From 82ce81ee7ad4a252aed2d6a10ea808ff18a65ffd Mon Sep 17 00:00:00 2001 From: Ryan Tandy Date: Sun, 22 Sep 2019 03:08:30 +0000 Subject: [PATCH] ITS#9086 Add debug logging for more GnuTLS errors --- libraries/libldap/tls_g.c | 56 ++++++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c index f3b4cd710..249f7e8d5 100644 --- a/libraries/libldap/tls_g.c +++ b/libraries/libldap/tls_g.c @@ -188,9 +188,16 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf ) { int rc = -1, fd; struct stat st; + char ebuf[128]; fd = open( path, O_RDONLY ); - if ( fd >= 0 && fstat( fd, &st ) == 0 ) { + if ( fd < 0 ) { + Debug( LDAP_DEBUG_ANY, + "TLS: opening `%s' failed: %s\n", + path, AC_STRERROR_R( errno, ebuf, sizeof ebuf ), NULL ); + return -1; + } + if ( fstat( fd, &st ) == 0 ) { buf->size = st.st_size; buf->data = LDAP_MALLOC( st.st_size + 1 ); if ( buf->data ) { @@ -236,7 +243,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) ctx->cred, lt->lt_cacertfile, GNUTLS_X509_FMT_PEM ); - if ( rc < 0 ) return -1; + if ( rc < 0 ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use CA certificate file `%s': %s (%d)\n", + lo->ldo_tls_cacertfile, gnutls_strerror( rc ), rc ); + return -1; + } else if ( rc == 0 ) { + Debug( LDAP_DEBUG_ANY, + "TLS: warning: no certificate loaded from CA certificate file `%s'.\n", + lo->ldo_tls_cacertfile, NULL, NULL ); + /* only warn, no return */ + } } if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) { @@ -254,18 +271,38 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) * do some special checks here... */ rc = tlsg_getfile( lt->lt_keyfile, &buf ); - if ( rc ) return -1; + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use private key file `%s`.\n", + lt->lt_keyfile, NULL, NULL ); + return -1; + } rc = gnutls_x509_privkey_import( key, &buf, GNUTLS_X509_FMT_PEM ); LDAP_FREE( buf.data ); - if ( rc < 0 ) return rc; + if ( rc < 0 ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use private key: %s (%d)\n", + gnutls_strerror( rc ), rc, NULL ); + return rc; + } rc = tlsg_getfile( lt->lt_certfile, &buf ); - if ( rc ) return -1; + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use certificate file `%s`.\n", + lt->lt_certfile, NULL, NULL ); + return -1; + } rc = gnutls_x509_crt_list_import( certs, &max, &buf, GNUTLS_X509_FMT_PEM, 0 ); LDAP_FREE( buf.data ); - if ( rc < 0 ) return rc; + if ( rc < 0 ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use certificate: %s (%d)\n", + gnutls_strerror( rc ), rc, NULL ); + return rc; + } /* If there's only one cert and it's not self-signed, * then we have to build the cert chain. @@ -282,7 +319,12 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) } } rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key ); - if ( rc ) return -1; + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use certificate with key: %s (%d)\n", + gnutls_strerror( rc ), rc, NULL ); + return -1; + } } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) { Debug( LDAP_DEBUG_ANY, "TLS: only one of certfile and keyfile specified\n", -- 2.20.1