[Spice-devel] [PATCH spice-common 4/4] Add 'common_ssl' Spice log

marcandre.lureau at redhat.com marcandre.lureau at redhat.com
Mon Jun 12 08:19:54 UTC 2017


From: Marc-André Lureau <marcandre.lureau at redhat.com>

Show usage of a Spice log category.

Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
---
 common/ssl_verify.c | 54 +++++++++++++++++++++++++++--------------------------
 1 file changed, 28 insertions(+), 26 deletions(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 4b963bc..2d1a136 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -33,6 +33,8 @@
 #include <string.h>
 #include <gio/gio.h>
 
+SPICE_LOG_CATEGORY(common_ssl, "SSL verification")
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
 {
@@ -51,36 +53,36 @@ static int verify_pubkey(X509* cert, const char *key, size_t key_size)
         return 0;
 
     if (!cert) {
-        g_debug("warning: no cert!");
+        spice_log(common_ssl, "warning: no cert!");
         return 0;
     }
 
     cert_pubkey = X509_get_pubkey(cert);
     if (!cert_pubkey) {
-        g_debug("warning: reading public key from certificate failed");
+        spice_log(common_ssl, "warning: reading public key from certificate failed");
         goto finish;
     }
 
     bio = BIO_new_mem_buf((void*)key, key_size);
     if (!bio) {
-        g_debug("creating BIO failed");
+        spice_log(common_ssl, "creating BIO failed");
         goto finish;
     }
 
     orig_pubkey = d2i_PUBKEY_bio(bio, NULL);
     if (!orig_pubkey) {
-        g_debug("reading pubkey from bio failed");
+        spice_log(common_ssl, "reading pubkey from bio failed");
         goto finish;
     }
 
     ret = EVP_PKEY_cmp(orig_pubkey, cert_pubkey);
 
     if (ret == 1) {
-        g_debug("public keys match");
+        spice_log(common_ssl, "public keys match");
     } else if (ret == 0) {
-        g_debug("public keys mismatch");
+        spice_log(common_ssl, "public keys mismatch");
     } else {
-        g_debug("public keys types mismatch");
+        spice_log(common_ssl, "public keys types mismatch");
     }
 
 finish:
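Review bot: `ret` still holds the raw EVP_PKEY_cmp result after the logging chain, and the final `else` branch is reached exactly when that result is neither 1 nor 0, i.e. negative for a key-type mismatch or an unsupported comparison. The return statement is outside this hunk, so this is inferred: if verify_pubkey returns `ret` and a caller only tests it for truth, a negative value would be treated like a match. Confirm how the result is consumed, and consider normalising it after the if/else chain with `ret = (ret == 1);` so that only an exact key match is non-zero.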
@@ -162,7 +164,7 @@ static int verify_hostname(X509* cert, const char *hostname)
     g_return_val_if_fail(hostname != NULL, 0);
 
     if (!cert) {
-        g_debug("warning: no cert!");
+        spice_log(common_ssl, "warning: no cert!");
         return 0;
     }
 
@@ -192,7 +194,7 @@ static int verify_hostname(X509* cert, const char *hostname)
                 if (_gnutls_hostname_compare((const char *)ASN1_STRING_get0_data(name->d.dNSName),
                                              ASN1_STRING_length(name->d.dNSName),
                                              hostname)) {
-                    g_debug("alt name match=%s", ASN1_STRING_get0_data(name->d.dNSName));
+                    spice_log(common_ssl, "alt name match=%s", ASN1_STRING_get0_data(name->d.dNSName));
                     GENERAL_NAMES_free(subject_alt_names);
                     return 1;
                 }
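Review bot: The `%s` in the added `spice_log` call prints the dNSName bytes as a C string, although the comparison directly above passes `ASN1_STRING_length` explicitly. These bytes come from the peer's certificate and OpenSSL does not guarantee that ASN1_STRING data is NUL-terminated, so an unbounded `%s` can read past the buffer. Bounding the print matches the comparison: `spice_log(common_ssl, "alt name match=%.*s", ASN1_STRING_length(name->d.dNSName), ASN1_STRING_get0_data(name->d.dNSName));`. The same applies to the `common name match=%s` line in the later verify_hostname hunk. verify_hostname starts and ends outside this hunk.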
@@ -222,7 +224,7 @@ static int verify_hostname(X509* cert, const char *hostname)
                     alt_ip = g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name->d.iPAddress),
                                                            g_inet_address_get_family(ip));
                     alt_ip_string = g_inet_address_to_string(alt_ip);
-                    g_debug("alt name IP match=%s", alt_ip_string);
+                    spice_log(common_ssl, "alt name IP match=%s", alt_ip_string);
 
                     g_free(alt_ip_string);
                     g_object_unref(alt_ip);
@@ -239,7 +241,7 @@ static int verify_hostname(X509* cert, const char *hostname)
     }
 
     if (found_dns_name) {
-        g_debug("warning: SubjectAltName mismatch");
+        spice_log(common_ssl, "warning: SubjectAltName mismatch");
         return 0;
     }
 
@@ -263,7 +265,7 @@ static int verify_hostname(X509* cert, const char *hostname)
             if (_gnutls_hostname_compare((const char*)ASN1_STRING_get0_data(cn_asn1),
                                          ASN1_STRING_length(cn_asn1),
                                          hostname)) {
-                g_debug("common name match=%s", (char*)ASN1_STRING_get0_data(cn_asn1));
+                spice_log(common_ssl, "common name match=%s", (char*)ASN1_STRING_get0_data(cn_asn1));
                 cn_match = 1;
                 break;
             }
@@ -271,7 +273,7 @@ static int verify_hostname(X509* cert, const char *hostname)
     }
 
     if (!cn_match) {
-        g_debug("warning: common name mismatch");
+        spice_log(common_ssl, "warning: common name mismatch");
     }
 
     return cn_match;
@@ -295,7 +297,7 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
     in_subject = X509_NAME_new();
 
     if (!in_subject || !key || !val) {
-        g_debug("failed to allocate");
+        spice_log(common_ssl, "failed to allocate");
         return NULL;
     }
 
@@ -308,7 +310,7 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
         if (*p == '\\') {
             ++p;
             if (*p != '\\' && *p != ',') {
-                g_debug("Invalid character after \\");
+                spice_log(common_ssl, "Invalid character after \\");
                 goto fail;
             }
             escape = 1;
@@ -342,7 +344,7 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
                                                 MBSTRING_UTF8,
                                                 (const unsigned char*)val,
                                                 -1, -1, 0)) {
-                    g_debug("warning: failed to add entry %s=%s to X509_NAME",
+                    spice_log(common_ssl, "warning: failed to add entry %s=%s to X509_NAME",
                                 key, val);
                     goto fail;
                 }
@@ -377,25 +379,25 @@ static int verify_subject(X509* cert, SpiceOpenSSLVerify* verify)
     int in_entries;
 
     if (!cert) {
-        g_debug("warning: no cert!");
+        spice_log(common_ssl, "warning: no cert!");
         return 0;
     }
 
     cert_subject = X509_get_subject_name(cert);
     if (!cert_subject) {
-        g_debug("warning: reading certificate subject failed");
+        spice_log(common_ssl, "warning: reading certificate subject failed");
         return 0;
     }
 
     in_subject = subject_to_x509_name(verify->subject, &in_entries);
     if (!in_subject) {
-        g_debug("warning: no in_subject!");
+        spice_log(common_ssl, "warning: no in_subject!");
         return 0;
     }
 
     /* Note: this check is redundant with the pre-condition in X509_NAME_cmp */
     if (X509_NAME_entry_count(cert_subject) != in_entries) {
-        g_debug("subject mismatch: #entries cert=%d, input=%d",
+        spice_log(common_ssl, "subject mismatch: #entries cert=%d, input=%d",
             X509_NAME_entry_count(cert_subject), in_entries);
         X509_NAME_free(in_subject);
         return 0;
@@ -404,17 +406,17 @@ static int verify_subject(X509* cert, SpiceOpenSSLVerify* verify)
     ret = X509_NAME_cmp(cert_subject, in_subject);
 
     if (ret == 0) {
-        g_debug("subjects match");
+        spice_log(common_ssl, "subjects match");
     } else {
         char *p;
-        g_debug("subjects mismatch");
+        spice_log(common_ssl, "subjects mismatch");
 
         p = X509_NAME_oneline(cert_subject, NULL, 0);
-        g_debug("cert_subject: %s", p);
+        spice_log(common_ssl, "cert_subject: %s", p);
         free(p);
 
         p = X509_NAME_oneline(in_subject, NULL, 0);
-        g_debug("in_subject:   %s", p);
+        spice_log(common_ssl, "in_subject:   %s", p);
         free(p);
     }
     X509_NAME_free(in_subject);
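Review bot: `p` reaches `%s` without a NULL check in both added `spice_log` calls of the mismatch branch, and X509_NAME_oneline returns NULL when it cannot allocate the buffer. A guard such as `spice_log(common_ssl, "cert_subject: %s", p ? p : "(unavailable)");` avoids passing a null pointer to the formatter. Separately, the unchanged lines release the buffer with `free(p)`, whereas OpenSSL documents `OPENSSL_free` for a buffer it allocated; the two differ when custom allocators are installed. verify_subject starts and ends outside this hunk.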
@@ -451,7 +453,7 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
                 return 1;
 
             if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
-                g_debug("server certificate not being signed by the provided CA");
+                spice_log(common_ssl, "server certificate not being signed by the provided CA");
 
             return 0;
         } else
@@ -460,7 +462,7 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
 
     /* depth == 0 */
     if (!cert) {
-        g_debug("failed to get server certificate");
+        spice_log(common_ssl, "failed to get server certificate");
         return 0;
     }
 
-- 
2.13.0.91.g00982b8dd


