GNUTLS: Log why fingerprint generation fails
This is rudimentary but at least 1 other backend logs why too.
This commit is contained in:
parent
5d8a480305
commit
d8df3c90de
1 changed files with 39 additions and 11 deletions
|
@ -375,6 +375,7 @@ rb_load_file_into_datum_t(const char *const file)
|
||||||
static int
|
static int
|
||||||
make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[const RB_SSL_CERTFP_LEN], const int method)
|
make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[const RB_SSL_CERTFP_LEN], const int method)
|
||||||
{
|
{
|
||||||
|
int ret;
|
||||||
int hashlen;
|
int hashlen;
|
||||||
gnutls_digest_algorithm_t md_type;
|
gnutls_digest_algorithm_t md_type;
|
||||||
|
|
||||||
|
@ -399,6 +400,7 @@ make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[const RB_SSL_CERTFP_LEN], con
|
||||||
md_type = GNUTLS_DIG_SHA512;
|
md_type = GNUTLS_DIG_SHA512;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
rb_lib_log("%s: invalid method %d", __func__, method);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -406,19 +408,26 @@ make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[const RB_SSL_CERTFP_LEN], con
|
||||||
{
|
{
|
||||||
size_t digest_size = (size_t) hashlen;
|
size_t digest_size = (size_t) hashlen;
|
||||||
|
|
||||||
if(gnutls_x509_crt_get_fingerprint(cert, md_type, certfp, &digest_size) != 0)
|
if((ret = gnutls_x509_crt_get_fingerprint(cert, md_type, certfp, &digest_size)) != 0)
|
||||||
|
{
|
||||||
|
rb_lib_log("%s: gnutls_x509_crt_get_fingerprint: %d", __func__, ret);
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
return hashlen;
|
return hashlen;
|
||||||
}
|
}
|
||||||
|
|
||||||
gnutls_pubkey_t pubkey;
|
gnutls_pubkey_t pubkey;
|
||||||
|
|
||||||
if(gnutls_pubkey_init(&pubkey) != 0)
|
if((ret = gnutls_pubkey_init(&pubkey)) != 0)
|
||||||
return 0;
|
|
||||||
|
|
||||||
if(gnutls_pubkey_import_x509(pubkey, cert, 0) != 0)
|
|
||||||
{
|
{
|
||||||
|
rb_lib_log("%s: gnutls_pubkey_init: %d", __func__, ret);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if((ret = gnutls_pubkey_import_x509(pubkey, cert, 0)) != 0)
|
||||||
|
{
|
||||||
|
rb_lib_log("%s: gnutls_pubkey_import_x509: %d", __func__, ret);
|
||||||
gnutls_pubkey_deinit(pubkey);
|
gnutls_pubkey_deinit(pubkey);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -426,16 +435,20 @@ make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[const RB_SSL_CERTFP_LEN], con
|
||||||
unsigned char derkey[262144]; // Should be big enough to hold any SubjectPublicKeyInfo structure
|
unsigned char derkey[262144]; // Should be big enough to hold any SubjectPublicKeyInfo structure
|
||||||
size_t derkey_len = sizeof derkey;
|
size_t derkey_len = sizeof derkey;
|
||||||
|
|
||||||
if(gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, derkey, &derkey_len) != 0)
|
if((ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, derkey, &derkey_len)) != 0)
|
||||||
{
|
{
|
||||||
|
rb_lib_log("%s: gnutls_pubkey_export: %d", __func__, ret);
|
||||||
gnutls_pubkey_deinit(pubkey);
|
gnutls_pubkey_deinit(pubkey);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
gnutls_pubkey_deinit(pubkey);
|
gnutls_pubkey_deinit(pubkey);
|
||||||
|
|
||||||
if(gnutls_hash_fast(md_type, derkey, derkey_len, certfp) != 0)
|
if((ret = gnutls_hash_fast(md_type, derkey, derkey_len, certfp)) != 0)
|
||||||
|
{
|
||||||
|
rb_lib_log("%s: gnutls_hash_fast: %d", __func__, ret);
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
return hashlen;
|
return hashlen;
|
||||||
}
|
}
|
||||||
|
@ -662,23 +675,38 @@ rb_get_ssl_strerror(rb_fde_t *const F)
|
||||||
int
|
int
|
||||||
rb_get_ssl_certfp(rb_fde_t *const F, uint8_t certfp[const RB_SSL_CERTFP_LEN], const int method)
|
rb_get_ssl_certfp(rb_fde_t *const F, uint8_t certfp[const RB_SSL_CERTFP_LEN], const int method)
|
||||||
{
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
if(F == NULL || F->ssl == NULL)
|
if(F == NULL || F->ssl == NULL)
|
||||||
|
{
|
||||||
|
rb_lib_log("%s: no GNUTLS context", __func__);
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if(gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
|
if(gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
|
||||||
|
{
|
||||||
|
rb_lib_log("%s: not an X.509 certificate", __func__);
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
unsigned int cert_list_size = 0;
|
unsigned int cert_list_size = 0;
|
||||||
const gnutls_datum_t *const cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
|
const gnutls_datum_t *const cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
|
||||||
if(cert_list == NULL || cert_list_size < 1)
|
if(cert_list == NULL || cert_list_size < 1)
|
||||||
|
{
|
||||||
|
rb_lib_log("%s: no peer certificate chain returned", __func__);
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
gnutls_x509_crt_t peer_cert;
|
gnutls_x509_crt_t peer_cert;
|
||||||
if(gnutls_x509_crt_init(&peer_cert) != 0)
|
if((ret = gnutls_x509_crt_init(&peer_cert)) != 0)
|
||||||
return 0;
|
|
||||||
|
|
||||||
if(gnutls_x509_crt_import(peer_cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
|
|
||||||
{
|
{
|
||||||
|
rb_lib_log("%s: gnutls_x509_crt_init: %d", __func__, ret);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if((ret = gnutls_x509_crt_import(peer_cert, &cert_list[0], GNUTLS_X509_FMT_DER)) < 0)
|
||||||
|
{
|
||||||
|
rb_lib_log("%s: gnutls_x509_crt_import: %d", __func__, ret);
|
||||||
gnutls_x509_crt_deinit(peer_cert);
|
gnutls_x509_crt_deinit(peer_cert);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue