Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 394701dc80ac9d429b12d405973fb30c348b81f3^! / . / src / ssl_sock.c
commit394701dc80ac9d429b12d405973fb30c348b81f3[log] [tgz]
authorEmeric Brun <ebrun@haproxy.com>Thu Oct 17 13:25:14 2019 +0200
committerWilly Tarreau <w@1wt.eu>Fri Oct 18 18:27:15 2019 +0200
treec1f4dbeecae69b03256825e3ed124a917b293dea
parentb131c870f9fbb5553d8970bb039609f97e1cc6e6 [diff] [blame]
CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn

ssl_sock_put_ckch_into_ctx used to return 0 or >0 to indicate success
or failure. Make it return a set of ERR_* instead so that its callers
can transparently report its status. Given that its callers only used
to know about ERR_ALERT | ERR_FATAL, this is the only code returned
for now. And a comment was updated.

(cherry picked from commit a96b582d0eaf1a7a9b21c71b8eda2965f74699d4)
Signed-off-by: Emeric Brun <ebrun@haproxy.com>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 10f91a2..fbabc2d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3007,26 +3007,30 @@
 }
 
 /* Loads the info in ckch into ctx
- * Currently, this does not process any information about ocsp, dhparams or
- * sctl
- * Returns
- *     0 on success
- *     1 on failure
+ * Returns a bitfield containing the flags:
+ *     ERR_FATAL in any fatal error case
+ *     ERR_ALERT if the reason of the error is available in err
+ *     ERR_WARN if a warning is available into err
+ * The value 0 means there is no error nor warning and
+ * the operation succeed.
  */
 static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
 {
 	int i = 0;
+	int errcode = 0;
 
 	if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
 		memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
 				err && *err ? *err : "", path);
-		return 1;
+		errcode |= ERR_ALERT | ERR_FATAL;
+		return errcode;
 	}
 
 	if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
 		memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n",
 				err && *err ? *err : "", path);
-		return 1;
+		errcode |= ERR_ALERT | ERR_FATAL;
+		goto end;
 	}
 
 	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
@@ -3034,17 +3038,19 @@
 		if (!SSL_CTX_add1_chain_cert(ctx, ckch->chain_certs[i])) {
 			memprintf(err, "%sunable to load chain certificate #%d into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
 					err && *err ? *err : "", (i+1), path);
-			return 1;
+			errcode |= ERR_ALERT | ERR_FATAL;
+			goto end;
 		}
 	}
 
 	if (SSL_CTX_check_private_key(ctx) <= 0) {
 		memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
 				err && *err ? *err : "", path);
-		return 1;
+		errcode |= ERR_ALERT | ERR_FATAL;
 	}
 
-	return 0;
+ end:
+	return errcode;
 }
 
 
@@ -3252,9 +3258,9 @@
 				if (i & (1<<n)) {
 					/* Key combo contains ckch[n] */
 					snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
-					if (ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err) != 0) {
+					errcode |= ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err);
+					if (errcode & ERR_CODE) {
 						SSL_CTX_free(cur_ctx);
-						errcode |= ERR_ALERT | ERR_FATAL;
 						goto end;
 					}