[git] NTBTLS - branch, master, updated. b5cbe683800f431737fa47d96edd9e5bdbeb374b
by Werner Koch
cvs at cvs.gnupg.org
Fri Jan 27 17:09:05 CET 2017
The branch, master has been updated
via b5cbe683800f431737fa47d96edd9e5bdbeb374b (commit)
from af472e2554bf8b8ed0c3387a7625a65792e85ffb (commit)
- Log -----------------------------------------------------------------
commit b5cbe683800f431737fa47d96edd9e5bdbeb374b
Author: Werner Koch <wk at gnupg.org>
Date: Fri Jan 27 17:06:29 2017 +0100
In debug mode write some information about the certificates.
* src/debug.c (_ntbtls_debug_msg): Add hack to not print the final LF.
(_ntbtls_debug_crt): New.
* src/util.h (debug_crt): New macro.
* src/x509.c (x509_log_serial, x509_log_time): New.
(_ntbtls_x509_log_cert): New.
* src/protocol-cli.c (read_server_hello): Tweak debug levels.
* src/protocol.c (_ntbtls_read_certificate): Call debug_crt.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/src/debug.c b/src/debug.c
index e5fc2b0..7772eda 100644
--- a/src/debug.c
+++ b/src/debug.c
@@ -50,24 +50,32 @@ _ntbtls_set_debug (int level, const char *prefix, gpgrt_stream_t stream)
-/* FIXME: For now we print to stderr. */
+/* FIXME: For now we print to stderr. Note that a LEVEL of -1 will
+ * always print even when debugging has not been enabled. */
void
_ntbtls_debug_msg (int level, const char *format, ...)
{
va_list arg_ptr;
int saved_errno;
+ int no_lf;
- if (!debug_level || level > debug_level)
+ if (level != -1 && (!debug_level || level > debug_level))
return;
+ if ((no_lf = (*format == '\b')))
+ format++;
+
saved_errno = errno;
va_start (arg_ptr, format);
gpgrt_fputs ("ntbtls: ", es_stderr);
gpgrt_vfprintf (es_stderr, format, arg_ptr);
- if (*format && format[strlen(format)-1] != '\n')
+ if (no_lf)
+ gpgrt_fflush (es_stderr); /* To sync with stderr. */
+ else if (*format && format[strlen(format)-1] != '\n')
gpgrt_fputc ('\n', es_stderr);
va_end (arg_ptr);
gpg_err_set_errno (saved_errno);
+
}
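Review bot: The comment above `_ntbtls_debug_msg` documents the new -1 level but says nothing about the new `\b` prefix convention, which a reader of the x509.c caller that starts its format with `\b` will need to understand. Suggest appending to that comment: `* A FORMAT starting with '\b' suppresses the trailing LF and flushes the stream so that a following write can continue the same line.` Naming the two sentinels, e.g. `#define DBG_ALWAYS (-1)`, would also keep callers from sprinkling bare -1 and '\b' literals around.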
@@ -128,3 +136,13 @@ _ntbtls_debug_sxp (int level, const char *text, gcry_sexp_t a)
gcry_log_debugsxp (text, a);
}
+
+
+void
+_ntbtls_debug_crt (int level, const char *text, x509_cert_t chain)
+{
+ if (!debug_level || level > debug_level)
+ return;
+
+ _ntbtls_x509_log_cert (text, chain, (debug_level > 1));
+}
diff --git a/src/ntbtls-int.h b/src/ntbtls-int.h
index 246294d..cfc5e72 100644
--- a/src/ntbtls-int.h
+++ b/src/ntbtls-int.h
@@ -372,6 +372,7 @@ gpg_error_t _ntbtls_x509_cert_new (x509_cert_t *r_cert);
void _ntbtls_x509_cert_release (x509_cert_t crt);
gpg_error_t _ntbtls_x509_append_cert (x509_cert_t cert,
const void *der, size_t derlen);
+void _ntbtls_x509_log_cert (const char *text, x509_cert_t chain, int full);
const unsigned char *_ntbtls_x509_get_cert (x509_cert_t cert, int idx,
size_t *r_derlen);
gpg_error_t _ntbtls_x509_get_pk (x509_cert_t cert, int idx, gcry_sexp_t *r_pk);
diff --git a/src/protocol-cli.c b/src/protocol-cli.c
index 787f11f..d341833 100644
--- a/src/protocol-cli.c
+++ b/src/protocol-cli.c
@@ -794,7 +794,7 @@ read_server_hello (ntbtls_t tls)
return gpg_error (GPG_ERR_UNEXPECTED_MSG);
}
- debug_msg (3, "server_hello, chosen version: [%d:%d]", buf[4], buf[5]);
+ debug_msg (1, "server_hello, chosen version: [%d:%d]", buf[4], buf[5]);
if (tls->in_hslen < 42
|| buf[0] != TLS_HS_SERVER_HELLO
@@ -910,7 +910,8 @@ read_server_hello (ntbtls_t tls)
debug_msg (3, "%s session has been resumed",
tls->handshake->resume ? "a" : "no");
- debug_msg (3, "server_hello, chosen ciphersuite: %d", suite_id);
+ debug_msg (1, "server_hello, chosen ciphersuite: %d (%s)",
+ suite_id, _ntbtls_ciphersuite_get_name (suite_id));
debug_msg (3, "server_hello, compress alg.: %d", buf[41 + n]);
/* Check that we support the cipher suite. */
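Review bot: `_ntbtls_ciphersuite_get_name (suite_id)` is evaluated for the `%s` argument before the "Check that we support the cipher suite" step that follows, so `suite_id` is still whatever the server sent; if the lookup returns NULL for an id it does not know, this formats a NULL string. Cheap to make robust with a local `const char *name = _ntbtls_ciphersuite_get_name (suite_id);` and `name ? name : "unknown"` in the call. Whether the helper can return NULL is not visible in this hunk.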
@@ -953,7 +954,7 @@ read_server_hello (ntbtls_t tls)
switch (ext_id)
{
case TLS_EXT_RENEGOTIATION_INFO:
- debug_msg (3, "found renegotiation extension");
+ debug_msg (2, "found renegotiation extension");
renegotiation_info_seen = 1;
err = parse_renegotiation_info (tls, ext + 4, ext_size);
if (err)
@@ -961,42 +962,42 @@ read_server_hello (ntbtls_t tls)
break;
case TLS_EXT_MAX_FRAGMENT_LENGTH:
- debug_msg (3, "found max_fragment_length extension");
+ debug_msg (2, "found max_fragment_length extension");
err = parse_max_fragment_length_ext (tls, ext + 4, ext_size);
if (err)
return err;
break;
case TLS_EXT_TRUNCATED_HMAC:
- debug_msg (3, "found truncated_hmac extension");
+ debug_msg (2, "found truncated_hmac extension");
err = parse_truncated_hmac_ext (tls, ext + 4, ext_size);
if (err)
return err;
break;
case TLS_EXT_SESSION_TICKET:
- debug_msg (3, "found session_ticket extension");
+ debug_msg (2, "found session_ticket extension");
err = parse_session_ticket_ext (tls, ext + 4, ext_size);
if (err)
return err;
break;
case TLS_EXT_SUPPORTED_POINT_FORMATS:
- debug_msg (3, "found supported_point_formats extension");
+ debug_msg (2, "found supported_point_formats extension");
err = parse_supported_point_formats_ext (tls, ext + 4, ext_size);
if (err)
return err;
break;
case TLS_EXT_ALPN:
- debug_msg (3, "found alpn extension");
+ debug_msg (2, "found alpn extension");
err = parse_alpn_ext (tls, ext + 4, ext_size);
if (err)
return err;
break;
default:
- debug_msg (3, "unknown extension found: %d (ignoring)", ext_id);
+ debug_msg (2, "unknown extension found: %d (ignoring)", ext_id);
break;
}
diff --git a/src/protocol.c b/src/protocol.c
index f616bca..d46238d 100644
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -1874,7 +1874,7 @@ _ntbtls_read_certificate (ntbtls_t tls)
return 0;
}
- debug_msg (2, "read certificate");
+ debug_msg (3, "read certificate");
err = _ntbtls_read_record (tls);
if (err)
@@ -1966,7 +1966,7 @@ _ntbtls_read_certificate (ntbtls_t tls)
i += n;
}
- //FIXME: debug_crt (3, "peer certificate", tls->session_negotiate->peer_chain);
+ debug_crt (1, "peer certificate", tls->session_negotiate->peer_chain);
/*
* On client, make sure the server cert doesn't change during renego to
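Review bot: The new `debug_crt (1, ...)` call sits right after the loop that appears to assemble the chain, and the following context suggests the renegotiation comparison (and presumably verification) comes later, so the subject and issuer names logged here are still unverified peer data. That is fine for a debug aid, but a one-line comment keeps the log from being read as an acceptance record: `/* Debug only: the chain has not been verified at this point. */`. `_ntbtls_read_certificate` continues outside the hunk.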
diff --git a/src/util.h b/src/util.h
index 1c470b0..9e49111 100644
--- a/src/util.h
+++ b/src/util.h
@@ -103,6 +103,7 @@ void _ntbtls_debug_bug (const char *file, int line);
void _ntbtls_debug_ret (int level, const char *name, gpg_error_t err);
void _ntbtls_debug_mpi (int level, const char *text, gcry_mpi_t a);
void _ntbtls_debug_sxp (int level, const char *text, gcry_sexp_t a);
+void _ntbtls_debug_crt (int level, const char *text, x509_cert_t chain);
#define debug_msg _ntbtls_debug_msg
#define debug_buf(a,b,c,d) _ntbtls_debug_buf ((a),(b),(c),(d))
@@ -110,6 +111,7 @@ void _ntbtls_debug_sxp (int level, const char *text, gcry_sexp_t a);
#define debug_ret(l,n,e) _ntbtls_debug_ret ((l),(n),(e))
#define debug_mpi(l,t,a) _ntbtls_debug_mpi ((l),(t),(a))
#define debug_sxp(l,t,a) _ntbtls_debug_sxp ((l),(t),(a))
+#define debug_crt(l,t,a) _ntbtls_debug_crt ((l),(t),(a))
diff --git a/src/x509.c b/src/x509.c
index 595839d..6cf8f57 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -126,6 +126,98 @@ _ntbtls_x509_append_cert (x509_cert_t cert, const void *der, size_t derlen)
}
+static void
+x509_log_serial (const char *text, ksba_sexp_t sn)
+{
+ const char *p = (const char *)sn;
+ unsigned long n;
+ char *endp;
+
+ if (!p)
+ _ntbtls_debug_msg (-1, "%s: none", text);
+ else if (*p != '(')
+ _ntbtls_debug_msg (-1, "%s: [Internal error - not an S-expression]", text);
+ else
+ {
+ p++;
+ n = strtoul (p, &endp, 10);
+ p = endp;
+ if (*p++ != ':')
+ _ntbtls_debug_msg (-1, "%s: [Internal error - invalid S-expression]",
+ text);
+ else
+ {
+ _ntbtls_debug_msg (-1, "\b%s: ", text);
+ gcry_log_debughex ("", p, n);
+ }
+ }
+}
+
+
+static void
+x509_log_time (const char *text, ksba_isotime_t t)
+{
+ if (!t || !*t)
+ _ntbtls_debug_msg (-1, "%s: none", text);
+ else
+ _ntbtls_debug_msg (-1, "%s: %.4s-%.2s-%.2s %.2s:%.2s:%s",
+ text, t, t+4, t+6, t+9, t+11, t+13);
+}
+
+
+void
+_ntbtls_x509_log_cert (const char *text, x509_cert_t chain_arg, int full)
+{
+ gpg_error_t err;
+ x509_cert_t chain;
+ ksba_cert_t cert;
+ ksba_sexp_t sexp;
+ int idx;
+ char *dn;
+ ksba_isotime_t t;
+ const char *oid;
+
+ for (idx=0, chain= chain_arg; chain && (cert = chain->crt);
+ chain = chain->next)
+ idx++;
+
+ _ntbtls_debug_msg (-1, "%s: chain length=%d", text, idx);
+ for (chain = chain_arg; full && chain && (cert = chain->crt);
+ chain = chain->next)
+ {
+ sexp = ksba_cert_get_serial (cert);
+ x509_log_serial (" serial", sexp);
+ ksba_free (sexp);
+
+ for (idx = 0; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
+ {
+ if (!idx)
+ _ntbtls_debug_msg (-1, " issuer: %s\n", dn);
+ else
+ _ntbtls_debug_msg (-1, " aka: %s\n", dn);
+ ksba_free (dn);
+ }
+
+ for (idx = 0; (dn = ksba_cert_get_subject (cert, idx)); idx++)
+ {
+ if (!idx)
+ _ntbtls_debug_msg (-1, " subject: %s\n", dn);
+ else
+ _ntbtls_debug_msg (-1, " aka: %s\n", dn);
+ ksba_free (dn);
+ }
+
+ ksba_cert_get_validity (cert, 0, t);
+ x509_log_time (" notBefore", t);
+ ksba_cert_get_validity (cert, 1, t);
+ x509_log_time (" notAfter", t);
+
+ oid = ksba_cert_get_digest_algo (cert);
+ _ntbtls_debug_msg (-1, " hashAlgo: %s", oid);
+ }
+}
+
+
/* Return a pointer to the DER encoding of the certificate and store
its length at R_DERLEN. IDX is the requested number of the
certificate; ie. IDX of 0 return the first certificate stored
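Review bot: The ` hashAlgo:` line at the end of `_ntbtls_x509_log_cert` passes the return of `ksba_cert_get_digest_algo` straight to `%s`, whereas `x509_log_serial` above guards its argument against NULL; if the accessor can return NULL for a certificate it cannot interpret, `_ntbtls_debug_msg (-1, " hashAlgo: %s", oid ? oid : "none");` keeps the two consistent and avoids a NULL `%s`. The two `ksba_cert_get_validity` calls likewise discard their error return while `t` is declared uninitialised, so unless libksba clears the buffer on failure `x509_log_time` would format stack garbage; `if (ksba_cert_get_validity (cert, 0, t)) *t = 0;` (and the same for index 1) routes failures to the existing `none` branch. Every message in this function is emitted at level -1, so it prints regardless of the debug setting and relies entirely on the gate in `_ntbtls_debug_crt`; a comment such as `/* Prints unconditionally; callers must check the debug level first. */` above it would make that contract explicit. Note also that the subject and issuer strings come from the peer's chain, so everything printed here is untrusted input.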
-----------------------------------------------------------------------
Summary of changes:
src/debug.c | 24 ++++++++++++--
src/ntbtls-int.h | 1 +
src/protocol-cli.c | 19 +++++------
src/protocol.c | 4 +--
src/util.h | 2 ++
src/x509.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 128 insertions(+), 14 deletions(-)