GNUTLS: Log why fingerprint generation fails

This is rudimentary but at least 1 other backend logs why too.
charybdis-ircd · Mar 1, 2017 · d8df3c9 · d8df3c9
1 parent 5d8a480
commit d8df3c9
Showing 1 changed file with 35 additions and 7 deletions.
diff --git a/libratbox/src/gnutls.c b/libratbox/src/gnutls.c
@@ -375,6 +375,7 @@ rb_load_file_into_datum_t(const char *const file)
 static int
 make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[const RB_SSL_CERTFP_LEN], const int method)
 {
+	int ret;
 	int hashlen;
 	gnutls_digest_algorithm_t md_type;
 
@@ -399,43 +400,55 @@ make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[const RB_SSL_CERTFP_LEN], con
 		md_type = GNUTLS_DIG_SHA512;
 		break;
 	default:
+		rb_lib_log("%s: invalid method %d", __func__, method);
 		return 0;
 	}
 
 	if(! spki)
 	{
 		size_t digest_size = (size_t) hashlen;
 
-		if(gnutls_x509_crt_get_fingerprint(cert, md_type, certfp, &digest_size) != 0)
+		if((ret = gnutls_x509_crt_get_fingerprint(cert, md_type, certfp, &digest_size)) != 0)
+		{
+			rb_lib_log("%s: gnutls_x509_crt_get_fingerprint: %d", __func__, ret);
 			return 0;
+		}
 
 		return hashlen;
 	}
 
 	gnutls_pubkey_t pubkey;
 
-	if(gnutls_pubkey_init(&pubkey) != 0)
+	if((ret = gnutls_pubkey_init(&pubkey)) != 0)
+	{
+		rb_lib_log("%s: gnutls_pubkey_init: %d", __func__, ret);
 		return 0;
+	}
 
-	if(gnutls_pubkey_import_x509(pubkey, cert, 0) != 0)
+	if((ret = gnutls_pubkey_import_x509(pubkey, cert, 0)) != 0)
 	{
+		rb_lib_log("%s: gnutls_pubkey_import_x509: %d", __func__, ret);
 		gnutls_pubkey_deinit(pubkey);
 		return 0;
 	}
 
 	unsigned char derkey[262144];	// Should be big enough to hold any SubjectPublicKeyInfo structure
 	size_t derkey_len = sizeof derkey;
 
-	if(gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, derkey, &derkey_len) != 0)
+	if((ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, derkey, &derkey_len)) != 0)
 	{
+		rb_lib_log("%s: gnutls_pubkey_export: %d", __func__, ret);
 		gnutls_pubkey_deinit(pubkey);
 		return 0;
 	}
 
 	gnutls_pubkey_deinit(pubkey);
 
-	if(gnutls_hash_fast(md_type, derkey, derkey_len, certfp) != 0)
+	if((ret = gnutls_hash_fast(md_type, derkey, derkey_len, certfp)) != 0)
+	{
+		rb_lib_log("%s: gnutls_hash_fast: %d", __func__, ret);
 		return 0;
+	}
 
 	return hashlen;
 }
@@ -662,23 +675,38 @@ rb_get_ssl_strerror(rb_fde_t *const F)
 int
 rb_get_ssl_certfp(rb_fde_t *const F, uint8_t certfp[const RB_SSL_CERTFP_LEN], const int method)
 {
+	int ret;
+
 	if(F == NULL || F->ssl == NULL)
+	{
+		rb_lib_log("%s: no GNUTLS context", __func__);
 		return 0;
+	}
 
 	if(gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
+	{
+		rb_lib_log("%s: not an X.509 certificate", __func__);
 		return 0;
+	}
 
 	unsigned int cert_list_size = 0;
 	const gnutls_datum_t *const cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
 	if(cert_list == NULL || cert_list_size < 1)
+	{
+		rb_lib_log("%s: no peer certificate chain returned", __func__);
 		return 0;
+	}
 
 	gnutls_x509_crt_t peer_cert;
-	if(gnutls_x509_crt_init(&peer_cert) != 0)
+	if((ret = gnutls_x509_crt_init(&peer_cert)) != 0)
+	{
+		rb_lib_log("%s: gnutls_x509_crt_init: %d", __func__, ret);
 		return 0;
+	}
 
-	if(gnutls_x509_crt_import(peer_cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
+	if((ret = gnutls_x509_crt_import(peer_cert, &cert_list[0], GNUTLS_X509_FMT_DER)) < 0)
 	{
+		rb_lib_log("%s: gnutls_x509_crt_import: %d", __func__, ret);
 		gnutls_x509_crt_deinit(peer_cert);
 		return 0;
 	}