static int libssl_get_last_key_type(SSL_CTX& ctx)
{
#ifdef HAVE_SSL_CTX_GET0_PRIVATEKEY
- auto pkey = SSL_CTX_get0_privatekey(&ctx);
+ auto* pkey = SSL_CTX_get0_privatekey(&ctx);
#else
auto temp = std::unique_ptr<SSL, void(*)(SSL*)>(SSL_new(&ctx), SSL_free);
if (!temp) {
if (ASN1_STRING_to_UTF8(&str, name->d.dNSName) < 0) {
continue;
}
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): OpenSSL's API
result.emplace(reinterpret_cast<const char*>(str));
OPENSSL_free(str);
}
auto* name = X509_get_subject_name(certificate);
if (name != nullptr) {
- ssize_t idx = -1;
+ int idx = -1;
while ((idx = X509_NAME_get_index_by_NID(name, NID_commonName, idx)) != -1) {
const auto* entry = X509_NAME_get_entry(name, idx);
const auto* value = X509_NAME_ENTRY_get_data(entry);
if (ASN1_STRING_to_UTF8(&str, value) < 0) {
continue;
}
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): OpenSSL's API
result.emplace(reinterpret_cast<const char*>(str));
OPENSSL_free(str);
}
#endif
SSL_CTX_set_options(ctx.get(), sslOptions);
- if (!libssl_set_min_tls_version(*ctx.get(), config.d_minTLSVersion)) {
+ if (!libssl_set_min_tls_version(*ctx, config.d_minTLSVersion)) {
throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(config.d_minTLSVersion));
}
throw std::runtime_error("The key from '" + pair.d_key.value() + "' does not match the certificate from '" + pair.d_cert + "'");
}
/* store the type of the new key, we might need it later to select the right OCSP stapling response */
- auto keyType = libssl_get_last_key_type(*ctx.get());
+ auto keyType = libssl_get_last_key_type(*ctx);
if (keyType < 0) {
throw std::runtime_error("The key from '" + pair.d_key.value() + "' has an unknown type");
}
EVP_PKEY *keyptr = nullptr;
X509 *certptr = nullptr;
STACK_OF(X509) *captr = nullptr;
- if (!PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr)) {
+ if (PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr) != 1) {
#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
bool failed = true;
/* we might be opening a PKCS12 file that uses RC2 CBC or 3DES CBC which, since OpenSSL 3.0.0, requires loading the legacy provider */
- auto libCtx = OSSL_LIB_CTX_get0_global_default();
+ auto* libCtx = OSSL_LIB_CTX_get0_global_default();
/* check whether the legacy provider is already loaded */
- if (!OSSL_PROVIDER_available(libCtx, "legacy")) {
+ if (OSSL_PROVIDER_available(libCtx, "legacy") == 0) {
/* it's not */
- auto provider = OSSL_PROVIDER_load(libCtx, "legacy");
+ auto* provider = OSSL_PROVIDER_load(libCtx, "legacy");
if (provider != nullptr) {
- if (PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr)) {
+ if (PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr) == 1) {
failed = false;
}
/* we do not want to keep that provider around after that */
}
auto key = std::unique_ptr<EVP_PKEY, void(*)(EVP_PKEY*)>(keyptr, EVP_PKEY_free);
auto cert = std::unique_ptr<X509, void(*)(X509*)>(certptr, X509_free);
- auto ca = std::unique_ptr<STACK_OF(X509), void(*)(STACK_OF(X509)*)>(captr, [](STACK_OF(X509)* st){ sk_X509_free(st); });
+ auto caList = std::unique_ptr<STACK_OF(X509), void(*)(STACK_OF(X509)*)>(captr, [](STACK_OF(X509)* stack){ sk_X509_free(stack); });
- auto addCertificateAndKey = [&pair, &key, &cert, &ca](std::shared_ptr<SSL_CTX>& tlsContext) {
- if (SSL_CTX_use_cert_and_key(tlsContext.get(), cert.get(), key.get(), ca.get(), 1) != 1) {
+ auto addCertificateAndKey = [&pair, &key, &cert, &caList](std::shared_ptr<SSL_CTX>& tlsContext) {
+ if (SSL_CTX_use_cert_and_key(tlsContext.get(), cert.get(), key.get(), caList.get(), 1) != 1) {
ERR_print_errors_fp(stderr);
throw std::runtime_error("An error occurred while trying to load the TLS certificate and key from PKCS12 file " + pair.d_cert);
}
throw std::runtime_error("The key from '" + pair.d_key.value() + "' does not match the certificate from '" + pair.d_cert + "'");
}
/* store the type of the new key, we might need it later to select the right OCSP stapling response */
- auto keyType = libssl_get_last_key_type(*ctx.get());
+ auto keyType = libssl_get_last_key_type(*ctx);
if (keyType < 0) {
throw std::runtime_error("The key from '" + pair.d_key.value() + "' has an unknown type");
}
for (const auto& warning : warnings) {
warnlog("%s", warning);
}
+ // NOLINTNEXTLINE(cppcoreguidelines-prefer-member-initializer): it cannot be initialized before calling libssl_init_server_context()
d_ocspResponses = std::move(ctx.d_ocspResponses);
+ // NOLINTNEXTLINE(cppcoreguidelines-prefer-member-initializer): it cannot be initialized before calling libssl_init_server_context()
d_tlsCtx = std::move(ctx.d_defaultContext);
+ // NOLINTNEXTLINE(cppcoreguidelines-prefer-member-initializer): it cannot be initialized before calling libssl_init_server_context()
d_sniMap = std::move(ctx.d_sniMap);
for (auto& entry : d_sniMap) {
SSL_CTX_set_tlsext_servername_callback(entry.second.get(), &sni_server_name_callback);
if (serverName == nullptr) {
return SSL_TLSEXT_ERR_NOACK;
}
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): OpenSSL's API
auto* frontendCtx = reinterpret_cast<OpenSSLFrontendContext*>(libssl_get_ticket_key_callback_data(ssl));
if (frontendCtx == nullptr) {
return SSL_TLSEXT_ERR_OK;
auto serverNameView = std::string_view(serverName);
- auto it = frontendCtx->d_sniMap.find(serverNameView);
- if (it == frontendCtx->d_sniMap.end()) {
+ auto mapIt = frontendCtx->d_sniMap.find(serverNameView);
+ if (mapIt == frontendCtx->d_sniMap.end()) {
/* keep the default certificate */
return SSL_TLSEXT_ERR_OK;
}
/* if it fails there is nothing we can do,
let's hope OpenSSL will fallback to the existing,
default certificate*/
- SSL_set_SSL_CTX(ssl, it->second.get());
+ SSL_set_SSL_CTX(ssl, mapIt->second.get());
return SSL_TLSEXT_ERR_OK;
}
projects / thirdparty / pdns.git / commitdiff
