mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 22:31:28 +02:00
Code Issues Projects Releases Wiki Activity

CLEANUP: ssl: make ssl_sock_load_dh_params handle errcode/warn

Browse Source 
ssl_sock_load_dh_params used to return >0 or -1 to indicate success
or failure. Make it return a set of ERR_* instead so that its callers
can transparently report its status. Given that its callers only used
to know about ERR_ALERT | ERR_FATAL, this is the only code returned
for now. An error message was added in the case of failure and the
comment was updated.
This commit is contained in:
Emeric Brun 2019-10-17 13:27:40 +02:00 committed by Willy Tarreau
parent a96b582d0e
commit 7a88336cf8
1 changed files with 22 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/ssl_sock.c
View File

@ -2774,17 +2774,27 @@ static void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf
struct eb_root ckchs_tree = EB_ROOT_UNIQUE; struct eb_root ckchs_tree = EB_ROOT_UNIQUE;
/* Loads Diffie-Hellman parameter from a ckchs. Returns 1 if loaded, else -1 /* Loads Diffie-Hellman parameter from a ckchs to an SSL_CTX.
if an error occurred, and 0 if parameter not found. */ * If there is no DH paramater availaible in the ckchs, the global
* DH parameter is loaded into the SSL_CTX and if there is no
* DH parameter available in ckchs nor in global, the default
* DH parameters are applied on the SSL_CTX.
* Returns a bitfield containing the flags:
* ERR_FATAL in any fatal error case
* ERR_ALERT if a reason of the error is availabine in err
* ERR_WARN if a warning is available into err
* The value 0 means there is no error nor warning and
* the operation succeed.
*/
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain *ckch) static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain *ckch,
const char *path, char **err)
{ {
int ret = -1; int ret = 0;
DH *dh = NULL; DH *dh = NULL;
if (ckch && ckch->dh) { if (ckch && ckch->dh) {
dh = ckch->dh; dh = ckch->dh;
ret = 1;
SSL_CTX_set_tmp_dh(ctx, dh); SSL_CTX_set_tmp_dh(ctx, dh);
if (ssl_dh_ptr_index >= 0) { if (ssl_dh_ptr_index >= 0) {
@ -2795,7 +2805,6 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
} }
else if (global_dh) { else if (global_dh) {
SSL_CTX_set_tmp_dh(ctx, global_dh); SSL_CTX_set_tmp_dh(ctx, global_dh);
ret = 0; /* DH params not found */
} }
else { else {
/* Clear openssl global errors stack */ /* Clear openssl global errors stack */
@ -2806,16 +2815,18 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
if (local_dh_1024 == NULL) if (local_dh_1024 == NULL)
local_dh_1024 = ssl_get_dh_1024(); local_dh_1024 = ssl_get_dh_1024();
if (local_dh_1024 == NULL) if (local_dh_1024 == NULL) {
memprintf(err, "%sunable to load default 1024 bits DH parameter for certificate '%s'.\n",
err && *err ? *err : "", path);
ret |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
}
SSL_CTX_set_tmp_dh(ctx, local_dh_1024); SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
} }
else { else {
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh); SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
} }
ret = 0; /* DH params not found */
} }
end: end:
@ -3107,10 +3118,10 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL); SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
} }
if (ssl_sock_load_dh_params(ctx, ckch, err) < 0) { errcode |= ssl_sock_load_dh_params(ctx, ckch, path, err);
if (errcode & ERR_CODE) {
memprintf(err, "%sunable to load DH parameters from file '%s'.\n", memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
#endif #endif