dovecot-2.2: login, lib-ssl-iostream: Deduplicate code with shar...

dovecot at dovecot.org dovecot at dovecot.org
Thu Dec 3 10:03:27 UTC 2015


details:   http://hg.dovecot.org/dovecot-2.2/rev/dbbfa124b27d
changeset: 19447:dbbfa124b27d
user:      Timo Sirainen <tss at iki.fi>
date:      Thu Dec 03 12:02:56 2015 +0200
description:
login, lib-ssl-iostream: Deduplicate code with shared openssl_iostream_use_certificate_error()

diffstat:

 src/lib-ssl-iostream/iostream-openssl-context.c |  10 ++++++--
 src/lib-ssl-iostream/iostream-openssl.c         |   2 +-
 src/lib-ssl-iostream/iostream-openssl.h         |   3 +-
 src/login-common/ssl-proxy-openssl.c            |  29 ++----------------------
 4 files changed, 13 insertions(+), 31 deletions(-)

diffs (127 lines):

diff -r 77990d0b1a42 -r dbbfa124b27d src/lib-ssl-iostream/iostream-openssl-context.c
--- a/src/lib-ssl-iostream/iostream-openssl-context.c	Thu Dec 03 11:58:11 2015 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c	Thu Dec 03 12:02:56 2015 +0200
@@ -174,7 +174,8 @@
 	return strstr(cert, "PRIVATE KEY---") != NULL;
 }
 
-const char *ssl_iostream_get_use_certificate_error(const char *cert)
+const char *
+openssl_iostream_use_certificate_error(const char *cert, const char *set_name)
 {
 	unsigned long err;
 
@@ -185,8 +186,11 @@
 	else if (is_pem_key(cert)) {
 		return "The file contains a private key "
 			"(you've mixed ssl_cert and ssl_key settings)";
+	} else if (set_name != NULL && strchr(cert, '\n') == NULL) {
+		return t_strdup_printf("There is no valid PEM certificate. "
+			"(You probably forgot '<' from %s=<%s)", set_name, cert);
 	} else {
-		return "There is no certificate.";
+		return "There is no valid PEM certificate.";
 	}
 }
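Review bot: The new "forgot '<'" hint on the `else if (set_name != NULL && strchr(cert, '\n') == NULL)` branch also fires for an empty certificate value, where the message would read `ssl_cert=<` with nothing after it and point the admin in the wrong direction; guarding on a non-empty value keeps the hint for the case it is meant for, `} else if (set_name != NULL && *cert != '\0' && strchr(cert, '\n') == NULL) {`. Whether callers can reach this function with an empty string is not visible here, so this is worth confirming against the settings parsing. The function begins in the previous hunk, and the ERR_peek_error() test that gates this whole branch sits between the two hunks.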
 
@@ -398,7 +402,7 @@
 	if (set->cert != NULL &&
 	    ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert) == 0) {
 		*error_r = t_strdup_printf("Can't load SSL certificate: %s",
-			ssl_iostream_get_use_certificate_error(set->cert));
+			openssl_iostream_use_certificate_error(set->cert, NULL));
 		return -1;
 	}
 	if (set->key != NULL) {
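Review bot: The two lib-ssl-iostream call sites pass `NULL` as set_name, so the library path loses the "forgot '<'" hint that the login code now gets, while the login and library code otherwise share the same loader; in the hunk in src/lib-ssl-iostream/iostream-openssl.c the surrounding message already hard-codes the setting name ("Can't load ssl_cert: %s"), so `openssl_iostream_use_certificate_error(cert, "ssl_cert")` there would be consistent with the message it is embedded in. Here the message says "SSL certificate" rather than a setting name, so passing NULL may be deliberate if this context loads certificates from settings with other names; a short comment at the call, `/* set_name NULL: setting name not known in this context */`, would make that intent clear either way.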
diff -r 77990d0b1a42 -r dbbfa124b27d src/lib-ssl-iostream/iostream-openssl.c
--- a/src/lib-ssl-iostream/iostream-openssl.c	Thu Dec 03 11:58:11 2015 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl.c	Thu Dec 03 12:02:56 2015 +0200
@@ -71,7 +71,7 @@
 
 	if (ret == 0) {
 		*error_r = t_strdup_printf("Can't load ssl_cert: %s",
-			ssl_iostream_get_use_certificate_error(cert));
+			openssl_iostream_use_certificate_error(cert, NULL));
 		return -1;
 	}
 	return 0;
diff -r 77990d0b1a42 -r dbbfa124b27d src/lib-ssl-iostream/iostream-openssl.h
--- a/src/lib-ssl-iostream/iostream-openssl.h	Thu Dec 03 11:58:11 2015 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl.h	Thu Dec 03 12:02:56 2015 +0200
@@ -68,7 +68,6 @@
 
 int openssl_iostream_load_key(const struct ssl_iostream_settings *set,
 			      EVP_PKEY **pkey_r, const char **error_r);
-const char *ssl_iostream_get_use_certificate_error(const char *cert);
 int openssl_cert_match_name(SSL *ssl, const char *verify_name);
 int openssl_get_protocol_options(const char *protocols);
 #define OPENSSL_ALL_PROTOCOL_OPTIONS \
@@ -92,6 +91,8 @@
 
 const char *openssl_iostream_error(void);
 const char *openssl_iostream_key_load_error(void);
+const char *
+openssl_iostream_use_certificate_error(const char *cert, const char *set_name);
 
 int openssl_iostream_generate_params(buffer_t *output, unsigned int dh_length,
 				     const char **error_r);
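Review bot: The new public declaration of openssl_iostream_use_certificate_error() carries no comment, and the meaning of set_name is only recoverable by reading the implementation. A comment above the prototype should state that the function must be called right after a failed certificate load while the OpenSSL error queue is still intact (it inspects ERR_peek_error()), that the returned string is either a static literal or t_strdup_printf() memory valid for the current data stack frame, and that set_name is the settings key used to build a "forgot '<'" hint for single-line values, with NULL suppressing that hint and yielding the generic "There is no valid PEM certificate." text.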
diff -r 77990d0b1a42 -r dbbfa124b27d src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Thu Dec 03 11:58:11 2015 +0200
+++ b/src/login-common/ssl-proxy-openssl.c	Thu Dec 03 12:02:56 2015 +0200
@@ -935,11 +935,6 @@
 	return ssl_proxy_count;
 }
 
-static bool is_pem_key(const char *cert)
-{
-	return strstr(cert, "PRIVATE KEY---") != NULL;
-}
-
 static void load_ca(X509_STORE *store, const char *ca,
 		    STACK_OF(X509_NAME) **xnames_r)
 {
@@ -1080,25 +1075,6 @@
 	SSL_CTX_set_client_CA_list(ssl_ctx, ca_names);
 }
 
-static const char *ssl_proxy_get_use_certificate_error(const char *cert)
-{
-	unsigned long err;
-
-	err = ERR_peek_error();
-	if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
-	    ERR_GET_REASON(err) != PEM_R_NO_START_LINE)
-		return openssl_iostream_error();
-	else if (is_pem_key(cert)) {
-		return "The file contains a private key "
-			"(you've mixed ssl_cert and ssl_key settings)";
-	} else if (strchr(cert, '\n') == NULL) {
-		return t_strdup_printf("There is no valid PEM certificate. "
-			"(You probably forgot '<' from ssl_cert=<%s)", cert);
-	} else {
-		return "There is no valid PEM certificate.";
-	}
-}
-
 static EVP_PKEY * ATTR_NULL(2)
 ssl_proxy_load_key(const char *key, const char *password)
 {
@@ -1277,7 +1253,7 @@
 
 	if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {
 		i_fatal("Can't load ssl_cert: %s",
-			ssl_proxy_get_use_certificate_error(ctx->cert));
+			openssl_iostream_use_certificate_error(ctx->cert, "ssl_cert"));
 	}
 
 #ifdef HAVE_SSL_GET_SERVERNAME
@@ -1317,7 +1293,8 @@
 
 	if (ssl_proxy_ctx_use_certificate_chain(ctx, set->ssl_client_cert) != 1) {
 		i_fatal("Can't load ssl_client_cert: %s",
-			ssl_proxy_get_use_certificate_error(set->ssl_client_cert));
+			openssl_iostream_use_certificate_error(
+				set->ssl_client_cert, "ssl_client_cert"));
 	}
 
 	pkey = ssl_proxy_load_key(set->ssl_client_key, NULL);

