragment has invalid length");
return FAILED;
}
status = this->application->process(this->application, reader);
status = process_application(this, reader);
break;
default:
- DBG1(DBG_IKE, "received unknown TLS content type %d, ignored", type);
+ DBG1(DBG_TLS, "received unknown TLS content type %d, ignored", type);
status = NEED_MORE;
break;
}
hs_data = writer->get_buf(writer);
msg->write_uint8(msg, hs_type);
msg->write_data24(msg, hs_data);
- DBG2(DBG_IKE, "sending TLS %N message (%u bytes)",
+ DBG2(DBG_TLS, "sending TLS %N message (%u bytes)",
tls_handshake_type_names, hs_type, 4 + hs_data.len);
break;
case INVALID_STATE:
!reader->read_uint8(reader, &compression) ||
(reader->remaining(reader) && !reader->read_data16(reader, &ext)))
{
- DBG1(DBG_IKE, "received invalid ServerHello");
+ DBG1(DBG_TLS, "received invalid ServerHello");
return FAILED;
}
suite = cipher;
if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1))
{
- DBG1(DBG_IKE, "received TLS cipher suite %N inacceptable",
+ DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
tls_cipher_suite_names, suite);
return FAILED;
}
- DBG1(DBG_IKE, "negotiated TLS version %N with suite %N",
+ DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
tls_version_names, version, tls_cipher_suite_names, suite);
this->state = STATE_HELLO_RECEIVED;
return NEED_MORE;
{
this->server_auth->add(this->server_auth,
AUTH_HELPER_SUBJECT_CERT, cert);
- DBG1(DBG_IKE, "received TLS server certificate '%Y'",
+ DBG1(DBG_TLS, "received TLS server certificate '%Y'",
cert->get_subject(cert));
first = FALSE;
}
else
{
- DBG1(DBG_IKE, "received TLS intermediate certificate '%Y'",
+ DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
cert->get_subject(cert));
this->server_auth->add(this->server_auth,
AUTH_HELPER_IM_CERT, cert);
}
else
{
- DBG1(DBG_IKE, "parsing TLS certificate failed, skipped");
+ DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
}
}
certs->destroy(certs);
CERT_X509, KEY_ANY, id, TRUE);
if (cert)
{
- DBG1(DBG_IKE, "received TLS cert request for '%Y", id);
+ DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
}
else
{
- DBG1(DBG_IKE, "received TLS cert request for unknown CA '%Y'", id);
+ DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
}
id->destroy(id);
}
if (!reader->read_data(reader, sizeof(buf), &received))
{
- DBG1(DBG_IKE, "received server finished too short");
+ DBG1(DBG_TLS, "received server finished too short");
return FAILED;
}
if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
{
- DBG1(DBG_IKE, "calculating server finished failed");
+ DBG1(DBG_TLS, "calculating server finished failed");
return FAILED;
}
if (!chunk_equals(received, chunk_from_thing(buf)))
{
- DBG1(DBG_IKE, "received server finished invalid");
+ DBG1(DBG_TLS, "received server finished invalid");
return FAILED;
}
this->state = STATE_COMPLETE;
expected = TLS_FINISHED;
break;
default:
- DBG1(DBG_IKE, "TLS %N not expected in current state",
+ DBG1(DBG_TLS, "TLS %N not expected in current state",
tls_handshake_type_names, type);
return FAILED;
}
- DBG1(DBG_IKE, "TLS %N expected, but received %N",
+ DBG1(DBG_TLS, "TLS %N expected, but received %N",
tls_handshake_type_names, expected, tls_handshake_type_names, type);
return FAILED;
}
/* add TLS cipher suites */
count = this->crypto->get_cipher_suites(this->crypto, &suites);
- DBG2(DBG_IKE, "sending %d TLS cipher suites:", count);
+ DBG2(DBG_TLS, "sending %d TLS cipher suites:", count);
writer->write_uint16(writer, count * 2);
for (i = 0; i < count; i++)
{
- DBG2(DBG_IKE, " %N", tls_cipher_suite_names, suites[i]);
+ DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
writer->write_uint16(writer, suites[i]);
}
KEY_ANY, this->peer, this->peer_auth);
if (!this->private)
{
- DBG1(DBG_IKE, "no TLS peer certificate found for '%Y'", this->peer);
+ DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer);
return FAILED;
}
{
if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
{
- DBG1(DBG_IKE, "sending TLS peer certificate '%Y'",
+ DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
cert->get_subject(cert));
certs->write_data24(certs, data);
free(data.ptr);
{
if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
{
- DBG1(DBG_IKE, "sending TLS intermediate certificate '%Y'",
+ DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
cert->get_subject(cert));
certs->write_data24(certs, data);
free(data.ptr);
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
if (!rng)
{
- DBG1(DBG_IKE, "no suitable RNG found for TLS premaster secret");
+ DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
return FAILED;
}
rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
}
if (!public)
{
- DBG1(DBG_IKE, "no TLS public key found for server '%Y'", this->server);
+ DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
return FAILED;
}
if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
chunk_from_thing(premaster), &encrypted))
{
public->destroy(public);
- DBG1(DBG_IKE, "encrypting TLS premaster secret failed");
+ DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
return FAILED;
}
if (!this->private ||
!this->crypto->sign_handshake(this->crypto, this->private, writer))
{
- DBG1(DBG_IKE, "creating TLS Certificate Verify signature failed");
+ DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
return FAILED;
}
if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
{
- DBG1(DBG_IKE, "calculating client finished data failed");
+ DBG1(DBG_TLS, "calculating client finished data failed");
return FAILED;
}
{ /* < TLSv1.1 uses IV from key derivation/last block */
if (data.len < bs || data.len % bs)
{
- DBG1(DBG_IKE, "encrypted TLS record length invalid");
+ DBG1(DBG_TLS, "encrypted TLS record length invalid");
return FAILED;
}
iv = this->iv_in;
data = chunk_skip(data, iv.len);
if (data.len < bs || data.len % bs)
{
- DBG1(DBG_IKE, "encrypted TLS record length invalid");
+ DBG1(DBG_TLS, "encrypted TLS record length invalid");
return FAILED;
}
}
padding_length = data.ptr[data.len - 1];
if (padding_length >= data.len)
{
- DBG1(DBG_IKE, "invalid TLS record padding");
+ DBG1(DBG_TLS, "invalid TLS record padding");
return FAILED;
}
data.len -= padding_length + 1;
bs = this->signer_in->get_block_size(this->signer_in);
if (data.len <= bs)
{
- DBG1(DBG_IKE, "TLS record too short to verify MAC");
+ DBG1(DBG_TLS, "TLS record too short to verify MAC");
return FAILED;
}
mac = chunk_skip(data, data.len - bs);
macdata = chunk_cat("mc", header, data);
if (!this->signer_in->verify_signature(this->signer_in, macdata, mac))
{
- DBG1(DBG_IKE, "TLS record MAC verification failed");
+ DBG1(DBG_TLS, "TLS record MAC verification failed");
free(macdata.ptr);
return FAILED;
}
{ /* TLSv1.1 uses random IVs, prepended to record */
if (!this->rng)
{
- DBG1(DBG_IKE, "no RNG supported to generate TLS IV");
+ DBG1(DBG_TLS, "no RNG supported to generate TLS IV");
free(data->ptr);
return FAILED;
}
{
if (this->buf.len < 1)
{
- DBG1(DBG_IKE, "%d bytes insufficient to parse uint%d TLS data",
+ DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
this->buf.len, 8);
return FALSE;
}
{
if (this->buf.len < 2)
{
- DBG1(DBG_IKE, "%d bytes insufficient to parse uint%d TLS data",
+ DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
this->buf.len, 16);
return FALSE;
}
{
if (this->buf.len < 3)
{
- DBG1(DBG_IKE, "%d bytes insufficient to parse uint%d TLS data",
+ DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
this->buf.len, 24);
return FALSE;
}
{
if (this->buf.len < 4)
{
- DBG1(DBG_IKE, "%d bytes insufficient to parse uint%d TLS data",
+ DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
this->buf.len, 32);
return FALSE;
}
{
if (this->buf.len < len)
{
- DBG1(DBG_IKE, "%d bytes insufficient to parse %d bytes TLS data",
+ DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data",
this->buf.len, len);
return FALSE;
}
!reader->read_data8(reader, &compression) ||
(reader->remaining(reader) && !reader->read_data16(reader, &ext)))
{
- DBG1(DBG_IKE, "received invalid ClientHello");
+ DBG1(DBG_TLS, "received invalid ClientHello");
return FAILED;
}
count = ciphers.len / sizeof(u_int16_t);
suites = alloca(count * sizeof(tls_cipher_suite_t));
- DBG2(DBG_IKE, "received %d TLS cipher suites:", count);
+ DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
for (i = 0; i < count; i++)
{
suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
- DBG2(DBG_IKE, " %N", tls_cipher_suite_names, suites[i]);
+ DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i]);
}
this->suite = this->crypto->select_cipher_suite(this->crypto, suites, count);
