issuer = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
if (!issuer) {
memprintf(err, "%s'%s' cannot be read or parsed'.\n",
- *err ? *err : "", path);
+ err && *err ? *err : "", path);
goto end;
}
ret = 0;
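Review bot: The rewritten argument `err && *err ? *err : ""` on the `+` line above is correct only because `&&` binds tighter than `?:`; that is easy to misread now that the explicit `if (err)` guards are being removed elsewhere in this change, so I would parenthesize it as `(err && *err) ? *err : ""` here and at the matching sites (the `.sctl`, issuer, "No issuer found", and `.ocsp` messages below, and the bind_conf messages after them). Dropping the `if (err)` guards is behaviour-preserving only if memprintf() itself returns early on a NULL destination pointer; that contract is not visible in these hunks, so it is worth one sentence in the commit message or a comment near the first site, e.g. `/* memprintf() tolerates err == NULL; only the "%s" prefix needs the guard */`. The enclosing function starts before the first line of this hunk and continues after it.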
if (stat(fp, &st) == 0) {
if (ssl_sock_load_sctl_from_file(fp, NULL, ckch, err)) {
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
- *err ? *err : "", fp);
+ err && *err ? *err : "", fp);
ret = 1;
goto end;
}
if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) {
memprintf(err, "%s '%s' is not an issuer'.\n",
- *err ? *err : "", fp);
+ err && *err ? *err : "", fp);
ret = 1;
goto end;
}
} else {
memprintf(err, "%sNo issuer found, cannot use the OCSP response'.\n",
- *err ? *err : "");
+ err && *err ? *err : "");
ret = 1;
goto end;
}
if (sctl_ex_index >= 0 && ckch->sctl) {
if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
- *err ? *err : "", path);
+ err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
}
/* Load OCSP Info into context */
if (ckch->ocsp_response) {
if (ssl_sock_load_ocsp(ctx, ckch) < 0) {
- if (err)
- memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
- *err ? *err : "", path);
+ memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
+ err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
}
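Review bot: The added `.ocsp` message line carries an unbalanced quote before the period (`... could not be found)'.\n`), which looks like a typo rather than intent; since the line is being rewritten anyway, I would drop it: `memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found).\n",`. The same stray `'.` ending appears in the unchanged context messages for the issuer, `.sctl` and "No issuer found" cases, which could be tidied in a follow-up. The enclosing function continues outside this hunk.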
conf_ssl_methods->min = min;
conf_ssl_methods->max = max;
if (!min) {
- if (err)
- memprintf(err, "%sProxy '%s': all SSL/TLS versions are disabled for bind '%s' at [%s:%d].\n",
- *err ? *err : "", bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': all SSL/TLS versions are disabled for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
}
if (ca_file) {
/* load CAfile to verify */
if (!SSL_CTX_load_verify_locations(ctx, ca_file, NULL)) {
- if (err)
- memprintf(err, "%sProxy '%s': unable to load CA file '%s' for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': unable to load CA file '%s' for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
}
}
else {
- if (err)
- memprintf(err, "%sProxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
if (!store || !X509_STORE_load_locations(store, crl_file, NULL)) {
- if (err)
- memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, crl_file, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, crl_file, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
else {
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
if(bind_conf->keys_ref) {
if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
- if (err)
- memprintf(err, "%sProxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
}
conf_ciphers = (ssl_conf && ssl_conf->ciphers) ? ssl_conf->ciphers : bind_conf->ssl_conf.ciphers;
if (conf_ciphers &&
!SSL_CTX_set_cipher_list(ctx, conf_ciphers)) {
- if (err)
- memprintf(err, "%sProxy '%s': unable to set SSL cipher list to '%s' for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, conf_ciphers, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': unable to set SSL cipher list to '%s' for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, conf_ciphers, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
if (conf_ciphersuites &&
!SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
- if (err)
- memprintf(err, "%sProxy '%s': unable to set TLS 1.3 cipher suites to '%s' for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': unable to set TLS 1.3 cipher suites to '%s' for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
#endif
}
if (dhe_found) {
- if (err)
- memprintf(err, "%sSetting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n", *err ? *err : "");
+ memprintf(err, "%sSetting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n",
+ err && *err ? *err : "");
cfgerr |= ERR_WARN;
}
conf_curves = (ssl_conf && ssl_conf->curves) ? ssl_conf->curves : bind_conf->ssl_conf.curves;
if (conf_curves) {
if (!SSL_CTX_set1_curves_list(ctx, conf_curves)) {
- if (err)
- memprintf(err, "%sProxy '%s': unable to set SSL curves list to '%s' for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': unable to set SSL curves list to '%s' for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
#if defined(SSL_CTX_set_ecdh_auto)
i = OBJ_sn2nid(ecdhe);
if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) {
- if (err)
- memprintf(err, "%sProxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
- *err ? *err : "", curproxy->id, ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line);
+ memprintf(err, "%sProxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
+ err && *err ? *err : "", curproxy->id, ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
else {
static int ssl_bind_parse_ca_file(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
+ memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
static int bind_parse_ca_sign_file(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
+ memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
static int bind_parse_ca_sign_pass(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing CAkey password", args[cur_arg]);
+ memprintf(err, "'%s' : missing CAkey password", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
memprintf(&conf->ca_sign_pass, "%s", args[cur_arg + 1]);
static int ssl_bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
#ifndef X509_V_FLAG_CRL_CHECK
- if (err)
- memprintf(err, "'%s' : library does not support CRL verify", args[cur_arg]);
+ memprintf(err, "'%s' : library does not support CRL verify", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing CRLfile path", args[cur_arg]);
+ memprintf(err, "'%s' : missing CRLfile path", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
{
#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing curve suite", args[cur_arg]);
+ memprintf(err, "'%s' : missing curve suite", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
conf->curves = strdup(args[cur_arg + 1]);
return 0;
#else
- if (err)
- memprintf(err, "'%s' : library does not support curve suite", args[cur_arg]);
+ memprintf(err, "'%s' : library does not support curve suite", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
static int ssl_bind_parse_ecdhe(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
#if HA_OPENSSL_VERSION_NUMBER < 0x0090800fL
- if (err)
- memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (too old)", args[cur_arg]);
+ memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (too old)", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#elif defined(OPENSSL_NO_ECDH)
- if (err)
- memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (disabled via OPENSSL_NO_ECDH)", args[cur_arg]);
+ memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (disabled via OPENSSL_NO_ECDH)", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing named curve", args[cur_arg]);
+ memprintf(err, "'%s' : missing named curve", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
unsigned long long *ignerr = &conf->crt_ignerr;
if (!*p) {
- if (err)
- memprintf(err, "'%s' : missing error IDs list", args[cur_arg]);
+ memprintf(err, "'%s' : missing error IDs list", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
while (p) {
code = atoi(p);
if ((code <= 0) || (code > 63)) {
- if (err)
- memprintf(err, "'%s' : ID '%d' out of range (1..63) in error IDs list '%s'",
- args[cur_arg], code, args[cur_arg + 1]);
+ memprintf(err, "'%s' : ID '%d' out of range (1..63) in error IDs list '%s'",
+ args[cur_arg], code, args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
*ignerr |= 1ULL << code;
goto fail;
return 0;
fail:
- if (err)
- memprintf(err, "'%s' : option not implemented", arg);
+ memprintf(err, "'%s' : option not implemented", arg);
return ERR_ALERT | ERR_FATAL;
}
uint16_t i, v = 0;
char *argv = args[cur_arg + 1];
if (!*argv) {
- if (err)
- memprintf(err, "'%s' : missing the ssl/tls version", args[cur_arg]);
+ memprintf(err, "'%s' : missing the ssl/tls version", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (!strcmp(argv, methodVersions[i].name))
v = i;
if (!v) {
- if (err)
- memprintf(err, "'%s' : unknown ssl/tls version", args[cur_arg + 1]);
+ memprintf(err, "'%s' : unknown ssl/tls version", args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
if (!strcmp("ssl-min-ver", args[cur_arg]))
else if (!strcmp("ssl-max-ver", args[cur_arg]))
methods->max = v;
else {
- if (err)
- memprintf(err, "'%s' : option not implemented", args[cur_arg]);
+ memprintf(err, "'%s' : option not implemented", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
return 0;
}
return 0;
#else
- if (err)
- memprintf(err, "'%s' : library does not support TLS NPN extension", args[cur_arg]);
+ memprintf(err, "'%s' : library does not support TLS NPN extension", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
}
return 0;
#else
- if (err)
- memprintf(err, "'%s' : library does not support TLS ALPN extension", args[cur_arg]);
+ memprintf(err, "'%s' : library does not support TLS ALPN extension", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
struct tls_keys_ref *keys_ref = NULL;
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing TLS ticket keys file path", args[cur_arg]);
+ memprintf(err, "'%s' : missing TLS ticket keys file path", args[cur_arg]);
goto fail;
}
keys_ref = calloc(1, sizeof(*keys_ref));
if (!keys_ref) {
- if (err)
- memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
+ memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
goto fail;
}
keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(union tls_sess_key));
if (!keys_ref->tlskeys) {
- if (err)
- memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
+ memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
goto fail;
}
if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
- if (err)
- memprintf(err, "'%s' : unable to load ssl tickets keys file", args[cur_arg+1]);
+ memprintf(err, "'%s' : unable to load ssl tickets keys file", args[cur_arg+1]);
goto fail;
}
keys_ref->filename = strdup(args[cur_arg + 1]);
if (!keys_ref->filename) {
- if (err)
- memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
+ memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
goto fail;
}
dec_size = base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(union tls_sess_key));
if (dec_size < 0) {
- if (err)
- memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
+ memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
goto fail;
}
else if (!keys_ref->key_size_bits && (dec_size == sizeof(struct tls_sess_key_128))) {
else if (((dec_size != sizeof(struct tls_sess_key_128)) && (dec_size != sizeof(struct tls_sess_key_256)))
|| ((dec_size == sizeof(struct tls_sess_key_128) && (keys_ref->key_size_bits != 128)))
|| ((dec_size == sizeof(struct tls_sess_key_256) && (keys_ref->key_size_bits != 256)))) {
- if (err)
- memprintf(err, "'%s' : wrong sized key on line %d", args[cur_arg+1], i + 1);
+ memprintf(err, "'%s' : wrong sized key on line %d", args[cur_arg+1], i + 1);
goto fail;
}
i++;
}
if (i < TLS_TICKETS_NO) {
- if (err)
- memprintf(err, "'%s' : please supply at least %d keys in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
+ memprintf(err, "'%s' : please supply at least %d keys in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
goto fail;
}
return ERR_ALERT | ERR_FATAL;
#else
- if (err)
- memprintf(err, "'%s' : TLS ticket callback extension not supported", args[cur_arg]);
+ memprintf(err, "'%s' : TLS ticket callback extension not supported", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
}
static int ssl_bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing verify method", args[cur_arg]);
+ memprintf(err, "'%s' : missing verify method", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
else if (strcmp(args[cur_arg + 1], "required") == 0)
conf->verify = SSL_SOCK_VERIFY_REQUIRED;
else {
- if (err)
- memprintf(err, "'%s' : unknown verify method '%s', only 'none', 'optional', and 'required' are supported\n",
- args[cur_arg], args[cur_arg + 1]);
+ memprintf(err, "'%s' : unknown verify method '%s', only 'none', 'optional', and 'required' are supported\n",
+ args[cur_arg], args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
}
return 0;
#else
- if (err)
- memprintf(err, "'%s' : library does not support TLS NPN extension", args[*cur_arg]);
+ memprintf(err, "'%s' : library does not support TLS NPN extension", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
}
return 0;
#else
- if (err)
- memprintf(err, "'%s' : library does not support TLS ALPN extension", args[*cur_arg]);
+ memprintf(err, "'%s' : library does not support TLS ALPN extension", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing CAfile path", args[*cur_arg]);
+ memprintf(err, "'%s' : missing CAfile path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
+ memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
#ifndef X509_V_FLAG_CRL_CHECK
- if (err)
- memprintf(err, "'%s' : library does not support CRL verify", args[*cur_arg]);
+ memprintf(err, "'%s' : library does not support CRL verify", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
if (!*args[*cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing CRLfile path", args[*cur_arg]);
+ memprintf(err, "'%s' : missing CRLfile path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);
+ memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing verify method", args[*cur_arg]);
+ memprintf(err, "'%s' : missing verify method", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
else if (strcmp(args[*cur_arg + 1], "required") == 0)
newsrv->ssl_ctx.verify = SSL_SOCK_VERIFY_REQUIRED;
else {
- if (err)
- memprintf(err, "'%s' : unknown verify method '%s', only 'none' and 'required' are supported\n",
- args[*cur_arg], args[*cur_arg + 1]);
+ memprintf(err, "'%s' : unknown verify method '%s', only 'none' and 'required' are supported\n",
+ args[*cur_arg], args[*cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
- if (err)
- memprintf(err, "'%s' : missing hostname to verify against", args[*cur_arg]);
+ memprintf(err, "'%s' : missing hostname to verify against", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}