author | tobhe <tobhe@cvs.openbsd.org> | 2020-09-01 08:38:43 +0000 |
---|---|---|
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-09-01 08:38:43 +0000 |
commit | 156bfbca4b51c5adac739235f9ff684221ff2f96 (patch) | |
tree | 5026001843de46aee1bb483a3020f0d6e71046a2 /sbin/iked | |
parent | 1488e02029bb9c1efcc16e0282a4b5a8a20c65fe (diff) |
Make OCSP response status logging less verbose.
Diffstat (limited to 'sbin/iked')
-rw-r--r-- | sbin/iked/ocsp.c | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/sbin/iked/ocsp.c b/sbin/iked/ocsp.c
index d37372247b1..2baa3ca1181 100644
--- a/sbin/iked/ocsp.c
+++ b/sbin/iked/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.16 2020/08/31 21:05:49 tobhe Exp $ */
+/* $OpenBSD: ocsp.c,v 1.17 2020/09/01 08:38:42 tobhe Exp $ */
 
 /*
  * Copyright (c) 2014 Markus Friedl
@@ -489,29 +489,31 @@ ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp)
 	STACK_OF(X509) *verify_other = NULL;
 	OCSP_BASICRESP *bs = NULL;
 	ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
-	int reason = 0, error = 1, verify_flags = 0;
+	const char *errstr;
+	int reason = 0, valid = 0, verify_flags = 0;
 	int status;
 
 	if (!resp) {
-		log_warnx("%s: error querying OCSP responder", __func__);
+		errstr = "error querying OCSP responder";
 		goto done;
 	}
 
 	status = OCSP_response_status(resp);
 	if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
-		log_warnx("%s: responder error: %s (%i)\n", __func__,
-		    OCSP_response_status_str(status), status);
+		errstr = OCSP_response_status_str(status);
 		goto done;
 	}
 
 	verify_other = ocsp_load_certs(IKED_OCSP_RESPCERT);
 	verify_flags |= OCSP_TRUSTOTHER;
-	if (!verify_other)
+	if (!verify_other) {
+		errstr = "no verify_other";
 		goto done;
+	}
 
 	bs = OCSP_response_get1_basic(resp);
 	if (!bs) {
-		log_warnx("%s: error parsing response", __func__);
+		errstr = "error parsing response";
 		goto done;
 	}
 
@@ -520,7 +522,7 @@ ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp)
 		if (status == -1)
 			log_warnx("%s: no nonce in response", __func__);
 		else {
-			log_warnx("%s: nonce verify error", __func__);
+			errstr = "nonce verify error";
 			goto done;
 		}
 	}
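Review bot: `const char *errstr;` is declared without an initializer, yet every path that reaches `done:` with `valid` still 0 hands it to the `log_debug("%s: status: %s", __func__, errstr)` added in the later hunk, so any future `goto done` inserted without a preceding assignment would format an indeterminate pointer. All jump sites visible in this and the following hunks do assign it, but `const char *errstr = NULL;` (or a fixed fallback string) makes the cleanup path safe by construction rather than by convention. ocsp_parse_response's signature and the `done:` label are outside this hunk.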
@@ -529,31 +531,34 @@ ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp)
 	status = OCSP_basic_verify(bs, verify_other, store, verify_flags);
 	if (status < 0)
 		status = OCSP_basic_verify(bs, NULL, store, 0);
-	if (status <= 0) {
 		ca_sslerror(__func__);
-		log_warnx("%s: response verify failure", __func__);
+		errstr = "response verify failure";
 		goto done;
-	} else
-		log_debug("%s: response verify ok", __func__);
+	}
+	log_debug("%s: response verify ok", __func__);
 
 	if (!OCSP_resp_find_status(bs, ocsp->ocsp_id, &status, &reason,
 	    &rev, &thisupd, &nextupd)) {
-		log_warnx("%s: no status found", __func__);
+		errstr = "no status found";
 		goto done;
 	}
 
 	if (env->sc_ocsp_tolerate && !OCSP_check_validity(thisupd, nextupd,
 	    env->sc_ocsp_tolerate, env->sc_ocsp_maxage)) {
-		log_warnx("%s: status times invalid", __func__);
 		ca_sslerror(__func__);
+		errstr = "status times invalid";
 		goto done;
 	}
 
-	log_debug("%s: status: %s", __func__, OCSP_cert_status_str(status));
-	if (status == V_OCSP_CERTSTATUS_GOOD)
-		error = 0;
-
+	errstr = OCSP_cert_status_str(status);
+	if (status == V_OCSP_CERTSTATUS_GOOD) {
+		log_debug("%s: status: %s", __func__, errstr);
+		valid = 1;
+	}
 done:
+	if (!valid) {
+		log_debug("%s: status: %s", __func__, errstr);
+	}
 	if (store)
 		X509_STORE_free(store);
 	if (verify_other)
@@ -563,7 +568,7 @@ ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp)
 	if (bs)
 		OCSP_BASICRESP_free(bs);
 
-	ocsp_validate_finish(ocsp, error == 0);
+	ocsp_validate_finish(ocsp, valid);
 }
 
 /*
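Review bot: The `if (status <= 0) {` line preceding `ca_sslerror(__func__);` is removed in this hunk with no replacement on the new side, which leaves `ca_sslerror`, `errstr = "response verify failure";` and `goto done;` unconditional and the following `}` unmatched, so the new file should not compile. The hunk header's -31/+34 counts agree with that line being deleted, so this does not look like a rendering artefact; the fix is to keep `if (status <= 0) {` as an unchanged line before `ca_sslerror(__func__);`. Separately, signature-verification failures, invalid validity times and non-good certificate statuses that were previously `log_warnx` are now emitted only through the `log_debug` in the `done:` block, so a revoked certificate or a failed response verification leaves no trace at the default log level; worth confirming that is the intended trade-off of the verbosity reduction.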