From: William Lallemand <wlallemand@haproxy.org>
Date: Tue, 19 Jul 2022 16:03:16 +0000 (+0200)
Subject: MINOR: ssl: enhance ca-file error emitting
X-Git-Tag: v2.7-dev3~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f17ab2fdd83ff4f58151a44a8fe1bc22e5b9c18;p=thirdparty%2Fhaproxy.git

MINOR: ssl: enhance ca-file error emitting

Enhance the errors and warnings when trying to load a ca-file with
ssl_store_load_locations_file().

Add errors from ERR_get_error() and strerror to give more information to
the user.
---

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b0bd7bd39d..0992240e22 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1152,6 +1152,11 @@ int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf)
 	return retval;
 }
 
+/*
+ * Try to load a ca-file from disk into the ca-file cache.
+ *
+ *  Return 0 upon error
+ */
 int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
 {
 	X509_STORE *store = ssl_store_get0_locations_file(path);
@@ -1166,16 +1171,27 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 		struct cafile_entry *ca_e;
 		const char *file = NULL;
 		const char *dir = NULL;
+		unsigned long e;
 
 		store = X509_STORE_new();
+		if (!store) {
+			ha_alert("Cannot allocate memory!");
+			goto err;
+		}
 
 		if (strcmp(path, "@system-ca") == 0) {
 			dir = X509_get_default_cert_dir();
+			if (!dir) {
+				ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().");
+				goto err;
+			}
 
 		} else {
 
-			if (stat(path, &buf))
+			if (stat(path, &buf) == -1) {
+				ha_alert("Couldn't open the ca-file '%s' (%s).", path, strerror(errno));
 				goto err;
+			}
 
 			if (S_ISDIR(buf.st_mode))
 				dir = path;
@@ -1185,6 +1201,8 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 
 		if (file) {
 			if (!X509_STORE_load_locations(store, file, NULL)) {
+				e = ERR_get_error();
+				ha_alert("Couldn't open the ca-file '%s' (%s).", path, ERR_reason_error_string(e));
 				goto err;
 			}
 		} else if (dir) {
@@ -1244,10 +1262,12 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 				continue;
 
 scandir_err:
+				e = ERR_get_error();
 				X509_free(ca);
 				BIO_free(in);
 				free(de);
-				ha_warning("ca-file: '%s' couldn't load '%s'\n", path, trash.area);
+				/* warn if it can load one of the files, but don't abort */
+				ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
 
 			}
 			free(de_list);
@@ -1258,12 +1278,14 @@ scandir_err:
 
 		objs = X509_STORE_get0_objects(store);
 		cert_count = sk_X509_OBJECT_num(objs);
-		if (cert_count == 0)
+		if (cert_count == 0) {
 			ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
-
+		}
 		ca_e = ssl_store_create_cafile_entry(path, store, type);
-		if (!ca_e)
+		if (!ca_e) {
+			ha_alert("Cannot allocate memory!\n");
 			goto err;
+		}
 		ebst_insert(&cafile_tree, &ca_e->node);
 	}
 	return (store != NULL);