diff options
Diffstat (limited to 'debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch')
| -rw-r--r-- | debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch b/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch new file mode 100644 index 0000000..c391244 --- /dev/null +++ b/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch @@ -0,0 +1,110 @@ +From 82ce81ee7ad4a252aed2d6a10ea808ff18a65ffd Mon Sep 17 00:00:00 2001 +From: Ryan Tandy <ryan@nardis.ca> +Date: Sun, 22 Sep 2019 03:08:30 +0000 +Subject: [PATCH] ITS#9086 Add debug logging for more GnuTLS errors + +--- + libraries/libldap/tls_g.c | 56 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 49 insertions(+), 7 deletions(-) + +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index f3b4cd710..249f7e8d5 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -188,9 +188,16 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf ) + { + int rc = -1, fd; + struct stat st; ++ char ebuf[128]; + + fd = open( path, O_RDONLY ); +- if ( fd >= 0 && fstat( fd, &st ) == 0 ) { ++ if ( fd < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: opening `%s' failed: %s\n", ++ path, AC_STRERROR_R( errno, ebuf, sizeof ebuf ), NULL ); ++ return -1; ++ } ++ if ( fstat( fd, &st ) == 0 ) { + buf->size = st.st_size; + buf->data = LDAP_MALLOC( st.st_size + 1 ); + if ( buf->data ) { +@@ -236,7 +243,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + ctx->cred, + lt->lt_cacertfile, + GNUTLS_X509_FMT_PEM ); +- if ( rc < 0 ) return -1; ++ if ( rc < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use CA certificate file `%s': %s (%d)\n", ++ lo->ldo_tls_cacertfile, gnutls_strerror( rc ), rc ); ++ return -1; ++ } else if ( rc == 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: warning: no certificate loaded from CA certificate file `%s'.\n", ++ lo->ldo_tls_cacertfile, NULL, NULL ); ++ /* only warn, no return */ ++ } + } + + if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) { +@@ -254,18 +271,38 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + * do some special checks here... + */ + rc = tlsg_getfile( lt->lt_keyfile, &buf ); +- if ( rc ) return -1; ++ if ( rc ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use private key file `%s`.\n", ++ lt->lt_keyfile, NULL, NULL ); ++ return -1; ++ } + rc = gnutls_x509_privkey_import( key, &buf, + GNUTLS_X509_FMT_PEM ); + LDAP_FREE( buf.data ); +- if ( rc < 0 ) return rc; ++ if ( rc < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use private key: %s (%d)\n", ++ gnutls_strerror( rc ), rc, NULL ); ++ return rc; ++ } + + rc = tlsg_getfile( lt->lt_certfile, &buf ); +- if ( rc ) return -1; ++ if ( rc ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate file `%s`.\n", ++ lt->lt_certfile, NULL, NULL ); ++ return -1; ++ } + rc = gnutls_x509_crt_list_import( certs, &max, &buf, + GNUTLS_X509_FMT_PEM, 0 ); + LDAP_FREE( buf.data ); +- if ( rc < 0 ) return rc; ++ if ( rc < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate: %s (%d)\n", ++ gnutls_strerror( rc ), rc, NULL ); ++ return rc; ++ } + + /* If there's only one cert and it's not self-signed, + * then we have to build the cert chain. +@@ -282,7 +319,12 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + } + } + rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key ); +- if ( rc ) return -1; ++ if ( rc ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate with key: %s (%d)\n", ++ gnutls_strerror( rc ), rc, NULL ); ++ return -1; ++ } + } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) { + Debug( LDAP_DEBUG_ANY, + "TLS: only one of certfile and keyfile specified\n", +-- +2.20.1 + |