This commit removes the explicit `if (err)` checks before
passing `err` to `memprintf`. `memprintf` itself already checks
whether the `**out` parameter is `NULL` before doing anything.
This reduces the indentation depth and makes the code more readable,
because there is less boilerplate code.

Instead move the check into the ternary conditional when the error
message should be appended to a previous message. This is consistent
with the rest of ssl_sock.c and with the rest of HAProxy.

Thus this patch is the arguably cleaner fix for issue #374 and builds
upon
5f1fa7db86c53827c97f8a8c3f5fa75bfcb5be9a and
8b453912ce9a4e1a3b1329efb2af04d1e470852e

Additionally it fixes a few places where the check *still* was missing.
---
 src/ssl_sock.c | 187 ++++++++++++++++++-------------------------------
 1 file changed, 69 insertions(+), 118 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bcfa3e712..94e814132 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3084,7 +3084,7 @@ static int ssl_sock_load_issuer_file_into_ckch(const char 
*path, char *buf, stru
        issuer = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
        if (!issuer) {
                memprintf(err, "%s'%s' cannot be read or parsed'.\n",
-                         *err ? *err : "", path);
+                         err && *err ? *err : "", path);
                goto end;
        }
        ret = 0;
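Review bot: The format string just above the changed line, `"%s'%s' cannot be read or parsed'.\n"`, has a stray `'` before the period, so the startup log shows an unbalanced quote after the path. Since the call is being touched anyway, it could become `"%s'%s' cannot be read or parsed.\n"`. The same stray quote is in the `.sctl`, `is not an issuer`, `No issuer found` and `.ocsp` messages in the following hunks. The enclosing function starts and ends outside this hunk.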
@@ -3275,7 +3275,7 @@ static int ssl_sock_load_files_into_ckch(const char 
*path, struct cert_key_and_c
                if (stat(fp, &st) == 0) {
                        if (ssl_sock_load_sctl_from_file(fp, NULL, ckch, err)) {
                                memprintf(err, "%s '%s.sctl' is present but 
cannot be read or parsed'.\n",
-                                         *err ? *err : "", fp);
+                                         err && *err ? *err : "", fp);
                                ret = 1;
                                goto end;
                        }
@@ -3326,13 +3326,13 @@ static int ssl_sock_load_files_into_ckch(const char 
*path, struct cert_key_and_c
 
                                if (X509_check_issued(ckch->ocsp_issuer, 
ckch->cert) != X509_V_OK) {
                                        memprintf(err, "%s '%s' is not an 
issuer'.\n",
-                                                 *err ? *err : "", fp);
+                                                 err && *err ? *err : "", fp);
                                        ret = 1;
                                        goto end;
                                }
                        } else {
                                memprintf(err, "%sNo issuer found, cannot use 
the OCSP response'.\n",
-                                         *err ? *err : "");
+                                         err && *err ? *err : "");
                                ret = 1;
                                goto end;
                        }
@@ -3420,7 +3420,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, 
const struct cert_key_an
        if (sctl_ex_index >= 0 && ckch->sctl) {
                if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
                        memprintf(err, "%s '%s.sctl' is present but cannot be 
read or parsed'.\n",
-                                 *err ? *err : "", path);
+                                 err && *err ? *err : "", path);
                        errcode |= ERR_ALERT | ERR_FATAL;
                        goto end;
                }
@@ -3431,9 +3431,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, 
const struct cert_key_an
        /* Load OCSP Info into context */
        if (ckch->ocsp_response) {
                if (ssl_sock_load_ocsp(ctx, ckch) < 0) {
-                       if (err)
-                               memprintf(err, "%s '%s.ocsp' is present and 
activates OCSP but it is impossible to compute the OCSP certificate ID (maybe 
the issuer could not be found)'.\n",
-                                         *err ? *err : "", path);
+                       memprintf(err, "%s '%s.ocsp' is present and activates 
OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer 
could not be found)'.\n",
+                                 err && *err ? *err : "", path);
                        errcode |= ERR_ALERT | ERR_FATAL;
                        goto end;
                }
@@ -4851,9 +4850,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
                conf_ssl_methods->min = min;
                conf_ssl_methods->max = max;
                if (!min) {
-                       if (err)
-                               memprintf(err, "%sProxy '%s': all SSL/TLS 
versions are disabled for bind '%s' at [%s:%d].\n",
-                                         *err ? *err : "", 
bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+                       memprintf(err, "%sProxy '%s': all SSL/TLS versions are 
disabled for bind '%s' at [%s:%d].\n",
+                                 err && *err ? *err : "", 
bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
                        cfgerr |= ERR_ALERT | ERR_FATAL;
                }
        }
@@ -4876,9 +4874,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
                if (ca_file) {
                        /* load CAfile to verify */
                        if (!SSL_CTX_load_verify_locations(ctx, ca_file, NULL)) 
{
-                               if (err)
-                                       memprintf(err, "%sProxy '%s': unable to 
load CA file '%s' for bind '%s' at [%s:%d].\n",
-                                                 *err ? *err : "", 
curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
+                               memprintf(err, "%sProxy '%s': unable to load CA 
file '%s' for bind '%s' at [%s:%d].\n",
+                                         err && *err ? *err : "", 
curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
                                cfgerr |= ERR_ALERT | ERR_FATAL;
                        }
                        if (!((ssl_conf && ssl_conf->no_ca_names) || 
bind_conf->ssl_conf.no_ca_names)) {
@@ -4887,9 +4884,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
                        }
                }
                else {
-                       if (err)
-                               memprintf(err, "%sProxy '%s': verify is enabled 
but no CA file specified for bind '%s' at [%s:%d].\n",
-                                         *err ? *err : "", curproxy->id, 
bind_conf->arg, bind_conf->file, bind_conf->line);
+                       memprintf(err, "%sProxy '%s': verify is enabled but no 
CA file specified for bind '%s' at [%s:%d].\n",
+                                 err && *err ? *err : "", curproxy->id, 
bind_conf->arg, bind_conf->file, bind_conf->line);
                        cfgerr |= ERR_ALERT | ERR_FATAL;
                }
 #ifdef X509_V_FLAG_CRL_CHECK
@@ -4897,9 +4893,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
                        X509_STORE *store = SSL_CTX_get_cert_store(ctx);
 
                        if (!store || !X509_STORE_load_locations(store, 
crl_file, NULL)) {
-                               if (err)
-                                       memprintf(err, "%sProxy '%s': unable to 
configure CRL file '%s' for bind '%s' at [%s:%d].\n",
-                                                 *err ? *err : "", 
curproxy->id, crl_file, bind_conf->arg, bind_conf->file, bind_conf->line);
+                               memprintf(err, "%sProxy '%s': unable to 
configure CRL file '%s' for bind '%s' at [%s:%d].\n",
+                                         err && *err ? *err : "", 
curproxy->id, crl_file, bind_conf->arg, bind_conf->file, bind_conf->line);
                                cfgerr |= ERR_ALERT | ERR_FATAL;
                        }
                        else {
@@ -4912,9 +4907,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
        if(bind_conf->keys_ref) {
                if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, 
ssl_tlsext_ticket_key_cb)) {
-                       if (err)
-                               memprintf(err, "%sProxy '%s': unable to set 
callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
-                                         *err ? *err : "", curproxy->id, 
bind_conf->arg, bind_conf->file, bind_conf->line);
+                       memprintf(err, "%sProxy '%s': unable to set callback 
for TLS ticket validation for bind '%s' at [%s:%d].\n",
+                                 err && *err ? *err : "", curproxy->id, 
bind_conf->arg, bind_conf->file, bind_conf->line);
                        cfgerr |= ERR_ALERT | ERR_FATAL;
                }
        }
@@ -4924,9 +4918,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
        conf_ciphers = (ssl_conf && ssl_conf->ciphers) ? ssl_conf->ciphers : 
bind_conf->ssl_conf.ciphers;
        if (conf_ciphers &&
            !SSL_CTX_set_cipher_list(ctx, conf_ciphers)) {
-               if (err)
-                       memprintf(err, "%sProxy '%s': unable to set SSL cipher 
list to '%s' for bind '%s' at [%s:%d].\n",
-                                 *err ? *err : "", curproxy->id, conf_ciphers, 
bind_conf->arg, bind_conf->file, bind_conf->line);
+               memprintf(err, "%sProxy '%s': unable to set SSL cipher list to 
'%s' for bind '%s' at [%s:%d].\n",
+                         err && *err ? *err : "", curproxy->id, conf_ciphers, 
bind_conf->arg, bind_conf->file, bind_conf->line);
                cfgerr |= ERR_ALERT | ERR_FATAL;
        }
 
@@ -4934,9 +4927,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
        conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? 
ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
        if (conf_ciphersuites &&
            !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
-               if (err)
-                       memprintf(err, "%sProxy '%s': unable to set TLS 1.3 
cipher suites to '%s' for bind '%s' at [%s:%d].\n",
-                                 *err ? *err : "", curproxy->id, 
conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
+               memprintf(err, "%sProxy '%s': unable to set TLS 1.3 cipher 
suites to '%s' for bind '%s' at [%s:%d].\n",
+                         err && *err ? *err : "", curproxy->id, 
conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
                cfgerr |= ERR_ALERT | ERR_FATAL;
        }
 #endif
@@ -4983,8 +4975,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
                }
 
                if (dhe_found) {
-                       if (err)
-                               memprintf(err, "%sSetting 
tune.ssl.default-dh-param to 1024 by default, if your workload permits it you 
should set it to at least 2048. Please set a value >= 1024 to make this warning 
disappear.\n", *err ? *err : "");
+                       memprintf(err, "%sSetting tune.ssl.default-dh-param to 
1024 by default, if your workload permits it you should set it to at least 
2048. Please set a value >= 1024 to make this warning disappear.\n",
+                                 err && *err ? *err : "");
                        cfgerr |= ERR_WARN;
                }
 
@@ -5035,9 +5027,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
        conf_curves = (ssl_conf && ssl_conf->curves) ? ssl_conf->curves : 
bind_conf->ssl_conf.curves;
        if (conf_curves) {
                if (!SSL_CTX_set1_curves_list(ctx, conf_curves)) {
-                       if (err)
-                               memprintf(err, "%sProxy '%s': unable to set SSL 
curves list to '%s' for bind '%s' at [%s:%d].\n",
-                                         *err ? *err : "", curproxy->id, 
conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
+                       memprintf(err, "%sProxy '%s': unable to set SSL curves 
list to '%s' for bind '%s' at [%s:%d].\n",
+                                 err && *err ? *err : "", curproxy->id, 
conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
                        cfgerr |= ERR_ALERT | ERR_FATAL;
                }
 #if defined(SSL_CTX_set_ecdh_auto)
@@ -5066,9 +5057,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
struct ssl_bind_conf *ssl_
 
                i = OBJ_sn2nid(ecdhe);
                if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) {
-                       if (err)
-                               memprintf(err, "%sProxy '%s': unable to set 
elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
-                                         *err ? *err : "", curproxy->id, 
ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line);
+                       memprintf(err, "%sProxy '%s': unable to set elliptic 
named curve to '%s' for bind '%s' at [%s:%d].\n",
+                                 err && *err ? *err : "", curproxy->id, ecdhe, 
bind_conf->arg, bind_conf->file, bind_conf->line);
                        cfgerr |= ERR_ALERT | ERR_FATAL;
                }
                else {
@@ -8325,8 +8315,7 @@ smp_fetch_ssl_c_verify(const struct arg *args, struct 
sample *smp, const char *k
 static int ssl_bind_parse_ca_file(char **args, int cur_arg, struct proxy *px, 
struct ssl_bind_conf *conf, char **err)
 {
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing CAfile path", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -8346,8 +8335,7 @@ static int bind_parse_ca_file(char **args, int cur_arg, 
struct proxy *px, struct
 static int bind_parse_ca_sign_file(char **args, int cur_arg, struct proxy *px, 
struct bind_conf *conf, char **err)
 {
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing CAfile path", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -8363,8 +8351,7 @@ static int bind_parse_ca_sign_file(char **args, int 
cur_arg, struct proxy *px, s
 static int bind_parse_ca_sign_pass(char **args, int cur_arg, struct proxy *px, 
struct bind_conf *conf, char **err)
 {
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing CAkey password", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing CAkey password", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
        memprintf(&conf->ca_sign_pass, "%s", args[cur_arg + 1]);
@@ -8450,13 +8437,11 @@ static int bind_parse_crt_list(char **args, int 
cur_arg, struct proxy *px, struc
 static int ssl_bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, 
struct ssl_bind_conf *conf, char **err)
 {
 #ifndef X509_V_FLAG_CRL_CHECK
-       if (err)
-               memprintf(err, "'%s' : library does not support CRL verify", 
args[cur_arg]);
+       memprintf(err, "'%s' : library does not support CRL verify", 
args[cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #else
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing CRLfile path", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing CRLfile path", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -8478,15 +8463,13 @@ static int ssl_bind_parse_curves(char **args, int 
cur_arg, struct proxy *px, str
 {
 #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing curve suite", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing curve suite", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
        conf->curves = strdup(args[cur_arg + 1]);
        return 0;
 #else
-       if (err)
-               memprintf(err, "'%s' : library does not support curve suite", 
args[cur_arg]);
+       memprintf(err, "'%s' : library does not support curve suite", 
args[cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
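Review bot: `conf->curves = strdup(args[cur_arg + 1]);` is followed directly by `return 0;`, so an allocation failure is reported as success and leaves `conf->curves` NULL. The `conf_curves` hunk in ssl_sock_prepare_ctx only calls `SSL_CTX_set1_curves_list` when the pointer is non-NULL, so the configured curve restriction would be dropped with no message; what the listener falls back to is not visible here. Now that memprintf is called unconditionally, a guard such as `if (!conf->curves) { memprintf(err, "'%s' : allocation error", args[cur_arg]); return ERR_ALERT | ERR_FATAL; }` would match the handling in bind_parse_tls_ticket_keys.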
@@ -8499,17 +8482,14 @@ static int bind_parse_curves(char **args, int cur_arg, 
struct proxy *px, struct
 static int ssl_bind_parse_ecdhe(char **args, int cur_arg, struct proxy *px, 
struct ssl_bind_conf *conf, char **err)
 {
 #if HA_OPENSSL_VERSION_NUMBER < 0x0090800fL
-       if (err)
-               memprintf(err, "'%s' : library does not support elliptic curve 
Diffie-Hellman (too old)", args[cur_arg]);
+       memprintf(err, "'%s' : library does not support elliptic curve 
Diffie-Hellman (too old)", args[cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #elif defined(OPENSSL_NO_ECDH)
-       if (err)
-               memprintf(err, "'%s' : library does not support elliptic curve 
Diffie-Hellman (disabled via OPENSSL_NO_ECDH)", args[cur_arg]);
+       memprintf(err, "'%s' : library does not support elliptic curve 
Diffie-Hellman (disabled via OPENSSL_NO_ECDH)", args[cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #else
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing named curve", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing named curve", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -8531,8 +8511,7 @@ static int bind_parse_ignore_err(char **args, int 
cur_arg, struct proxy *px, str
        unsigned long long *ignerr = &conf->crt_ignerr;
 
        if (!*p) {
-               if (err)
-                       memprintf(err, "'%s' : missing error IDs list", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing error IDs list", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -8547,9 +8526,8 @@ static int bind_parse_ignore_err(char **args, int 
cur_arg, struct proxy *px, str
        while (p) {
                code = atoi(p);
                if ((code <= 0) || (code > 63)) {
-                       if (err)
-                               memprintf(err, "'%s' : ID '%d' out of range 
(1..63) in error IDs list '%s'",
-                                         args[cur_arg], code, args[cur_arg + 
1]);
+                       memprintf(err, "'%s' : ID '%d' out of range (1..63) in 
error IDs list '%s'",
+                                 args[cur_arg], code, args[cur_arg + 1]);
                        return ERR_ALERT | ERR_FATAL;
                }
                *ignerr |= 1ULL << code;
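Review bot: `code = atoi(p);` accepts trailing garbage and has undefined behaviour on out-of-range input, so an entry like `12x` is taken as 12 and an oversized number is not guaranteed to be caught by the `(code <= 0) || (code > 63)` test. The resulting bitmask goes into `conf->crt_ignerr`, which by its name selects certificate errors to ignore, so a typo here should be rejected rather than half-parsed. Using `strtol` with an end-pointer check and an `errno == ERANGE` test would do that. The separator handling is outside the hunk, so the end-pointer test must accept whatever delimiter the loop advances on.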
@@ -8590,8 +8568,7 @@ static int parse_tls_method_options(char *arg, struct 
tls_version_filter *method
                goto fail;
        return 0;
  fail:
-       if (err)
-               memprintf(err, "'%s' : option not implemented", arg);
+       memprintf(err, "'%s' : option not implemented", arg);
        return ERR_ALERT | ERR_FATAL;
 }
 
@@ -8611,16 +8588,14 @@ static int parse_tls_method_minmax(char **args, int 
cur_arg, struct tls_version_
        uint16_t i, v = 0;
        char *argv = args[cur_arg + 1];
        if (!*argv) {
-               if (err)
-                       memprintf(err, "'%s' : missing the ssl/tls version", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing the ssl/tls version", 
args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
        for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
                if (!strcmp(argv, methodVersions[i].name))
                        v = i;
        if (!v) {
-               if (err)
-                       memprintf(err, "'%s' : unknown ssl/tls version", 
args[cur_arg + 1]);
+               memprintf(err, "'%s' : unknown ssl/tls version", args[cur_arg + 
1]);
                return ERR_ALERT | ERR_FATAL;
        }
        if (!strcmp("ssl-min-ver", args[cur_arg]))
@@ -8628,8 +8603,7 @@ static int parse_tls_method_minmax(char **args, int 
cur_arg, struct tls_version_
        else if (!strcmp("ssl-max-ver", args[cur_arg]))
                methods->max = v;
        else {
-               if (err)
-                       memprintf(err, "'%s' : option not implemented", 
args[cur_arg]);
+               memprintf(err, "'%s' : option not implemented", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
        return 0;
@@ -8718,8 +8692,7 @@ static int ssl_bind_parse_npn(char **args, int cur_arg, 
struct proxy *px, struct
        }
        return 0;
 #else
-       if (err)
-               memprintf(err, "'%s' : library does not support TLS NPN 
extension", args[cur_arg]);
+       memprintf(err, "'%s' : library does not support TLS NPN extension", 
args[cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
@@ -8774,8 +8747,7 @@ static int ssl_bind_parse_alpn(char **args, int cur_arg, 
struct proxy *px, struc
        }
        return 0;
 #else
-       if (err)
-               memprintf(err, "'%s' : library does not support TLS ALPN 
extension", args[cur_arg]);
+       memprintf(err, "'%s' : library does not support TLS ALPN extension", 
args[cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
@@ -8843,8 +8815,7 @@ static int bind_parse_tls_ticket_keys(char **args, int 
cur_arg, struct proxy *px
        struct tls_keys_ref *keys_ref = NULL;
 
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing TLS ticket keys file 
path", args[cur_arg]);
+               memprintf(err, "'%s' : missing TLS ticket keys file path", 
args[cur_arg]);
                goto fail;
        }
 
@@ -8857,28 +8828,24 @@ static int bind_parse_tls_ticket_keys(char **args, int 
cur_arg, struct proxy *px
 
        keys_ref = calloc(1, sizeof(*keys_ref));
        if (!keys_ref) {
-               if (err)
-                        memprintf(err, "'%s' : allocation error", 
args[cur_arg+1]);
+               memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
                goto fail;
        }
 
        keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(union tls_sess_key));
        if (!keys_ref->tlskeys) {
-               if (err)
-                        memprintf(err, "'%s' : allocation error", 
args[cur_arg+1]);
+               memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
                goto fail;
        }
 
        if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
-               if (err)
-                       memprintf(err, "'%s' : unable to load ssl tickets keys 
file", args[cur_arg+1]);
+               memprintf(err, "'%s' : unable to load ssl tickets keys file", 
args[cur_arg+1]);
                goto fail;
        }
 
        keys_ref->filename = strdup(args[cur_arg + 1]);
        if (!keys_ref->filename) {
-               if (err)
-                        memprintf(err, "'%s' : allocation error", 
args[cur_arg+1]);
+               memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
                goto fail;
        }
 
@@ -8896,8 +8863,7 @@ static int bind_parse_tls_ticket_keys(char **args, int 
cur_arg, struct proxy *px
 
                dec_size = base64dec(thisline, len, (char *) (keys_ref->tlskeys 
+ i % TLS_TICKETS_NO), sizeof(union tls_sess_key));
                if (dec_size < 0) {
-                       if (err)
-                               memprintf(err, "'%s' : unable to decode base64 
key on line %d", args[cur_arg+1], i + 1);
+                       memprintf(err, "'%s' : unable to decode base64 key on 
line %d", args[cur_arg+1], i + 1);
                        goto fail;
                }
                else if (!keys_ref->key_size_bits && (dec_size == sizeof(struct 
tls_sess_key_128))) {
@@ -8909,16 +8875,14 @@ static int bind_parse_tls_ticket_keys(char **args, int 
cur_arg, struct proxy *px
                else if (((dec_size != sizeof(struct tls_sess_key_128)) && 
(dec_size != sizeof(struct tls_sess_key_256)))
                         || ((dec_size == sizeof(struct tls_sess_key_128) && 
(keys_ref->key_size_bits != 128)))
                         || ((dec_size == sizeof(struct tls_sess_key_256) && 
(keys_ref->key_size_bits != 256)))) {
-                       if (err)
-                               memprintf(err, "'%s' : wrong sized key on line 
%d", args[cur_arg+1], i + 1);
+                       memprintf(err, "'%s' : wrong sized key on line %d", 
args[cur_arg+1], i + 1);
                        goto fail;
                }
                i++;
        }
 
        if (i < TLS_TICKETS_NO) {
-               if (err)
-                       memprintf(err, "'%s' : please supply at least %d keys 
in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
+               memprintf(err, "'%s' : please supply at least %d keys in the 
tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
                goto fail;
        }
 
@@ -8947,8 +8911,7 @@ static int bind_parse_tls_ticket_keys(char **args, int 
cur_arg, struct proxy *px
        return ERR_ALERT | ERR_FATAL;
 
 #else
-       if (err)
-               memprintf(err, "'%s' : TLS ticket callback extension not 
supported", args[cur_arg]);
+       memprintf(err, "'%s' : TLS ticket callback extension not supported", 
args[cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
 }
@@ -8957,8 +8920,7 @@ static int bind_parse_tls_ticket_keys(char **args, int 
cur_arg, struct proxy *px
 static int ssl_bind_parse_verify(char **args, int cur_arg, struct proxy *px, 
struct ssl_bind_conf *conf, char **err)
 {
        if (!*args[cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing verify method", 
args[cur_arg]);
+               memprintf(err, "'%s' : missing verify method", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -8969,9 +8931,8 @@ static int ssl_bind_parse_verify(char **args, int 
cur_arg, struct proxy *px, str
        else if (strcmp(args[cur_arg + 1], "required") == 0)
                conf->verify = SSL_SOCK_VERIFY_REQUIRED;
        else {
-               if (err)
-                       memprintf(err, "'%s' : unknown verify method '%s', only 
'none', 'optional', and 'required' are supported\n",
-                                 args[cur_arg], args[cur_arg + 1]);
+               memprintf(err, "'%s' : unknown verify method '%s', only 'none', 
'optional', and 'required' are supported\n",
+                         args[cur_arg], args[cur_arg + 1]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -9042,8 +9003,7 @@ static int srv_parse_npn(char **args, int *cur_arg, 
struct proxy *px, struct ser
        }
        return 0;
 #else
-       if (err)
-               memprintf(err, "'%s' : library does not support TLS NPN 
extension", args[*cur_arg]);
+       memprintf(err, "'%s' : library does not support TLS NPN extension", 
args[*cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
@@ -9103,8 +9063,7 @@ static int srv_parse_alpn(char **args, int *cur_arg, 
struct proxy *px, struct se
        }
        return 0;
 #else
-       if (err)
-               memprintf(err, "'%s' : library does not support TLS ALPN 
extension", args[*cur_arg]);
+       memprintf(err, "'%s' : library does not support TLS ALPN extension", 
args[*cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
@@ -9113,8 +9072,7 @@ static int srv_parse_alpn(char **args, int *cur_arg, 
struct proxy *px, struct se
 static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, 
struct server *newsrv, char **err)
 {
        if (!*args[*cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing CAfile path", 
args[*cur_arg]);
+               memprintf(err, "'%s' : missing CAfile path", args[*cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -9130,8 +9088,7 @@ static int srv_parse_ca_file(char **args, int *cur_arg, 
struct proxy *px, struct
 static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, 
struct server *newsrv, char **err)
 {
        if (!*args[*cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
+               memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -9196,13 +9153,11 @@ static int srv_parse_ciphersuites(char **args, int 
*cur_arg, struct proxy *px, s
 static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, 
struct server *newsrv, char **err)
 {
 #ifndef X509_V_FLAG_CRL_CHECK
-       if (err)
-               memprintf(err, "'%s' : library does not support CRL verify", 
args[*cur_arg]);
+       memprintf(err, "'%s' : library does not support CRL verify", 
args[*cur_arg]);
        return ERR_ALERT | ERR_FATAL;
 #else
        if (!*args[*cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing CRLfile path", 
args[*cur_arg]);
+               memprintf(err, "'%s' : missing CRLfile path", args[*cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -9219,8 +9174,7 @@ static int srv_parse_crl_file(char **args, int *cur_arg, 
struct proxy *px, struc
 static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct 
server *newsrv, char **err)
 {
        if (!*args[*cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing certificate file path", 
args[*cur_arg]);
+               memprintf(err, "'%s' : missing certificate file path", 
args[*cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -9358,8 +9312,7 @@ static int srv_parse_tls_tickets(char **args, int 
*cur_arg, struct proxy *px, st
 static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, 
struct server *newsrv, char **err)
 {
        if (!*args[*cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing verify method", 
args[*cur_arg]);
+               memprintf(err, "'%s' : missing verify method", args[*cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -9368,9 +9321,8 @@ static int srv_parse_verify(char **args, int *cur_arg, 
struct proxy *px, struct
        else if (strcmp(args[*cur_arg + 1], "required") == 0)
                newsrv->ssl_ctx.verify = SSL_SOCK_VERIFY_REQUIRED;
        else {
-               if (err)
-                       memprintf(err, "'%s' : unknown verify method '%s', only 
'none' and 'required' are supported\n",
-                                 args[*cur_arg], args[*cur_arg + 1]);
+               memprintf(err, "'%s' : unknown verify method '%s', only 'none' 
and 'required' are supported\n",
+                         args[*cur_arg], args[*cur_arg + 1]);
                return ERR_ALERT | ERR_FATAL;
        }
 
@@ -9381,8 +9333,7 @@ static int srv_parse_verify(char **args, int *cur_arg, 
struct proxy *px, struct
 static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, 
struct server *newsrv, char **err)
 {
        if (!*args[*cur_arg + 1]) {
-               if (err)
-                       memprintf(err, "'%s' : missing hostname to verify 
against", args[*cur_arg]);
+               memprintf(err, "'%s' : missing hostname to verify against", 
args[*cur_arg]);
                return ERR_ALERT | ERR_FATAL;
        }
 
-- 
2.24.0

