changeset 19447:dbbfa124b27d
login, lib-ssl-iostream: Deduplicate code with shared openssl_iostream_use_certificate_error()
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Thu, 03 Dec 2015 12:02:56 +0200 |
parents | 77990d0b1a42 |
children | a0df8b106de1 |
files | src/lib-ssl-iostream/iostream-openssl-context.c src/lib-ssl-iostream/iostream-openssl.c src/lib-ssl-iostream/iostream-openssl.h src/login-common/ssl-proxy-openssl.c |
diffstat | 4 files changed, 13 insertions(+), 31 deletions(-) [+] |
--- a/src/lib-ssl-iostream/iostream-openssl-context.c Thu Dec 03 11:58:11 2015 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c Thu Dec 03 12:02:56 2015 +0200
@@ -174,7 +174,8 @@
 	return strstr(cert, "PRIVATE KEY---") != NULL;
 }
-const char *ssl_iostream_get_use_certificate_error(const char *cert)
+const char *
+openssl_iostream_use_certificate_error(const char *cert, const char *set_name)
 {
 	unsigned long err;
@@ -185,8 +186,11 @@
 	else if (is_pem_key(cert)) {
 		return "The file contains a private key " "(you've mixed ssl_cert and ssl_key settings)";
+	} else if (set_name != NULL && strchr(cert, '\n') == NULL) {
+		return t_strdup_printf("There is no valid PEM certificate. " "(You probably forgot '<' from %s=<%s)", set_name, cert);
 	} else {
-		return "There is no certificate.";
+		return "There is no valid PEM certificate.";
 	}
 }
@@ -398,7 +402,7 @@
 	if (set->cert != NULL && ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert) == 0) {
 		*error_r = t_strdup_printf("Can't load SSL certificate: %s",
-			ssl_iostream_get_use_certificate_error(set->cert));
+			openssl_iostream_use_certificate_error(set->cert, NULL));
 		return -1;
 	}
 	if (set->key != NULL) {
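Review bot: The new `set_name != NULL && strchr(cert, '\n') == NULL` branch is only reached after the error-queue check that sits between this hunk and the previous one (not visible here, but in the copy removed from ssl-proxy-openssl.c it is `ERR_peek_error()` compared against `PEM_R_NO_START_LINE`), and `ERR_peek_error()` returns the oldest queued error, so any error a caller left on the thread's OpenSSL error queue before `ssl_ctx_use_certificate_chain()` makes the function report that stale error via `openssl_iostream_error()` instead of the "forgot '<'" hint. Either callers should clear the queue before the load, or the precondition should be stated on the function: `/* Must be called right after the failed certificate load, with nothing older on the OpenSSL error queue. */`. Note also that the hint copies the raw setting value into the message; because the branch only fires for values without a newline this is normally a file name, but the text does reach the log (the login callers pass it to i_fatal()), which is worth a sentence in the comment. The enclosing function starts in the previous hunk.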
--- a/src/lib-ssl-iostream/iostream-openssl.c Thu Dec 03 11:58:11 2015 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl.c Thu Dec 03 12:02:56 2015 +0200
@@ -71,7 +71,7 @@
 	if (ret == 0) {
 		*error_r = t_strdup_printf("Can't load ssl_cert: %s",
-			ssl_iostream_get_use_certificate_error(cert));
+			openssl_iostream_use_certificate_error(cert, NULL));
 		return -1;
 	}
 	return 0;
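Review bot: Passing `NULL` as set_name on the added line drops the new "forgot '<'" hint even though the message on the line above already names the setting as ssl_cert, so lib-ssl-iostream users get a less helpful diagnosis than the login processes for the same mistake; if the value reaching this loader can be an unexpanded `ssl_cert=` setting (I cannot tell from the hunk), `openssl_iostream_use_certificate_error(cert, "ssl_cert")` would restore the hint. The `set->cert` call in iostream-openssl-context.c has the same NULL. If NULL is deliberate because this library does not know the setting name, a short comment on the call saying so would stop the next reader from "fixing" it. The enclosing function starts before this hunk.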
--- a/src/lib-ssl-iostream/iostream-openssl.h Thu Dec 03 11:58:11 2015 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl.h Thu Dec 03 12:02:56 2015 +0200
@@ -68,7 +68,6 @@
 int openssl_iostream_load_key(const struct ssl_iostream_settings *set, EVP_PKEY **pkey_r, const char **error_r);
-const char *ssl_iostream_get_use_certificate_error(const char *cert);
 int openssl_cert_match_name(SSL *ssl, const char *verify_name);
 int openssl_get_protocol_options(const char *protocols);
 #define OPENSSL_ALL_PROTOCOL_OPTIONS \
@@ -92,6 +91,8 @@
 const char *openssl_iostream_error(void);
 const char *openssl_iostream_key_load_error(void);
+const char *
+openssl_iostream_use_certificate_error(const char *cert, const char *set_name);
 int openssl_iostream_generate_params(buffer_t *output, unsigned int dh_length, const char **error_r);
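Review bot: The new prototype in the second hunk carries no comment, and now that it is shared between two subsystems the two things a caller has to know are not stated anywhere: that set_name may be NULL (which silently suppresses the "forgot '<'" hint, as the implementation in iostream-openssl-context.c shows) and that the result is either a string literal or a t_strdup_printf() result, i.e. data-stack allocated and not safe to keep past the caller's frame. I would add above the declaration: `/* Explain why the certificate load that just failed did so. set_name may be NULL to omit the "forgot '<' from ssl_cert=<file" hint. The returned string is a literal or t_strdup_printf()'d, so copy it if it must outlive the current data stack frame. */`. The declaration also sits next to openssl_iostream_error() and openssl_iostream_key_load_error(), which read the OpenSSL error queue too, so a one-line reminder that all three must be called before anything else touches that queue would fit here.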
--- a/src/login-common/ssl-proxy-openssl.c Thu Dec 03 11:58:11 2015 +0200
+++ b/src/login-common/ssl-proxy-openssl.c Thu Dec 03 12:02:56 2015 +0200
@@ -935,11 +935,6 @@
 	return ssl_proxy_count;
 }
-static bool is_pem_key(const char *cert)
-{
-	return strstr(cert, "PRIVATE KEY---") != NULL;
-}
-
 static void load_ca(X509_STORE *store, const char *ca, STACK_OF(X509_NAME) **xnames_r)
 {
@@ -1080,25 +1075,6 @@
 	SSL_CTX_set_client_CA_list(ssl_ctx, ca_names);
 }
-static const char *ssl_proxy_get_use_certificate_error(const char *cert)
-{
-	unsigned long err;
-	err = ERR_peek_error();
-	if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
-	    ERR_GET_REASON(err) != PEM_R_NO_START_LINE)
-		return openssl_iostream_error();
-	else if (is_pem_key(cert)) {
-		return "The file contains a private key "
-		       "(you've mixed ssl_cert and ssl_key settings)";
-	} else if (strchr(cert, '\n') == NULL) {
-		return t_strdup_printf("There is no valid PEM certificate. "
-				       "(You probably forgot '<' from ssl_cert=<%s)", cert);
-	} else {
-		return "There is no valid PEM certificate.";
-	}
-}
-
 static EVP_PKEY * ATTR_NULL(2) ssl_proxy_load_key(const char *key, const char *password)
 {
@@ -1277,7 +1253,7 @@
 	if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {
 		i_fatal("Can't load ssl_cert: %s",
-			ssl_proxy_get_use_certificate_error(ctx->cert));
+			openssl_iostream_use_certificate_error(ctx->cert, "ssl_cert"));
 	}
 #ifdef HAVE_SSL_GET_SERVERNAME
@@ -1317,7 +1293,8 @@
 	if (ssl_proxy_ctx_use_certificate_chain(ctx, set->ssl_client_cert) != 1) {
 		i_fatal("Can't load ssl_client_cert: %s",
-			ssl_proxy_get_use_certificate_error(set->ssl_client_cert));
+			openssl_iostream_use_certificate_error(
+				set->ssl_client_cert, "ssl_client_cert"));
 	}
 	pkey = ssl_proxy_load_key(set->ssl_client_key, NULL);