mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn

Browse Source 
ssl_sock_put_ckch_into_ctx used to return 0 or >0 to indicate success
or failure. Make it return a set of ERR_* instead so that its callers
can transparently report its status. Given that its callers only used
to know about ERR_ALERT | ERR_FATAL, this is the only code returned
for now. And a comment was updated.
This commit is contained in:
Emeric Brun 2019-10-17 13:25:14 +02:00 committed by Willy Tarreau
parent 054563de13
commit a96b582d0e
1 changed files with 29 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/ssl_sock.c
View File

@ -3053,24 +3053,29 @@ end:
} }
/* Loads the info in ckch into ctx /* Loads the info in ckch into ctx
* Currently, this does not process any information about ocsp, dhparams or * Returns a bitfield containing the flags:
* sctl * ERR_FATAL in any fatal error case
* Returns * ERR_ALERT if the reason of the error is available in err
* 0 on success * ERR_WARN if a warning is available into err
* 1 on failure * The value 0 means there is no error nor warning and
* the operation succeed.
*/ */
static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err) static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
{ {
int errcode = 0;
if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) { if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n", memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
return 1; errcode |= ERR_ALERT | ERR_FATAL;
return errcode;
} }
if (!SSL_CTX_use_certificate(ctx, ckch->cert)) { if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n", memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
return 1; errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
@ -3078,7 +3083,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
if (!SSL_CTX_set1_chain(ctx, ckch->chain)) { if (!SSL_CTX_set1_chain(ctx, ckch->chain)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
return 1; errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
#else #else
{ /* legacy compat (< openssl 1.0.2) */ { /* legacy compat (< openssl 1.0.2) */
@ -3088,7 +3094,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n", memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
X509_free(ca); X509_free(ca);
return 1; errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
} }
#endif #endif
@ -3100,10 +3107,11 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL); SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
} }
if (ssl_sock_load_dh_params(ctx, ckch) < 0) { if (ssl_sock_load_dh_params(ctx, ckch, err) < 0) {
memprintf(err, "%sunable to load DH parameters from file '%s'.\n", memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
return 1; errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
#endif #endif
@ -3112,7 +3120,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) { if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n", memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
*err ? *err : "", path); *err ? *err : "", path);
return 1; errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
} }
#endif #endif
@ -3124,12 +3133,14 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
if (err) if (err)
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n", memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
*err ? *err : "", path); *err ? *err : "", path);
return 1; errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
} }
#endif #endif
return 0; end:
return errcode;
} }
#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
@ -3439,10 +3450,9 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c
if (i & (1<<n)) { if (i & (1<<n)) {
/* Key combo contains ckch[n] */ /* Key combo contains ckch[n] */
snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]); snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
if (ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err) != 0) { errcode |= ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err);
errcode |= ERR_ALERT | ERR_FATAL; if (errcode & ERR_CODE)
goto end; goto end;
}
} }
} }
@ -3569,10 +3579,9 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs,
goto error; goto error;
} }
if (ssl_sock_put_ckch_into_ctx(path, ckch, ctx, err) != 0) { errcode |= ssl_sock_put_ckch_into_ctx(path, ckch, ctx, err);
errcode |= ERR_ALERT | ERR_FATAL; if (errcode & ERR_CODE)
goto error; goto error;
}
ckch_inst = ckch_inst_new(); ckch_inst = ckch_inst_new();
if (!ckch_inst) { if (!ckch_inst) {