From a96b582d0eaf1a7a9b21c71b8eda2965f74699d4 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Thu, 17 Oct 2019 13:25:14 +0200 Subject: [PATCH] CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn ssl_sock_put_ckch_into_ctx used to return 0 or >0 to indicate success or failure. Make it return a set of ERR_* instead so that its callers can transparently report its status. Given that its callers only used to know about ERR_ALERT | ERR_FATAL, this is the only code returned for now. And a comment was updated. --- src/ssl_sock.c | 49 +++++++++++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index fbc3e8e92..59191f277 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3053,24 +3053,29 @@ end: } /* Loads the info in ckch into ctx - * Currently, this does not process any information about ocsp, dhparams or - * sctl - * Returns - * 0 on success - * 1 on failure + * Returns a bitfield containing the flags: + * ERR_FATAL in any fatal error case + * ERR_ALERT if the reason of the error is available in err + * ERR_WARN if a warning is available into err + * The value 0 means there is no error nor warning and + * the operation succeed. */ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err) { + int errcode = 0; + if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) { memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n", err && *err ? *err : "", path); - return 1; + errcode |= ERR_ALERT | ERR_FATAL; + return errcode; } if (!SSL_CTX_use_certificate(ctx, ckch->cert)) { memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n", err && *err ? *err : "", path); - return 1; + errcode |= ERR_ALERT | ERR_FATAL; + goto end; } /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ @@ -3078,7 +3083,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an if (!SSL_CTX_set1_chain(ctx, ckch->chain)) { memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", err && *err ? *err : "", path); - return 1; + errcode |= ERR_ALERT | ERR_FATAL; + goto end; } #else { /* legacy compat (< openssl 1.0.2) */ @@ -3088,7 +3094,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n", err && *err ? *err : "", path); X509_free(ca); - return 1; + errcode |= ERR_ALERT | ERR_FATAL; + goto end; } } #endif @@ -3100,10 +3107,11 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL); } - if (ssl_sock_load_dh_params(ctx, ckch) < 0) { + if (ssl_sock_load_dh_params(ctx, ckch, err) < 0) { memprintf(err, "%sunable to load DH parameters from file '%s'.\n", err && *err ? *err : "", path); - return 1; + errcode |= ERR_ALERT | ERR_FATAL; + goto end; } #endif @@ -3112,7 +3120,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) { memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n", *err ? *err : "", path); - return 1; + errcode |= ERR_ALERT | ERR_FATAL; + goto end; } } #endif @@ -3124,12 +3133,14 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an if (err) memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n", *err ? *err : "", path); - return 1; + errcode |= ERR_ALERT | ERR_FATAL; + goto end; } } #endif - return 0; + end: + return errcode; } #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL @@ -3439,10 +3450,9 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c if (i & (1<