attempt to achieve consistent debugging output
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 19 Mar 2008 12:06:38 +0000 (12:06 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 19 Mar 2008 12:06:38 +0000 (12:06 -0000)
src/charon/credentials/credential_manager.c
src/charon/sa/authenticators/rsa_authenticator.c
src/charon/sa/tasks/ike_auth.c
src/charon/sa/tasks/ike_cert_post.c
src/charon/sa/tasks/ike_cert_pre.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/utils/identification.c

index 6642c19..a3235bd 100644 (file)
@@ -410,11 +410,8 @@ static ocsp_wrapper_t *ocsp_wrapper_create(ocsp_response_t *response)
 static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
                                                                 certificate_t *subject, certificate_t *issuer)
 {
-       certificate_t *request, *response, *issuer_cert;
+       certificate_t *request, *response;
        chunk_t send, receive;
-       identification_t *responder;
-       auth_info_t *auth;
-       ocsp_wrapper_t *wrapper;
        
        /* TODO: requestor name, signature */
        request = lib->creds->create(lib->creds,
@@ -429,6 +426,8 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
        
        send = request->get_encoding(request);
        request->destroy(request);
+
+       DBG1(DBG_CFG, "requesting ocsp response from '%s' ...", url);
        if (lib->fetcher->fetch(lib->fetcher, url, &receive, 
                                                        FETCH_REQUEST_DATA, send,
                                                        FETCH_REQUEST_TYPE, "application/ocsp-request",
@@ -449,29 +448,40 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
                return NULL;
        }
        
