From: Timo Sirainen
Date: Mon, 20 Apr 2020 16:27:00 +0000 (+0300)
Subject: lib-ssl-iostream: Include setting name in all key parsing errors
X-Git-Tag: 2.3.11.2~191
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=934a5e7cdb3105a07e2b1dec5916f4abfb3ee2a1;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Include setting name in all key parsing errors
---

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 225c584cf7..0ab595b3d7 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -74,6 +74,7 @@ pem_password_callback(char *buf, int size, int rwflag ATTR_UNUSED,
 }
 
 int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
+ const char *set_name,
 EVP_PKEY **pkey_r, const char **error_r)
 {
 struct ssl_iostream_password_context ctx;
@@ -95,8 +96,9 @@ int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
 
 pkey = PEM_read_bio_PrivateKey(bio, NULL, pem_password_callback, &ctx);
 if (pkey == NULL && ctx.error == NULL) {
- ctx.error = t_strdup_printf("Couldn't parse private SSL key: %s",
- openssl_iostream_error());
+ ctx.error = t_strdup_printf(
+ "Couldn't parse private SSL key (%s setting): %s",
+ set_name, openssl_iostream_error());
 }
 BIO_free(bio);
 
@@ -143,7 +145,7 @@ ssl_iostream_ctx_use_key(struct ssl_iostream_context *ctx, const char *set_name,
 EVP_PKEY *pkey;
 int ret = 0;
 
- if (openssl_iostream_load_key(set, &pkey, error_r) < 0)
+ if (openssl_iostream_load_key(set, set_name, &pkey, error_r) < 0)
 return -1;
 if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) == 0) {
 *error_r = t_strdup_printf(
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index ad605712a0..96fcba848a 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
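Review bot: In the second hunk of iostream-openssl-context.c the setting name is only added to the message that openssl_iostream_load_key builds itself, under `if (pkey == NULL && ctx.error == NULL)`, so any error that pem_password_callback has already stored in `ctx.error` through the shared `&ctx` (that callback's body is outside this hunk) would still be reported without the setting name, which is narrower than the commit title's "all key parsing errors". If the callback does fill `ctx.error`, carrying `set_name` in `struct ssl_iostream_password_context` and formatting it there as well would close that gap. The new `%s` argument also assumes `set_name` is never NULL; the callers in this commit pass string literals or forward a parameter, so it holds as long as ssl_iostream_ctx_use_key's own callers never pass NULL, which is not visible here. The third hunk's function, ssl_iostream_ctx_use_key, starts and ends outside the hunk.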
@@ -91,18 +91,19 @@ openssl_iostream_use_certificate(struct ssl_iostream *ssl_io, const char *cert,
 }
 
 static int
-openssl_iostream_use_key(struct ssl_iostream *ssl_io,
+openssl_iostream_use_key(struct ssl_iostream *ssl_io, const char *set_name,
 const struct ssl_iostream_cert *set, const char **error_r)
 {
 EVP_PKEY *pkey;
 int ret = 0;
 
- if (openssl_iostream_load_key(set, &pkey, error_r) < 0)
+ if (openssl_iostream_load_key(set, set_name, &pkey, error_r) < 0)
 return -1;
 if (SSL_use_PrivateKey(ssl_io->ssl, pkey) != 1) {
- *error_r = t_strdup_printf("Can't load SSL private key: %s",
- openssl_iostream_key_load_error());
+ *error_r = t_strdup_printf(
+ "Can't load SSL private key (%s setting): %s",
+ set_name, openssl_iostream_key_load_error());
 ret = -1;
 }
 EVP_PKEY_free(pkey);
@@ -219,7 +220,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 return -1;
 }
 if (set->cert.key != NULL && strcmp(ctx_set->cert.key, set->cert.key) != 0) {
- if (openssl_iostream_use_key(ssl_io, &set->cert, error_r) < 0)
+ if (openssl_iostream_use_key(ssl_io, "ssl_key", &set->cert, error_r) < 0)
 return -1;
 }
 if (set->alt_cert.cert != NULL && strcmp(ctx_set->alt_cert.cert, set->alt_cert.cert) != 0) {
@@ -227,7 +228,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 return -1;
 }
 if (set->alt_cert.key != NULL && strcmp(ctx_set->alt_cert.key, set->alt_cert.key) != 0) {
- if (openssl_iostream_use_key(ssl_io, &set->alt_cert, error_r) < 0)
+ if (openssl_iostream_use_key(ssl_io, "ssl_alt_key", &set->alt_cert, error_r) < 0)
 return -1;
 }
 if (set->verify_remote_cert) {
diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h
index 9814eb801d..11ed286453 100644
--- a/src/lib-ssl-iostream/iostream-openssl.h
+++ b/src/lib-ssl-iostream/iostream-openssl.h
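Review bot: The two rewritten call lines in openssl_iostream_set, `if (openssl_iostream_use_key(ssl_io, "ssl_key", &set->cert, error_r) < 0)` in the -219 hunk and its `"ssl_alt_key"` counterpart in the -227 hunk, run well past the 80-column width that the rest of the commit keeps (the t_strdup_printf call in the first hunk was rewrapped for exactly that reason); wrap them as `if (openssl_iostream_use_key(ssl_io, "ssl_alt_key",` followed by `&set->alt_cert, error_r) < 0)`. The setting names are also bare string literals at these two sites, while ssl_iostream_ctx_use_key in iostream-openssl-context.c receives `set_name` from its caller; if those names are already defined once for that path, reusing them here keeps the two error messages from drifting apart. openssl_iostream_set starts and ends outside these hunks.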
@@ -87,6 +87,7 @@ void openssl_iostream_context_unref(struct ssl_iostream_context *ctx);
 void openssl_iostream_global_deinit(void);
 
 int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
+ const char *set_name,
 EVP_PKEY **pkey_r, const char **error_r);
 bool openssl_cert_match_name(SSL *ssl, const char *verify_name, const char **reason_r);
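Review bot: The declaration of openssl_iostream_load_key gains `set_name` without a comment saying what it is or how it is used, and the header carries no comment for this function at all. Since the value only ends up in error text, a short comment above the prototype, e.g. `/* set_name: name of the setting the key was read from; used only in error messages. */`, would tell callers what to pass and that it must not be NULL. The declaration is complete within the hunk.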