summaryrefslogtreecommitdiffstats
path: root/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch
blob: c39124409e2fc2dc942dce12a128c652881a4e79 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
From 82ce81ee7ad4a252aed2d6a10ea808ff18a65ffd Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Sun, 22 Sep 2019 03:08:30 +0000
Subject: [PATCH] ITS#9086 Add debug logging for more GnuTLS errors

---
 libraries/libldap/tls_g.c | 56 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 49 insertions(+), 7 deletions(-)

diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index f3b4cd710..249f7e8d5 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -188,9 +188,16 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf )
 {
 	int rc = -1, fd;
 	struct stat st;
+	char ebuf[128];
 
 	fd = open( path, O_RDONLY );
-	if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
+	if ( fd < 0 ) {
+		Debug( LDAP_DEBUG_ANY,
+			"TLS: opening `%s' failed: %s\n",
+			path, AC_STRERROR_R( errno, ebuf, sizeof ebuf ), NULL );
+		return -1;
+	}
+	if ( fstat( fd, &st ) == 0 ) {
 		buf->size = st.st_size;
 		buf->data = LDAP_MALLOC( st.st_size + 1 );
 		if ( buf->data ) {
@@ -236,7 +243,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 			ctx->cred,
 			lt->lt_cacertfile,
 			GNUTLS_X509_FMT_PEM );
-		if ( rc < 0 ) return -1;
+		if ( rc < 0 ) {
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: could not use CA certificate file `%s': %s (%d)\n",
+				lo->ldo_tls_cacertfile, gnutls_strerror( rc ), rc );
+			return -1;
+		} else if ( rc == 0 ) {
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: warning: no certificate loaded from CA certificate file `%s'.\n",
+				lo->ldo_tls_cacertfile, NULL, NULL );
+			/* only warn, no return */
+		}
 	}
 
 	if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
@@ -254,18 +271,38 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 		 * do some special checks here...
 		 */
 		rc = tlsg_getfile( lt->lt_keyfile, &buf );
-		if ( rc ) return -1;
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: could not use private key file `%s`.\n",
+				lt->lt_keyfile, NULL, NULL );
+			return -1;
+		}
 		rc = gnutls_x509_privkey_import( key, &buf,
 			GNUTLS_X509_FMT_PEM );
 		LDAP_FREE( buf.data );
-		if ( rc < 0 ) return rc;
+		if ( rc < 0 ) {
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: could not use private key: %s (%d)\n",
+				gnutls_strerror( rc ), rc, NULL );
+			return rc;
+		}
 
 		rc = tlsg_getfile( lt->lt_certfile, &buf );
-		if ( rc ) return -1;
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: could not use certificate file `%s`.\n",
+				lt->lt_certfile, NULL, NULL );
+			return -1;
+		}
 		rc = gnutls_x509_crt_list_import( certs, &max, &buf,
 			GNUTLS_X509_FMT_PEM, 0 );
 		LDAP_FREE( buf.data );
-		if ( rc < 0 ) return rc;
+		if ( rc < 0 ) {
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: could not use certificate: %s (%d)\n",
+				gnutls_strerror( rc ), rc, NULL );
+			return rc;
+		}
 
 		/* If there's only one cert and it's not self-signed,
 		 * then we have to build the cert chain.
@@ -282,7 +319,12 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 			}
 		}
 		rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
-		if ( rc ) return -1;
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: could not use certificate with key: %s (%d)\n",
+				gnutls_strerror( rc ), rc, NULL );
+			return -1;
+		}
 	} else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
 		Debug( LDAP_DEBUG_ANY, 
 		       "TLS: only one of certfile and keyfile specified\n",
-- 
2.20.1