From: Nikos Mavrogiannopoulos Date: Sun, 29 Jan 2012 14:52:19 +0000 (+0100) Subject: cleanup a bit the printing information stuff. X-Git-Tag: gnutls_3_0_13~161 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ad12e726d44877303e61a8bd3989aef6cbda2cb4;p=thirdparty%2Fgnutls.git cleanup a bit the printing information stuff. --- diff --git a/src/cli.c b/src/cli.c index 5cb1cd5e00..bfe9851665 100644 --- a/src/cli.c +++ b/src/cli.c @@ -69,7 +69,7 @@ int record_max_size; int fingerprint; int crlf; unsigned int verbose = 0; -extern int print_cert; +int print_cert; #define DEFAULT_CA_FILE "/etc/ssl/certs/ca-certificates.crt" @@ -492,7 +492,7 @@ cert_verify_callback (gnutls_session_t session) cert, 0); if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND) { - print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT); + print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT, 0); fprintf(stderr, "Host %s has never been contacted before and is not in the trusted list.\n", hostname); if (status == 0) fprintf(stderr, "Its certificate is valid for %s.\n", hostname); @@ -503,7 +503,7 @@ cert_verify_callback (gnutls_session_t session) } else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { - print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT); + print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT, 0); fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", hostname); fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n"); if (status == 0) @@ -1092,6 +1092,10 @@ const char* rest = NULL; priorities = OPT_ARG(PRIORITY); } verbose = HAVE_OPT( VERBOSE); + if (verbose) + print_cert = 1; + else + print_cert = HAVE_OPT( PRINT_CERT); if (HAVE_OPT(LIST)) { @@ -1100,7 +1104,6 @@ const char* rest = NULL; } disable_extensions = HAVE_OPT( DISABLE_EXTENSIONS); - print_cert = HAVE_OPT( PRINT_CERT); starttls = HAVE_OPT(STARTTLS); resume = HAVE_OPT(RESUME); rehandshake = HAVE_OPT(REHANDSHAKE); @@ -1243,7 +1246,7 @@ do_handshake (socket_st * socket) if (ret == 0) { /* print some information */ - print_info (socket->session); + print_info (socket->session, print_cert); socket->secure = 1; } else @@ -1455,7 +1458,9 @@ init_global_tls_stuff (void) } -/* Returns: +/* OCSP check for the peer's certificate. Should be called + * only after the certificate list verication is complete. + * Returns: * 0: certificate is revoked * 1: certificate is ok * -1: dunno @@ -1517,7 +1522,7 @@ cert_verify_ocsp (gnutls_session_t session) } /* verify and check the response for revoked cert */ - ret = check_ocsp_response(xcred, &resp); + ret = check_ocsp_response(issuer, &resp); cleanup: if (deinit_issuer) diff --git a/src/common.c b/src/common.c index e5ce3c8957..c98ad04bf2 100644 --- a/src/common.c +++ b/src/common.c @@ -39,7 +39,6 @@ #define SU(x) (x!=NULL?x:"Unknown") -int print_cert; extern int verbose; const char str_unknown[] = "(unknown)"; @@ -106,14 +105,14 @@ print_x509_info_compact (gnutls_session_t session, int flag) } static void -print_x509_info (gnutls_session_t session, int flag) +print_x509_info (gnutls_session_t session, int flag, int print_cert) { gnutls_x509_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0, j; int ret; - if (flag == GNUTLS_CRT_PRINT_COMPACT) + if (flag == GNUTLS_CRT_PRINT_COMPACT && print_cert == 0) return print_x509_info_compact(session, flag); cert_list = gnutls_certificate_get_peers (session, &cert_list_size); @@ -330,7 +329,7 @@ print_openpgp_info_compact (gnutls_session_t session, int flag) } static void -print_openpgp_info (gnutls_session_t session, int flag) +print_openpgp_info (gnutls_session_t session, int flag, int print_cert) { gnutls_openpgp_crt_t crt; @@ -338,7 +337,7 @@ print_openpgp_info (gnutls_session_t session, int flag) unsigned int cert_list_size = 0; int ret; - if (flag == GNUTLS_CRT_PRINT_COMPACT) + if (flag == GNUTLS_CRT_PRINT_COMPACT && print_cert == 0) print_openpgp_info_compact(session, flag); printf (" - Certificate type: OpenPGP\n"); @@ -484,7 +483,7 @@ cert_verify (gnutls_session_t session, const char* hostname) } static void -print_dh_info (gnutls_session_t session, const char *str) +print_dh_info (gnutls_session_t session, const char *str, int print) { printf ("- %sDiffie-Hellman parameters\n", str); printf (" - Using prime: %d bits\n", @@ -494,7 +493,7 @@ print_dh_info (gnutls_session_t session, const char *str) printf (" - Peer's public key: %d bits\n", gnutls_dh_get_peers_public_bits (session)); - if (print_cert) + if (print) { int ret; gnutls_datum_t raw_gen = { NULL, 0 }; @@ -582,7 +581,7 @@ print_ecdh_info (gnutls_session_t session, const char *str) } int -print_info (gnutls_session_t session) +print_info (gnutls_session_t session, int print_cert) { const char *tmp; gnutls_credentials_type_t cred; @@ -607,7 +606,7 @@ print_info (gnutls_session_t session) if (kx == GNUTLS_KX_ANON_ECDH) print_ecdh_info (session, "Anonymous "); else - print_dh_info (session, "Anonymous "); + print_dh_info (session, "Anonymous ", verbose); break; #endif #ifdef ENABLE_SRP @@ -633,7 +632,7 @@ print_info (gnutls_session_t session) printf ("- PSK authentication. Connected as '%s'\n", gnutls_psk_server_get_username (session)); if (kx == GNUTLS_KX_DHE_PSK) - print_dh_info (session, "Ephemeral "); + print_dh_info (session, "Ephemeral ", verbose); if (kx == GNUTLS_KX_ECDHE_PSK) print_ecdh_info (session, "Ephemeral "); break; @@ -655,10 +654,12 @@ print_info (gnutls_session_t session) } } - print_cert_info (session, verbose?GNUTLS_CRT_PRINT_FULL:GNUTLS_CRT_PRINT_COMPACT); + print_cert_info (session, + verbose?GNUTLS_CRT_PRINT_FULL:GNUTLS_CRT_PRINT_COMPACT, + print_cert); if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) - print_dh_info (session, "Ephemeral "); + print_dh_info (session, "Ephemeral ", verbose); else if (kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA) print_ecdh_info (session, "Ephemeral "); @@ -714,7 +715,7 @@ print_info (gnutls_session_t session) } void -print_cert_info (gnutls_session_t session, int flag) +print_cert_info (gnutls_session_t session, int flag, int print_cert) { if (gnutls_certificate_client_get_request_status (session) != 0) @@ -723,11 +724,11 @@ print_cert_info (gnutls_session_t session, int flag) switch (gnutls_certificate_type_get (session)) { case GNUTLS_CRT_X509: - print_x509_info (session, flag); + print_x509_info (session, flag, print_cert); break; #ifdef ENABLE_OPENPGP case GNUTLS_CRT_OPENPGP: - print_openpgp_info (session, flag); + print_openpgp_info (session, flag, print_cert); break; #endif default: diff --git a/src/common.h b/src/common.h index c2e2dadd95..1e6ca3735e 100644 --- a/src/common.h +++ b/src/common.h @@ -49,8 +49,8 @@ extern const char str_unknown[]; -int print_info (gnutls_session_t state); -void print_cert_info (gnutls_session_t, int flag); +int print_info (gnutls_session_t state, int print_cert); +void print_cert_info (gnutls_session_t, int flag, int print_cert); void print_list (const char* priorities, int verbose); int cert_verify (gnutls_session_t session, const char* hostname); diff --git a/src/ocsptool-common.c b/src/ocsptool-common.c index b52c35316b..d74e5534d3 100644 --- a/src/ocsptool-common.c +++ b/src/ocsptool-common.c @@ -307,13 +307,13 @@ print_ocsp_verify_res (unsigned int output) * -1: dunno */ int -check_ocsp_response (gnutls_certificate_credentials xcred, - gnutls_datum_t *data) +check_ocsp_response (gnutls_x509_crt_t issuer, + gnutls_datum_t *data) { gnutls_ocsp_resp_t resp; int ret; unsigned int status, cert_status; - time_t rtime; + time_t rtime, ttime; ret = gnutls_ocsp_resp_init (&resp); if (ret < 0) @@ -323,15 +323,18 @@ check_ocsp_response (gnutls_certificate_credentials xcred, if (ret < 0) error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret)); - ret = gnutls_ocsp_resp_verify_cred (resp, xcred, &status, 0); + ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0); if (ret < 0) - error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s", - gnutls_strerror (ret)); + error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify_direct: %s", + gnutls_strerror (ret)); + + if (status != 0) + { + printf ("*** Verifying OCSP Response: "); + print_ocsp_verify_res (status); + printf (".