From 6f3b48e4eb7538ba2974730b1c09d752278ec93a Mon Sep 17 00:00:00 2001 From: Přemysl Janouch Date: Wed, 15 Jul 2015 23:34:36 +0200 Subject: SSL -> TLS; fix error handling --- degesch.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) (limited to 'degesch.c') diff --git a/degesch.c b/degesch.c index 615ebb7..5a5110f 100644 --- a/degesch.c +++ b/degesch.c @@ -1067,7 +1067,7 @@ enum transport_io_result TRANSPORT_IO_ERROR ///< Connection error }; -// The only real purpose of this is to abstract away TLS/SSL +// The only real purpose of this is to abstract away TLS struct transport { /// Initialize the transport @@ -1530,11 +1530,11 @@ static struct config_schema g_config_server[] = .validate = config_validate_nonjunk_string }, { .name = "ssl", - .comment = "Whether to use SSL/TLS", + .comment = "Whether to use TLS", .type = CONFIG_ITEM_BOOLEAN, .default_ = "off" }, { .name = "ssl_cert", - .comment = "Client SSL certificate (PEM)", + .comment = "Client TLS certificate (PEM)", .type = CONFIG_ITEM_STRING }, { .name = "ssl_verify", .comment = "Whether to verify certificates", @@ -3866,12 +3866,12 @@ static struct transport g_transport_plain = .get_poll_events = transport_plain_get_poll_events, }; -// --- SSL/TLS transport ------------------------------------------------------- +// --- TLS transport ----------------------------------------------------------- struct transport_tls_data { SSL_CTX *ssl_ctx; ///< SSL context - SSL *ssl; ///< SSL/TLS connection + SSL *ssl; ///< SSL connection bool ssl_rx_want_tx; ///< SSL_read() wants to write bool ssl_tx_want_rx; ///< SSL_write() wants to read }; @@ -3931,6 +3931,8 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e) const char *ca_file = get_config_string (s->config, "ssl_ca_file"); const char *ca_path = get_config_string (s->config, "ssl_ca_path"); + ERR_clear_error (); + struct error *error = NULL; if (ca_file || ca_path) { @@ -3972,6 +3974,8 @@ transport_tls_init_cert (struct server *s, SSL *ssl, struct error **e) if (!ssl_cert) return true; + ERR_clear_error (); + bool result = false; char *path = resolve_filename (ssl_cert, resolve_relative_config_filename); if (!path) @@ -3990,18 +3994,19 @@ transport_tls_init_cert (struct server *s, SSL *ssl, struct error **e) static bool transport_tls_init (struct server *s, struct error **e) { - const char *error_info = NULL; + ERR_clear_error (); + + struct error *error = NULL; SSL_CTX *ssl_ctx = SSL_CTX_new (SSLv23_client_method ()); if (!ssl_ctx) goto error_ssl_1; - if (!transport_tls_init_ctx (s, ssl_ctx, e)) + if (!transport_tls_init_ctx (s, ssl_ctx, &error)) goto error_ssl_2; SSL *ssl = SSL_new (ssl_ctx); if (!ssl) goto error_ssl_2; - struct error *error = NULL; if (!transport_tls_init_cert (s, ssl, &error)) { // XXX: is this a reason to abort the connection? @@ -4028,9 +4033,11 @@ error_ssl_3: error_ssl_2: SSL_CTX_free (ssl_ctx); error_ssl_1: - if (!error_info) - error_info = ERR_reason_error_string (ERR_get_error ()); - error_set (e, "%s: %s", "could not initialize SSL/TLS", error_info); + if (!error) + error_set (&error, "%s: %s", "Could not initialize TLS", + ERR_reason_error_string (ERR_get_error ())); + + error_propagate (e, error); return false; } -- cgit v1.2.3-54-g00ecf