From: Timo Sirainen
Date: Thu, 3 Dec 2015 10:02:56 +0000 (+0200)
Subject: login, lib-ssl-iostream: Deduplicate code with shared openssl_iostream_use_certificat...
X-Git-Tag: 2.2.20.rc1~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8b5d186ec2f8b56ded72a7f45a70b7542caad9d0;p=thirdparty%2Fdovecot%2Fcore.git
login, lib-ssl-iostream: Deduplicate code with shared openssl_iostream_use_certificate_error()
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 2313de39ed..96b6e7b916 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -174,7 +174,8 @@ static bool is_pem_key(const char *cert)
 return strstr(cert, "PRIVATE KEY---") != NULL;
 }
-const char *ssl_iostream_get_use_certificate_error(const char *cert)
+const char *
+openssl_iostream_use_certificate_error(const char *cert, const char *set_name)
 {
 unsigned long err;
@@ -185,8 +186,11 @@ const char *ssl_iostream_get_use_certificate_error(const char *cert)
 else if (is_pem_key(cert)) {
 return "The file contains a private key " "(you've mixed ssl_cert and ssl_key settings)";
+ } else if (set_name != NULL && strchr(cert, '\n') == NULL) {
+ return t_strdup_printf("There is no valid PEM certificate. " "(You probably forgot '<' from %s=<%s)", set_name, cert);
 } else {
- return "There is no certificate.";
+ return "There is no valid PEM certificate.";
 }
 }
@@ -398,7 +402,7 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 if (set->cert != NULL && ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert) == 0) {
 *error_r = t_strdup_printf("Can't load SSL certificate: %s",
- ssl_iostream_get_use_certificate_error(set->cert));
+ openssl_iostream_use_certificate_error(set->cert, NULL));
 return -1;
 }
 if (set->key != NULL) {
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 5bad303e81..e9c403ec86 100644
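Review bot: In the new `else if` branch of openssl_iostream_use_certificate_error, an empty `cert` (setting present but blank) also contains no newline, so the hint becomes "You probably forgot '<' from ssl_cert=<" with nothing after it, which points the admin at the wrong mistake; the caller in the -398 hunk only checks `set->cert != NULL`, and whether a blank value can reach this point otherwise depends on the settings parser outside this diff. A one-token guard keeps the hint accurate: `} else if (set_name != NULL && *cert != '\0' && strchr(cert, '\n') == NULL) {`. Separately, both lib-ssl-iostream callers (this file's -398 hunk and iostream-openssl.c) pass NULL for set_name, so they never get the "forgot '<'" diagnostic even though a newline-free value there is most likely the same misconfiguration; a name-less fallback such as `"There is no valid PEM certificate. (The value looks like a file name; use '<' to read the file)"` would preserve the hint for them. Note that the value of `cert` is embedded verbatim in the returned message, so it ends up in the caller's error output or log. The function's signature is in the preceding hunk and its body continues beyond this one.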
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -71,7 +71,7 @@ openssl_iostream_use_certificate(struct ssl_iostream *ssl_io, const char *cert,
 if (ret == 0) {
 *error_r = t_strdup_printf("Can't load ssl_cert: %s",
- ssl_iostream_get_use_certificate_error(cert));
+ openssl_iostream_use_certificate_error(cert, NULL));
 return -1;
 }
 return 0;
diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h
index fac2880c88..eb8e8104bd 100644
--- a/src/lib-ssl-iostream/iostream-openssl.h
+++ b/src/lib-ssl-iostream/iostream-openssl.h
@@ -68,7 +68,6 @@ void openssl_iostream_global_deinit(void);
 int openssl_iostream_load_key(const struct ssl_iostream_settings *set, EVP_PKEY **pkey_r, const char **error_r);
-const char *ssl_iostream_get_use_certificate_error(const char *cert);
 int openssl_cert_match_name(SSL *ssl, const char *verify_name);
 int openssl_get_protocol_options(const char *protocols);
 #define OPENSSL_ALL_PROTOCOL_OPTIONS \
@@ -92,6 +91,8 @@ int openssl_iostream_handle_write_error(struct ssl_iostream *ssl_io, int ret,
 const char *openssl_iostream_error(void);
 const char *openssl_iostream_key_load_error(void);
+const char *
+openssl_iostream_use_certificate_error(const char *cert, const char *set_name);
 int openssl_iostream_generate_params(buffer_t *output, unsigned int dh_length, const char **error_r);
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index ee78eddbf1..f4983addc3 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -935,11 +935,6 @@ unsigned int ssl_proxy_get_count(void)
 return ssl_proxy_count;
 }
-static bool is_pem_key(const char *cert)
-{
- return strstr(cert, "PRIVATE KEY---") != NULL;
-}
-
 static void load_ca(X509_STORE *store, const char *ca, STACK_OF(X509_NAME) **xnames_r)
 {
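Review bot: The new declaration of openssl_iostream_use_certificate_error in the iostream-openssl.h -92 hunk carries no contract comment, and neither parameter is self-explanatory now that the function is shared between lib-ssl-iostream and login-common: set_name may be NULL (every lib-ssl-iostream caller in this commit passes NULL) and only selects whether the "forgot '<'" hint is produced, while the result is sometimes a string literal and sometimes t_strdup_printf() output that quotes the setting value. Suggested comment above the declaration: `/* Explain why loading PEM certificate data `cert` failed, from the pending OpenSSL error. set_name names the setting for the "forgot '<'" hint; NULL omits that hint. The result may be a temporary t_strdup_printf() string and embeds cert verbatim, so expect it in logs. */`. The same applies to the definition in iostream-openssl-context.c if the project documents functions at the definition rather than the header.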
@@ -1080,25 +1075,6 @@ ssl_proxy_ctx_verify_client(SSL_CTX *ssl_ctx, STACK_OF(X509_NAME) *ca_names)
 SSL_CTX_set_client_CA_list(ssl_ctx, ca_names);
 }
-static const char *ssl_proxy_get_use_certificate_error(const char *cert)
-{
- unsigned long err;
-
- err = ERR_peek_error();
- if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
- ERR_GET_REASON(err) != PEM_R_NO_START_LINE)
- return openssl_iostream_error();
- else if (is_pem_key(cert)) {
- return "The file contains a private key "
- "(you've mixed ssl_cert and ssl_key settings)";
- } else if (strchr(cert, '\n') == NULL) {
- return t_strdup_printf("There is no valid PEM certificate. "
- "(You probably forgot '<' from ssl_cert=<%s)", cert);
- } else {
- return "There is no valid PEM certificate.";
- }
-}
-
 static EVP_PKEY * ATTR_NULL(2)
 ssl_proxy_load_key(const char *key, const char *password)
 {
@@ -1277,7 +1253,7 @@ ssl_server_context_init(const struct login_settings *login_set,
 if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {
 i_fatal("Can't load ssl_cert: %s",
- ssl_proxy_get_use_certificate_error(ctx->cert));
+ openssl_iostream_use_certificate_error(ctx->cert, "ssl_cert"));
 }
 #ifdef HAVE_SSL_GET_SERVERNAME
@@ -1317,7 +1293,8 @@ ssl_proxy_client_ctx_set_client_cert(SSL_CTX *ctx,
 if (ssl_proxy_ctx_use_certificate_chain(ctx, set->ssl_client_cert) != 1) {
 i_fatal("Can't load ssl_client_cert: %s",
- ssl_proxy_get_use_certificate_error(set->ssl_client_cert));
+ openssl_iostream_use_certificate_error(
+ set->ssl_client_cert, "ssl_client_cert"));
 }
 pkey = ssl_proxy_load_key(set->ssl_client_key, NULL);