\n"); + } - printf ("Verifying OCSP Response: "); - print_ocsp_verify_res (status); - printf (".\n"); - /* do not print revocation data if response was not verified */ if (status != 0) { @@ -340,17 +343,18 @@ check_ocsp_response (gnutls_certificate_credentials xcred, } ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, - &cert_status, NULL, NULL, &rtime, NULL); + &cert_status, &ttime, NULL, &rtime, NULL); if (ret < 0) error (EXIT_FAILURE, 0, "reading response: %s", gnutls_strerror (ret)); if (cert_status == GNUTLS_OCSP_CERT_REVOKED) { - printf("Certificate was revoked at %s\n", ctime(&rtime)); + printf("*** Certificate was revoked at %s", ctime(&rtime)); ret = 0; goto cleanup; } + printf("- OCSP server flags certificate not revoked as of %s", ctime(&ttime)); ret = 1; cleanup: gnutls_ocsp_resp_deinit (resp); diff --git a/src/ocsptool-common.h b/src/ocsptool-common.h index ec17cfd399..455b5640f5 100644 --- a/src/ocsptool-common.h +++ b/src/ocsptool-common.h @@ -43,7 +43,6 @@ void print_ocsp_verify_res (unsigned int output); int -check_ocsp_response (gnutls_certificate_credentials xcred, - gnutls_datum_t *data); +check_ocsp_response (gnutls_x509_crt_t issuer, gnutls_datum_t *data); #endif diff --git a/src/ocsptool.c b/src/ocsptool.c index 93c9c14d9e..295fcd5aa5 100644 --- a/src/ocsptool.c +++ b/src/ocsptool.c @@ -226,7 +226,7 @@ _verify_response (gnutls_datum_t *data) if (ret < 0) error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret)); - if (!HAVE_OPT(LOAD_SIGNER) && HAVE_OPT(LOAD_TRUST)) + if (HAVE_OPT(LOAD_TRUST)) { dat.data = (void*)read_binary_file (OPT_ARG(LOAD_TRUST), &size); if (dat.data == NULL) @@ -244,10 +244,10 @@ _verify_response (gnutls_datum_t *data) error (EXIT_FAILURE, 0, "error parsing CAs: %s", gnutls_strerror (ret)); -#if 0 if (HAVE_OPT(VERBOSE)) { unsigned int i; + printf ("Trust anchors:\n"); for (i = 0; i < x509_ncas; i++) { gnutls_datum_t out; @@ -258,11 +258,11 @@ _verify_response (gnutls_datum_t *data) error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s", gnutls_strerror (ret)); - printf ("Trust anchor %d: %.*s\n", i, out.size, out.data); + printf ("%d: %.*s\n", i, out.size, out.data); gnutls_free (out.data); } + printf("\n"); } -#endif ret = gnutls_x509_trust_list_add_cas (list, x509_ca_list, x509_ncas, 0); if (ret < 0) @@ -272,12 +272,18 @@ _verify_response (gnutls_datum_t *data) if (HAVE_OPT(VERBOSE)) fprintf (stdout, "Loaded %d trust anchors\n", x509_ncas); +{ +FILE* f=fopen("resp.der", "w"); +fwrite(data->data, 1, data->size, f); +fclose(f); +} + ret = gnutls_ocsp_resp_verify (resp, list, &verify, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s", gnutls_strerror (ret)); } - else if (!HAVE_OPT(LOAD_TRUST) && HAVE_OPT(LOAD_SIGNER)) + else if (HAVE_OPT(LOAD_SIGNER)) { ret = gnutls_x509_crt_init (&signer); if (ret < 0) @@ -305,6 +311,7 @@ _verify_response (gnutls_datum_t *data) printf ("Signer: %.*s\n", out.size, out.data); gnutls_free (out.data); + printf("\n"); } ret = gnutls_ocsp_resp_verify_direct (resp, signer, &verify, 0); diff --git a/src/serv.c b/src/serv.c index 88d0be75e2..d2277cb41e 100644 --- a/src/serv.c +++ b/src/serv.c @@ -1309,7 +1309,7 @@ static void tcp_server(const char* name, int port) human_addr ((struct sockaddr *) &client_address, calen, topbuf, sizeof (topbuf))); - print_info (j->tls_session); + print_info (j->tls_session, verbose); cert_verify(j->tls_session, NULL); } j->handshake_ok = 1; @@ -1433,7 +1433,7 @@ static void tcp_server(const char* name, int port) &client_address, calen, topbuf, sizeof (topbuf))); - print_info (j->tls_session); + print_info (j->tls_session, verbose); cert_verify(j->tls_session, NULL); } j->handshake_ok = 1; diff --git a/src/tests.c b/src/tests.c index cbed4680fa..0a327fe75b 100644 --- a/src/tests.c +++ b/src/tests.c @@ -1056,7 +1056,7 @@ test_certificate (gnutls_session_t session) return ret; printf ("\n"); - print_cert_info (session, GNUTLS_CRT_PRINT_FULL); + print_cert_info (session, GNUTLS_CRT_PRINT_FULL, verbose); return TEST_SUCCEED; }