[Pvfs2-cvs] commit by nlmills in pvfs2/src/common/security: pint-security.c

CVS commit program cvs at parl.clemson.edu
Thu Dec 4 17:23:01 EST 2008


Update of /anoncvs/pvfs2/src/common/security
In directory parlweb1:/tmp/cvs-serv16526/src/common/security

Modified Files:
      Tag: cu-security-branch
	pint-security.c 
Log Message:
bug fixes and error reporting


Index: pint-security.c
===================================================================
RCS file: /anoncvs/pvfs2/src/common/security/Attic/pint-security.c,v
diff -p -u -r1.1.2.52 -r1.1.2.53
--- pint-security.c	4 Dec 2008 03:18:34 -0000	1.1.2.52
+++ pint-security.c	4 Dec 2008 22:23:00 -0000	1.1.2.53
@@ -361,6 +361,7 @@ int PINT_verify_certificate(const char *
     EVP_PKEY *pkey;
     EVP_MD_CTX mdctx;
     const EVP_MD *md;
+    unsigned long err;
     int ret;
 
     if (!certstr || !signature || (sig_size == 0))
@@ -373,14 +374,20 @@ int PINT_verify_certificate(const char *
     certbio = BIO_new_mem_buf((char*)certstr, -1);
     if (!certbio)
     {
-        /* TODO: log error message */
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         return -PVFS_EINVAL;
     }
 
     cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
     if (!cert)
     {
-        /* TODO: log error message */
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         return -PVFS_EINVAL;
     }
     BIO_vfree(certbio);
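Review bot: The `!cert` branch returns without releasing `certbio`; `BIO_vfree(certbio)` is only reached on the success path, so every malformed or rejected PEM input leaks a BIO — add `BIO_vfree(certbio);` before that `return -PVFS_EINVAL;`. Separately, `ERR_func_error_string()` and `ERR_reason_error_string()` return NULL when the error queue is empty (`ERR_get_error()` gives 0) or the code is unknown, and passing NULL to `%s` is undefined behaviour; a fixed-buffer form avoids that: `char ebuf[256]; ERR_error_string_n(err, ebuf, sizeof ebuf); gossip_debug(GOSSIP_SECURITY_DEBUG, "%s\n", ebuf);`. The same two-string pattern recurs in the later hunks of PINT_verify_certificate (the X509_STORE_CTX, X509_verify_cert, EVP_Verify* and final-check hunks), so the fix applies there too. PINT_verify_certificate begins and ends outside this hunk.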
@@ -388,15 +395,21 @@ int PINT_verify_certificate(const char *
     store_ctx = X509_STORE_CTX_new();
     if (!store_ctx)
     {
-        /* TODO: log error message */
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         X509_free(cert);
-        return -PVFS_EINVAL;
+        return -PVFS_ENOMEM;
     }
     /* XXX: previous versions did not return a value */
     ret = X509_STORE_CTX_init(store_ctx, security_store, cert, NULL);
     if (!ret)
     {
-        /* TODO: log error message */
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         X509_STORE_CTX_free(store_ctx);
         X509_free(cert);
         return -PVFS_EINVAL;
@@ -405,19 +418,29 @@ int PINT_verify_certificate(const char *
 
     ret = X509_verify_cert(store_ctx);
     X509_STORE_CTX_free(store_ctx);
-    if (ret <= 0)
+    if (ret == 0)
     {
-        /* TODO: log error message */
-        X509_free(cert);
         return -PVFS_EPERM;
     }
+    else if (ret < 0)
+    {
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
+        X509_free(cert);
+        return -PVFS_EINVAL;
+    }
 
     /* TODO: ensure ref counting keeps key from being freed with cert */
     pkey = X509_get_pubkey(cert);
     X509_free(cert);
     if (!pkey)
     {
-        /* TODO: log error message */
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         return -PVFS_EINVAL;
     }
 
@@ -436,14 +459,20 @@ int PINT_verify_certificate(const char *
     ret = EVP_VerifyInit_ex(&mdctx, md, NULL);
     if (!ret)
     {
-        /* TODO: log error message */
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         return -PVFS_EINVAL;
     }
    
     ret = EVP_VerifyUpdate(&mdctx, certstr, strlen(certstr));
     if (!ret)
     {
-        /* TODO: log error message */
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         return -PVFS_EINVAL;
     }
 
@@ -452,10 +481,16 @@ int PINT_verify_certificate(const char *
     EVP_PKEY_free(pkey);
     if (ret == 0)
     {
+        gossip_debug(GOSSIP_SECURITY_DEBUG,
+            "Certificate verification error: invalid client signature\n");
         return -PVFS_EPERM;
     }
     else if (ret == -1)
     {
+        err = ERR_get_error();
+        gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
+                     ERR_func_error_string(err),
+                     ERR_reason_error_string(err));
         return -PVFS_EINVAL;
     }
 
@@ -1093,9 +1128,17 @@ static int load_ca_bundle(const char *pa
     return 0;
 }
 
-/* TODO: implement me */
 static int verify_callback(int ok, X509_STORE_CTX *ctx)
 {
+    if (!ok)
+    {
+        int err;
+        err = X509_STORE_CTX_get_error(ctx);
+        gossip_debug(GOSSIP_SECURITY_DEBUG,
+                     "Certificate verification error: %s\n",
+                     X509_verify_cert_error_string(err));
+    }
+
     return ok;
 }
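Review bot: The new log line in verify_callback does not say which certificate in the chain failed, which makes a debug trace of a multi-level chain hard to read; `int depth = X509_STORE_CTX_get_error_depth(ctx);` and a `"Certificate verification error at depth %d: %s\n"` format would pin it down. The function should also carry a short header comment making its contract explicit, e.g. `/* OpenSSL verify callback: logs the failure reason and returns ok unchanged; it must never turn a failed check (ok == 0) into success. */`, since a later edit that "fixes" the return value here would silently disable chain validation.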
 


