openbsd/src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2026-06-17 23:03:29 +02:00
Code Activity

relayd: drain OpenSSL error queue on TLS failures

Browse Source 
Borrowed from smtpd. Without draining we just log "RSA_meth_dup failed"
and lose the actual reason.

Wire ssl_error() into ca_engine_init(), which also kills a dead
RSA_meth_free() on a NULL pointer there, and into ssl_load_key()s fail
path.

Tweaks and OK tb
This commit is contained in:
rsadowski
2026-06-14 08:57:43 +00:00
parent 67a094f58b
commit 459bfe6c89
3 changed files with 22 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
usr.sbin/relayd/ca.c
+4 -2
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: ca.c,v 1.53 2026/06/14 08:55:54 rsadowski Exp $ */
/* $OpenBSD: ca.c,v 1.54 2026/06/14 08:57:43 rsadowski Exp $ */
/*
* Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
@@ -476,6 +476,8 @@ ca_engine_init(struct relayd *x_env)
goto fail;
}
ERR_clear_error();
RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc);
RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec);
@@ -489,6 +491,6 @@ ca_engine_init(struct relayd *x_env)
return;
fail:
RSA_meth_free(rsae_method);
ssl_error(errstr);
fatalx("%s: %s", __func__, errstr);
}
usr.sbin/relayd/relayd.h
+2 -1
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: relayd.h,v 1.285 2026/06/14 08:54:21 rsadowski Exp $ */
/* $OpenBSD: relayd.h,v 1.286 2026/06/14 08:57:43 rsadowski Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -1286,6 +1286,7 @@ void script_done(struct relayd *, struct ctl_script *);
int script_exec(struct relayd *, struct ctl_script *);
/* ssl.c */
void ssl_error(const char *);
char *ssl_load_key(struct relayd *, const char *, off_t *, char *);
uint8_t *ssl_update_certificate(const uint8_t *, size_t, EVP_PKEY *,
EVP_PKEY *, X509 *, size_t *);
usr.sbin/relayd/ssl.c
+16 -1
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: ssl.c,v 1.40 2026/05/21 14:56:34 tb Exp $ */
/* $OpenBSD: ssl.c,v 1.41 2026/06/14 08:57:43 rsadowski Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -63,6 +63,8 @@ ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass)
if ((fp = fopen(name, "r")) == NULL)
return (NULL);
ERR_clear_error();
key = PEM_read_PrivateKey(fp, NULL, ssl_password_cb, pass);
fclose(fp);
if (key == NULL)
@@ -88,6 +90,7 @@ ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass)
return (buf);
fail:
ssl_error("ssl_load_key");
free(buf);
if (bio != NULL)
BIO_free_all(bio);
@@ -237,3 +240,15 @@ ssl_load_pkey(char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
return (0);
}
void
ssl_error(const char *where)
{
unsigned long code;
char errbuf[128];
for (; (code = ERR_get_error()) != 0 ;) {
ERR_error_string_n(code, errbuf, sizeof(errbuf));
log_warnx("SSL library error: %s: %s", where, errbuf);
}
}