-       responder = response->get_issuer(response);
-       auth = auth_info_create();
-       wrapper = ocsp_wrapper_create((ocsp_response_t*)response);
-       this->sets->insert_first(this->sets, wrapper);
-       issuer_cert = get_trusted_cert(this, KEY_ANY, responder, auth, FALSE, FALSE);
-       this->sets->remove(this->sets, wrapper, NULL);
-       free(wrapper);
-       auth->destroy(auth);
-       if (!issuer_cert)
-       {
-               DBG1(DBG_CFG, "  ocsp response untrusted: no signer certificate found");
-               response->destroy(response);
-               return NULL;
-       }
-       if (!response->issued_by(response, issuer_cert, TRUE))
+
+       /* verify the signature of the ocsp response */
        {
-               DBG1(DBG_CFG, "  ocsp response untrusted: bad signature");
-               response->destroy(response);
+               certificate_t *issuer_cert;
+               identification_t *responder;
+               auth_info_t *auth;
+               ocsp_wrapper_t *wrapper;
+               bool ok;
+               auth = auth_info_create();
+               wrapper = ocsp_wrapper_create((ocsp_response_t*)response);
+               this->sets->insert_first(this->sets, wrapper);
+               responder = response->get_issuer(response);
+               issuer_cert = get_trusted_cert(this, KEY_ANY, responder, auth, FALSE, FALSE);
+               this->sets->remove(this->sets, wrapper, NULL);
+               free(wrapper);
+               auth->destroy(auth);
+
+               if (!issuer_cert)
+               {
+                       DBG1(DBG_CFG, "  ocsp response untrusted: no signer certificate found");
+                       response->destroy(response);
+                       return NULL;
+               }
+               ok = response->issued_by(response, issuer_cert, TRUE);
                issuer_cert->destroy(issuer_cert);
-               return NULL;
+               DBG1(DBG_CFG, "  ocsp response is %strusted: %s signature",
+                                                ok ? "":"un", ok ? "good" : "bad");
+               if (ok)
+               {
+                       response->destroy(response);
+                       return NULL;
+               }
        }
-       issuer_cert->destroy(issuer_cert);
-       
        /* TODO: cache response? */
        return response;
 }
@@ -863,7 +873,7 @@ static bool check_certificate(private_credential_manager_t *this,
        }
        if (issuer && !subject->issued_by(subject, issuer, TRUE))
        {
-               DBG1(DBG_CFG, "certificate %D not issued by %D",
+               DBG1(DBG_CFG, "certificate not issued by \"%D\"",
                         subject->get_subject(subject), issuer->get_subject(issuer));
                return FALSE;
        }
@@ -1055,8 +1065,8 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this,
                        public = subject->get_public_key(subject);
                        if (public)
                        {
-                               DBG2(DBG_CFG, "using trusted certificate %D",
-                                        subject->get_subject(subject));
+                               DBG1(DBG_CFG, "  using trusted certificate \"%D\"",
+                                                            subject->get_subject(subject));
                                this->sets->remove(this->sets, wrapper, NULL);
                                free(wrapper);
                                this->mutex->unlock(this->mutex);
@@ -1076,7 +1086,7 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this,
        subject = get_cert(this, CERT_ANY, type, id, FALSE);
        if (!subject)
        {
-               DBG1(DBG_CFG, "no end entity certificate found for %D", id);
+               DBG1(DBG_CFG, "no end entity certificate found for \"%D\"", id);
        }
        else
        {
@@ -1093,7 +1103,7 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this,
                                                                          issuer == subject ? auth2 : NULL) &&
                                        check_certificate(this, candidate, NULL, crl, ocsp, NULL))
                                {
-                                       DBG2(DBG_CFG, "using trusted root CA certificate %D",
+                                       DBG1(DBG_CFG, "  using trusted root ca certificate \"%D\"",
                                                 candidate->get_subject(candidate));
                                        issuer = candidate;
                                        trusted = TRUE;
@@ -1120,13 +1130,13 @@ static certificate_t *get_trusted_cert(private_credential_manager_t *this,
                                {
                                        if (issuer != subject)
                                        {
-                                               DBG2(DBG_CFG, "using intermediate CA certificate %D",
+                                               DBG1(DBG_CFG, "  using intermediate ca certificate \"%D\"",
                                                         candidate->get_subject(candidate));
                                                auth1->add_item(auth1, AUTHZ_IM_CERT, candidate);
                                        }
                                        else
                                        {
-                                               DBG2(DBG_CFG, "using end entity certificate %D",
+                                               DBG1(DBG_CFG, "  using end entity certificate \"%D\"",
                                                         candidate->get_subject(candidate));
                                        }
                                        issuer = candidate;
index becef18..9f34d51 100644 (file)
@@ -81,7 +81,7 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
                 * TODO: allow other hash algorithms and note it in "auth" */
                if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, octets, auth_data))
                {
-                       DBG1(DBG_IKE, "authentication of %D with %N successful",
+                       DBG1(DBG_IKE, "authentication of '%D' with %N successful",
                                                   other_id, auth_method_names, AUTH_RSA);
                        status = SUCCESS;
                }
@@ -89,7 +89,7 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
        }
        else
        {
-               DBG1(DBG_IKE, "no trusted public key found for %D", other_id);
+               DBG1(DBG_IKE, "no trusted public key found for '%D'", other_id);
        }
        chunk_free(&octets);
        return status;
@@ -109,7 +109,7 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
        auth_info_t *auth;
 
        my_id = this->ike_sa->get_my_id(this->ike_sa);
-       DBG1(DBG_IKE, "authentication of %D (myself) with %N",
+       DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
                 my_id, auth_method_names, AUTH_RSA);
        
        auth = this->ike_sa->get_my_auth(this->ike_sa);
@@ -117,7 +117,7 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
                                                                                           my_id, auth);
        if (private == NULL)
        {
-               DBG1(DBG_IKE, "no RSA private key found for %D", my_id);
+               DBG1(DBG_IKE, "no RSA private key found for '%D'", my_id);
                return NOT_FOUND;
        }
        prf = this->ike_sa->get_prf(this->ike_sa);
index 1138204..b96371b 100644 (file)
@@ -187,7 +187,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
 