if (!this->suite)
{
- DBG1(DBG_IKE, "received cipher suites inacceptable");
+ DBG1(DBG_TLS, "received cipher suites inacceptable");
return FAILED;
}
- DBG1(DBG_IKE, "negotiated TLS version %N with suite %N",
+ DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
tls_version_names, version, tls_cipher_suite_names, this->suite);
this->state = STATE_HELLO_RECEIVED;
return NEED_MORE;
{
this->peer_auth->add(this->peer_auth,
AUTH_HELPER_SUBJECT_CERT, cert);
- DBG1(DBG_IKE, "received TLS peer certificate '%Y'",
+ DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
cert->get_subject(cert));
first = FALSE;
}
else
{
- DBG1(DBG_IKE, "received TLS intermediate certificate '%Y'",
+ DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
cert->get_subject(cert));
this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
}
}
else
{
- DBG1(DBG_IKE, "parsing TLS certificate failed, skipped");
+ DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
}
}
certs->destroy(certs);
if (!reader->read_data16(reader, &encrypted))
{
- DBG1(DBG_IKE, "received invalid Client Key Exchange");
+ DBG1(DBG_TLS, "received invalid Client Key Exchange");
return FAILED;
}
!this->private->decrypt(this->private, ENCRYPT_RSA_PKCS1,
encrypted, &premaster))
{
- DBG1(DBG_IKE, "decrypting Client Key Exchange data failed");
+ DBG1(DBG_TLS, "decrypting Client Key Exchange data failed");
return FAILED;
}
this->crypto->derive_secrets(this->crypto, premaster,
{
break;
}
- DBG1(DBG_IKE, "signature verification failed, trying another key");
+ DBG1(DBG_TLS, "signature verification failed, trying another key");
}
enumerator->destroy(enumerator);
if (!verified)
{
- DBG1(DBG_IKE, "no trusted certificate found for '%Y' to verify TLS peer",
+ DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
this->peer);
return FAILED;
}
if (!reader->read_data(reader, sizeof(buf), &received))
{
- DBG1(DBG_IKE, "received client finished too short");
+ DBG1(DBG_TLS, "received client finished too short");
return FAILED;
}
if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
{
- DBG1(DBG_IKE, "calculating client finished failed");
+ DBG1(DBG_TLS, "calculating client finished failed");
return FAILED;
}
if (!chunk_equals(received, chunk_from_thing(buf)))
{
- DBG1(DBG_IKE, "received client finished invalid");
+ DBG1(DBG_TLS, "received client finished invalid");
return FAILED;
}
expected = TLS_FINISHED;
break;
default:
- DBG1(DBG_IKE, "TLS %N not expected in current state",
+ DBG1(DBG_TLS, "TLS %N not expected in current state",
tls_handshake_type_names, type);
return FAILED;
}
- DBG1(DBG_IKE, "TLS %N expected, but received %N",
+ DBG1(DBG_TLS, "TLS %N expected, but received %N",
tls_handshake_type_names, expected, tls_handshake_type_names, type);
return FAILED;
}
writer->write_data8(writer, chunk_empty);
/* add selected TLS cipher suite */
- DBG2(DBG_IKE, "sending TLS cipher suite: %N",
+ DBG2(DBG_TLS, "sending TLS cipher suite: %N",
tls_cipher_suite_names, this->suite);
writer->write_uint16(writer, this->suite);
KEY_ANY, this->server, this->server_auth);
if (!this->private)
{
- DBG1(DBG_IKE, "no TLS server certificate found for '%Y'", this->server);
+ DBG1(DBG_TLS, "no TLS server certificate found for '%Y'", this->server);
return FAILED;
}
{
if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
{
- DBG1(DBG_IKE, "sending TLS server certificate '%Y'",
+ DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
cert->get_subject(cert));
certs->write_data24(certs, data);
free(data.ptr);
{
if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
{
- DBG1(DBG_IKE, "sending TLS intermediate certificate '%Y'",
+ DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
cert->get_subject(cert));
certs->write_data24(certs, data);
free(data.ptr);
if (x509->get_flags(x509) & X509_CA)
{
id = cert->get_subject(cert);
- DBG1(DBG_IKE, "sending TLS cert request for '%Y'", id);
+ DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
authorities->write_data16(authorities, id->get_encoding(id));
}
}
if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
{
- DBG1(DBG_IKE, "calculating server finished data failed");
+ DBG1(DBG_TLS, "calculating server finished data failed");
return FAILED;
}
projects / thirdparty / strongswan.git / commitdiff
