Google Git
Sign in
apache / kudu / 63d40ab6e44630f52eb52be96edba05e95fb2f0c / . / thirdparty / patches / curl-handle-openssl-errors.patch
blob: 73626dc71a27ee267430026cee4514fb15058ffe [file] [log] [blame]
--- a/lib/vtls/openssl.c 2023-05-03 19:15:43.000000000 -0700
+++ b/lib/vtls/openssl.c 2023-05-04 20:58:10.000000000 -0700
@@ -405,6 +405,18 @@
return buf;
}
+static void ossl_error_details(struct Curl_easy *data, const char *err_msg) {
+ char err_buf[256];
+ while(true) {
+ unsigned long ssl_err = ERR_get_error();
+ if(!ssl_err) {
+ break;
+ }
+ ossl_strerror(ssl_err, err_buf, sizeof(err_buf));
+ failf(data, "%s: %s", err_msg, err_buf);
+ }
+}
+
/* Return an extra data index for the connection data.
* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
*/
@@ -796,14 +808,17 @@
}
if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
- failf(data, "unable to use private key from PKCS12 file '%s'",
- cert_file);
+ failf(data, "unable to use private key from PKCS12 file '%s': %s",
+ cert_file, ossl_strerror(ERR_get_error(), error_buffer,
+ sizeof(error_buffer)));
goto fail;
}
- if(!SSL_CTX_check_private_key (ctx)) {
+ if(SSL_CTX_check_private_key(ctx) != 1) {
failf(data, "private key from PKCS12 file '%s' "
- "does not match certificate in same file", cert_file);
+ "does not match certificate in same file: %s", cert_file,
+ ossl_strerror(ERR_get_error(), error_buffer,
+ sizeof(error_buffer)));
goto fail;
}
/* Set Certificate Verification chain */
@@ -860,8 +875,10 @@
/* FALLTHROUGH */
case SSL_FILETYPE_ASN1:
if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
- failf(data, "unable to set private key file: '%s' type %s",
- key_file, key_type?key_type:"PEM");
+ failf(data, "unable to set private key file: '%s' type %s: %s",
+ key_file, key_type ? key_type : "PEM",
+ ossl_strerror(ERR_get_error(), error_buffer,
+ sizeof(error_buffer)));
return 0;
}
break;
@@ -903,7 +920,9 @@
return 0;
}
if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
- failf(data, "unable to set private key");
+ failf(data, "unable to set private key: %s",
+ ossl_strerror(ERR_get_error(), error_buffer,
+ sizeof(error_buffer)));
EVP_PKEY_free(priv_key);
return 0;
}
@@ -975,7 +994,9 @@
/* Now we know that a key and cert have been set against
* the SSL context */
if(!SSL_CTX_check_private_key(ctx)) {
- failf(data, "Private key does not match the certificate public key");
+ failf(data, "private key does not match the certificate public key: %s",
+ ossl_strerror(ERR_get_error(), error_buffer,
+ sizeof(error_buffer)));
return 0;
}
}
@@ -2724,18 +2745,21 @@
/* tell SSL where to find CA certificates that are used to verify
the servers certificate. */
if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
+
+ static const char * const err_msg =
+ "error setting certificate verify locations";
if(verifypeer) {
/* Fail if we insist on successfully verifying the server. */
- failf(data, "error setting certificate verify locations:\n"
- " CAfile: %s\n CApath: %s",
+ failf(data, "%s:\n CAfile: %s\n CApath: %s",
+ err_msg,
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
+ ossl_error_details(data, err_msg);
return CURLE_SSL_CACERT_BADFILE;
}
/* Just continue with a warning if no strict certificate verification
is required. */
- infof(data, "error setting certificate verify locations,"
- " continuing anyway:\n");
+ infof(data, "%s, continuing anyway:\n", err_msg);
}
else {
/* Everything is fine. */
@@ -2762,7 +2786,9 @@
X509_LOOKUP_file());
if(!lookup ||
(!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) {
- failf(data, "error loading CRL file: %s", ssl_crlfile);
+ static const char * const err_msg = "error loading CRL file";
+ failf(data, "%s: %s", err_msg, ssl_crlfile);
+ ossl_error_details(data, err_msg);
return CURLE_SSL_CRL_BADFILE;
}
/* Everything is fine. */
@@ -2994,6 +3020,8 @@
result = CURLE_SSL_CONNECT_ERROR;
ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
}
+ // Clear the rest of the errors as well.
+ ERR_clear_error();
/* detail is already set to the SSL error above */