        if (auth == NULL)
        {
-               SIG(IKE_UP_FAILED, "authentication method %N used by %D not "
+               SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not "
                        "supported", auth_method_names, auth_method,
                        this->ike_sa->get_other_id(this->ike_sa));
                return NOT_SUPPORTED;
@@ -228,7 +228,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
                req = this->ike_sa->get_other_id(this->ike_sa);
                if (!id->matches(id, req))
                {
-                       SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req);
+                       SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
                        id->destroy(id);
                        return FAILED;
                }
@@ -316,12 +316,12 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
        if (!this->initiator)
        {
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-               SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+               SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
                        this->ike_sa->get_name(this->ike_sa),
-                       this->ike_sa->get_my_id(this->ike_sa), 
                        this->ike_sa->get_my_host(this->ike_sa),
-                       this->ike_sa->get_other_host(this->ike_sa),
-                       this->ike_sa->get_other_id(this->ike_sa));
+                       this->ike_sa->get_my_id(this->ike_sa), 
+                       this->ike_sa->get_other_id(this->ike_sa),
+                       this->ike_sa->get_other_host(this->ike_sa));
                return SUCCESS;
        }
        return NEED_MORE;
@@ -362,12 +362,12 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
        if (this->initiator)
        {
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-               SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+               SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
                        this->ike_sa->get_name(this->ike_sa),
-                       this->ike_sa->get_my_id(this->ike_sa), 
                        this->ike_sa->get_my_host(this->ike_sa),
-                       this->ike_sa->get_other_host(this->ike_sa),
-                       this->ike_sa->get_other_id(this->ike_sa));
+                       this->ike_sa->get_my_id(this->ike_sa), 
+                       this->ike_sa->get_other_id(this->ike_sa),
+                       this->ike_sa->get_other_host(this->ike_sa));
                return SUCCESS;
        }
        return NEED_MORE;
@@ -399,7 +399,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
                        return NEED_MORE;
                default:
                        this->eap_payload = NULL;
-                       SIG(IKE_UP_FAILED, "failed to authenticate against %D using EAP",
+                       SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP",
                                this->ike_sa->get_other_id(this->ike_sa));
                        return FAILED;
        }
@@ -562,7 +562,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
        config = this->ike_sa->get_peer_cfg(this->ike_sa);
        if (config == NULL)
        {
-               SIG(IKE_UP_FAILED, "no matching config found for %D...%D",
+               SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'",
                        this->ike_sa->get_my_id(this->ike_sa),
                        this->ike_sa->get_other_id(this->ike_sa));
                message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -580,12 +580,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
        if (this->peer_authenticated)
        {
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-               SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+               SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
                        this->ike_sa->get_name(this->ike_sa),
-                       this->ike_sa->get_my_id(this->ike_sa), 
                        this->ike_sa->get_my_host(this->ike_sa),
-                       this->ike_sa->get_other_host(this->ike_sa),
-                       this->ike_sa->get_other_id(this->ike_sa));
+                       this->ike_sa->get_my_id(this->ike_sa), 
+                       this->ike_sa->get_other_id(this->ike_sa),
+                       this->ike_sa->get_other_host(this->ike_sa));
                return SUCCESS;
        }
        
@@ -688,17 +688,17 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
        auth = this->ike_sa->get_other_auth(this->ike_sa);
        if (!auth->complies(auth, config->get_auth(config)))
        {
-               SIG(IKE_UP_FAILED, "authorization of %D for config %s failed",
+               SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed",
                        this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
                return FAILED;
        }
        this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-       SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D",
+       SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
                this->ike_sa->get_name(this->ike_sa),
-               this->ike_sa->get_my_id(this->ike_sa),
                this->ike_sa->get_my_host(this->ike_sa),
-               this->ike_sa->get_other_host(this->ike_sa),
-               this->ike_sa->get_other_id(this->ike_sa));
+               this->ike_sa->get_my_id(this->ike_sa),
+               this->ike_sa->get_other_id(this->ike_sa),
+               this->ike_sa->get_other_host(this->ike_sa));
        return SUCCESS;
 }
 
index a3cad0b..3ec4cec 100644 (file)
@@ -86,7 +86,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                                {
                                        break;
                                }
-                               DBG1(DBG_IKE, "sending end entity cert %D",
+                               DBG1(DBG_IKE, "sending end entity cert \"%D\"",
                                         cert->get_subject(cert));
                                message->add_payload(message, (payload_t*)payload);
                                
@@ -98,7 +98,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                                                payload = cert_payload_create_from_cert(cert);
                                                if (payload)
                                                {
-                                                       DBG1(DBG_IKE, "sending issuer cert %D",
+                                                       DBG1(DBG_IKE, "sending issuer cert \"%D\"",
                                                                 cert->get_subject(cert));
                                                        message->add_payload(message, (payload_t*)payload);
                                                }
index aa1cfb1..752f94c 100644 (file)
@@ -88,7 +88,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                                                                                CERT_X509, KEY_ANY, id, TRUE);
                                if (cert)
                                {
-                                       DBG1(DBG_IKE, "received cert request for %D",
+                                       DBG1(DBG_IKE, "received cert request for \"%D\"",
                                                 cert->get_subject(cert));
                                        auth->add_item(auth, AUTHN_CA_CERT, cert);
                                        cert->destroy(cert);
@@ -133,14 +133,14 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
                                if (first)
                                {       /* the first certificate MUST be an end entity one */
                                
-                                       DBG1(DBG_IKE, "received end entity cert %D",
+                                       DBG1(DBG_IKE, "received end entity cert \"%D\"",
                                                 cert->get_subject(cert));
                                        auth->add_item(auth, AUTHN_SUBJECT_CERT, cert);
                                        first = FALSE;
                                }
                                else
                                {
-                                       DBG1(DBG_IKE, "received issuer cert %D",
+                                       DBG1(DBG_IKE, "received issuer cert \"%D\"",
                                                 cert->get_subject(cert));
                                        auth->add_item(auth, AUTHN_IM_CERT, cert);
                                }
@@ -184,7 +184,7 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
                        req = *reqp;
                        keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
                        req->add_keyid(req, keyid->get_encoding(keyid));
-                       DBG1(DBG_IKE, "sending cert request for %D",
+                       DBG1(DBG_IKE, "sending cert request for \"%D\"",
                                 cert->get_subject(cert));
                        break;
                }
index 87971f2..565ab82 100644 (file)
@@ -502,19 +502,19 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
                                version = (object.len)? (1 + (u_int)*object.ptr) : 1;
                                if (version != OCSP_BASIC_RESPONSE_VERSION)
                                {
-                                       DBG1("OCSP ResponseData version %d not supported", version);
+                                       DBG1("  ocsp ResponseData version %d not supported", version);
                                        return FALSE;
                                }
                                break;
                        case BASIC_RESPONSE_ID_BY_NAME:
                                this->responderId = identification_create_from_encoding(
                                                                                                        ID_DER_ASN1_DN, object);
-                               DBG3("  %D", this->responderId);
+                               DBG2("  '%D'", this->responderId);
                                break;
                        case BASIC_RESPONSE_ID_BY_KEY:
                                this->responderId = identification_create_from_encoding(
                                                                                                        ID_PUBKEY_INFO_SHA1, object);
-                               DBG3("  %D", this->responderId);
+                               DBG2("  '%D'", this->responderId);
                                break;
                        case BASIC_RESPONSE_PRODUCED_AT:
                                this->producedAt = asn1totime(&object, ASN1_GENERALIZEDTIME);
@@ -527,7 +527,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
                                break;
                        case BASIC_RESPONSE_CRITICAL:
                                critical = object.len && *object.ptr;
-                               DBG3("  %s", critical ? "TRUE" : "FALSE");
+                               DBG2("  %s", critical ? "TRUE" : "FALSE");
                                break;
                        case BASIC_RESPONSE_EXT_VALUE:
                                if (extn_oid == OID_NONCE)
@@ -591,7 +591,7 @@ static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
                                case OCSP_SUCCESSFUL:
                                                break;
                                        default:
-                                               DBG1("OCSP response status: %N",
+                                               DBG1("  ocsp response status: %N",
                                                         ocsp_status_names, status);
                                                return FALSE;
                                }
@@ -605,7 +605,7 @@ static bool parse_OCSPResponse(private_x509_ocsp_response_t *this)
                                        case OID_BASIC:
                                                return parse_basicOCSPResponse(this, object, level+1);
                                        default:
-                                               DBG1("OCSP response type %#B not supported", &object);
+                                               DBG1("  ocsp response type %#B not supported", &object);
                                                return FALSE;
                                }
                                break;
index 948472c..4eead4a 100644 (file)
@@ -934,7 +934,7 @@ static int print(FILE *stream, const struct printf_info *info,
                        snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr);
                        /* TODO: whats returned on failure?*/
                        dntoa(this->encoded, &buf_chunk);
-                       return fprintf(stream, "\"%s\"", buf);
+                       return fprintf(stream, "%s", buf);
                }
                case ID_DER_ASN1_GN:
                        return fprintf(stream, "(ASN.1 general Name");