Clean up comments, mark more branches as BUG.

src/or/channeltls.c

@@ -2219,8 +2219,11 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
   }
 
   /* Length of random part. */
-  if (bodylen < 24)
+  if (BUG(bodylen < 24)) {
+    // LCOV_EXCL_START
     ERR("Bodylen is somehow less than 24, which should really be impossible");
+    // LCOV_EXCL_STOP
+  }
 
   if (tor_memneq(expected_cell->payload+4, auth, bodylen-24))
     ERR("Some field in the AUTHENTICATE cell body was not as expected");
@@ -2239,8 +2242,11 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
     size_t keysize;
     int signed_len;
 
-    if (!pk)
+    if (BUG(!pk)) {
+      // LCOV_EXCL_START
       ERR("Internal error: couldn't get RSA key from AUTH cert.");
+      // LCOV_EXCL_STOP
+    }
     crypto_digest256(d, (char*)auth, V3_AUTH_BODY_LEN, DIGEST_SHA256);
 
     keysize = crypto_pk_keysize(pk);

src/or/torcert.c

@@ -471,9 +471,6 @@ or_handshake_certs_rsa_ok(int severity,
   } else {
     if (! (id_cert && auth_cert))
       ERR("The certs we wanted (ID, Auth) were missing");
-    /* Remember these certificates so we can check an AUTHENTICATE cell
-     * XXXX make sure we do that
-     */
     if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, auth_cert, id_cert, now, 1))
       ERR("The authentication certificate was not valid");
     if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, now, 1))
@@ -517,6 +514,9 @@ or_handshake_certs_ed25519_ok(int severity,
       /* check for a match with the TLS cert. */
       tor_x509_cert_t *peer_cert = tor_tls_get_peer_cert(tls);
       if (BUG(!peer_cert)) {
+        /* This is a bug, because if we got to this point, we are a connection
+         * that was initiated here, and we completed a TLS handshake. The
+         * other side *must* have given us a certificate! */
         ERR("No x509 peer cert"); // LCOV_EXCL_LINE
       }
       const common_digests_t *peer_cert_digests =