tls_mgm: fix skipping invalid TLS domain definitions in the script

(cherry picked from commit 71ca569)
OpenSIPS · Jun 26, 2017 · 05e6a0a · 05e6a0a
1 parent 0ba2702
commit 05e6a0a
Showing 1 changed file with 154 additions and 123 deletions.
diff --git a/modules/tls_mgm/tls_mgm.c b/modules/tls_mgm/tls_mgm.c
@@ -1157,119 +1157,139 @@ static int load_private_key_db(SSL_CTX * ctx, str *blob)
 }
 
 
-/*
- * initialize tls virtual domains
- */
-static void init_tls_domains(struct tls_domain **dom)
+static int init_tls_dom(struct tls_domain *d)
 {
-	struct tls_domain *d, *tmp, *prev = NULL;
 	int from_file = 0;
 
-	d = *dom;
-	while (d) {
-		LM_INFO("Processing TLS domain '%.*s'\n",
+	LM_INFO("Processing TLS domain '%.*s'\n",
+			d->name.len, ZSW(d->name.s));
+
+	/*
+	 * set method
+	 */
+	if (d->method == TLS_METHOD_UNSPEC) {
+		LM_DBG("no method for tls domain '%.*s', using default\n",
 				d->name.len, ZSW(d->name.s));
+		d->method = tls_default_method;
+	}
 
-		/*
-		 * set method
-		 */
-		if (d->method == TLS_METHOD_UNSPEC) {
-			LM_DBG("no method for tls domain '%.*s', using default\n",
-					d->name.len, ZSW(d->name.s));
-			d->method = tls_default_method;
-		}
+	/*
+	 * create context
+	 */
+	d->ctx = SSL_CTX_new(ssl_methods[d->method - 1]);
+	if (d->ctx == NULL) {
+		LM_ERR("cannot create ssl context for tls domain '%.*s'\n",
+			d->name.len, ZSW(d->name.s));
+		return -1;
+	}
 
-		/*
-		 * create context
-		 */
-		d->ctx = SSL_CTX_new(ssl_methods[d->method - 1]);
-		if (d->ctx == NULL) {
-			LM_ERR("cannot create ssl context for tls domain '%.*s'\n",
-				d->name.len, ZSW(d->name.s));
-			goto err_cont;
-		}
+	if (init_ssl_ctx_behavior(d) < 0)
+		return -1;
 
-		if (init_ssl_ctx_behavior(d) < 0)
-			goto err_cont;
+	/*
+	 * load certificate
+	 */
+	if (!d->cert.s) {
+		from_file = 1;
+		LM_NOTICE("no certificate for tls domain '%.*s' defined, using default '%s'\n",
+				d->name.len, ZSW(d->name.s), tls_cert_file);
+		d->cert.s = tls_cert_file;
+		d->cert.len = len(tls_cert_file);
+	}
 
-		/*
-		 * load certificate
-		 */
-		if (!d->cert.s) {
-			from_file = 1;
-			LM_NOTICE("no certificate for tls domain '%.*s' defined, using default '%s'\n",
-					d->name.len, ZSW(d->name.s), tls_cert_file);
-			d->cert.s = tls_cert_file;
-			d->cert.len = len(tls_cert_file);
-		}
+	if (!(d->type & TLS_DOMAIN_DB) || from_file) {
+		if (load_certificate(d->ctx, d->cert.s) < 0)
+			return -1;
+	} else
+		if (load_certificate_db(d->ctx, &d->cert) < 0)
+			return -1;
 
-		if (!(d->type & TLS_DOMAIN_DB) || from_file) {
-			if (load_certificate(d->ctx, d->cert.s) < 0)
-				goto err_cont;
-		} else
-			if (load_certificate_db(d->ctx, &d->cert) < 0)
-				goto err_cont;
+	from_file = 0;
 
-		from_file = 0;
+	/**
+	 * load crl from directory
+	 */
+	if (!d->crl_directory) {
+		LM_NOTICE("no crl for tls, using none\n");
+	} else {
+		if(load_crl(d->ctx, d->crl_directory, d->crl_check_all) < 0)
+			return -1;
+	}
 
-		/**
-		 * load crl from directory
-		 */
-		if (!d->crl_directory) {
-			LM_NOTICE("no crl for tls, using none\n");
-		} else {
-			if(load_crl(d->ctx, d->crl_directory, d->crl_check_all) < 0)
-				goto err_cont;
-		}
+	/*
+	 * load ca
+	 */
+	if (!d->ca.s) {
+		from_file = 1;
+		LM_NOTICE("no CA list for tls domain '%.*s' defined, using default '%s'\n",
+				d->name.len, ZSW(d->name.s), tls_ca_file);
+		d->ca.s = tls_ca_file;
+		d->ca.len = len(tls_ca_file);
+	}
 
-		/*
-		 * load ca
-		 */
-		if (!d->ca.s) {
-			from_file = 1;
-			LM_NOTICE("no CA list for tls domain '%.*s' defined, using default '%s'\n",
-					d->name.len, ZSW(d->name.s), tls_ca_file);
-			d->ca.s = tls_ca_file;
-			d->ca.len = len(tls_ca_file);
-		}
+	if (!(d->type & TLS_DOMAIN_DB) || from_file) {
+		if (d->ca.s && load_ca(d->ctx, d->ca.s) < 0)
+			return -1;
+	} else {
+		if (load_ca_db(d->ctx, &d->ca) < 0)
+			return -1;
+	}
 
-		if (!(d->type & TLS_DOMAIN_DB) || from_file) {
-			if (d->ca.s && load_ca(d->ctx, d->ca.s) < 0)
-				goto err_cont;
-		} else {
-			if (load_ca_db(d->ctx, &d->ca) < 0)
-				goto err_cont;
-		}
-		from_file = 0;
-		/*
-		 * load ca from directory
-		 */
-		if (!d->ca_directory) {
-			LM_NOTICE("no CA dir for tls '%.*s' defined, using default '%s'\n",
-					d->name.len, ZSW(d->name.s), tls_ca_dir);
-			d->ca_directory = tls_ca_dir;
-		}
+	/*
+	 * load ca from directory
+	 */
+	if (!d->ca_directory) {
+		LM_NOTICE("no CA dir for tls '%.*s' defined, using default '%s'\n",
+				d->name.len, ZSW(d->name.s), tls_ca_dir);
+		d->ca_directory = tls_ca_dir;
+	}
 
-		if (d->ca_directory && load_ca_dir(d->ctx, d->ca_directory) < 0)
-			goto err_cont;
+	if (d->ca_directory && load_ca_dir(d->ctx, d->ca_directory) < 0)
+		return -1;
 
-		prev = d;
-		d = d->next;
-		continue;
-err_cont:
-		tmp = d;
-		if (d == *dom)
-			*dom = d->next;
-		d = d->next;
-		if (prev)
-			prev->next = d;
+	return 0;
+}
+
+/*
+ * initialize tls virtual domains
+ */
+static int init_tls_domains(struct tls_domain **dom)
+{
+	struct tls_domain *d, *tmp, *prev = NULL;
+	int from_file = 0;
+	int rc;
+	int db = 0;
 
-		if (tmp->ctx)
-			SSL_CTX_free(tmp->ctx);
-		lock_destroy(tmp->lock);
-		lock_dealloc(tmp->lock);
-		shm_free(tmp);
-		from_file = 0;
+	d = *dom;
+	while (d) {
+		if (init_tls_dom(d) < 0) {
+			db = d->type & TLS_DOMAIN_DB;
+			if (!db)
+				LM_ERR("Failed to init TLS domain '%.*s'\n", d->name.len, ZSW(d->name.s));
+			else
+				LM_WARN("Failed to init TLS domain '%.*s', skipping...\n",
+					d->name.len, ZSW(d->name.s));
+
+			if (d == *dom)
+				*dom = d->next;
+
+			if (prev)
+				prev->next = d->next;
+
+			tmp = d;
+			d = d->next;
+			if (tmp->ctx)
+				SSL_CTX_free(tmp->ctx);
+			lock_destroy(tmp->lock);
+			lock_dealloc(tmp->lock);
+			shm_free(tmp);
+
+			if (!db)
+				return -1;
+		} else {
+			prev = d;
+			d = d->next;
+		}
 	}
 
 	/*
@@ -1286,33 +1306,42 @@ static void init_tls_domains(struct tls_domain **dom)
 			from_file = 1;
 		}
 
-		if (!(d->type & TLS_DOMAIN_DB) || from_file) {
-			if (load_private_key(d->ctx, d->pkey.s) < 0)
-				goto err_cont_2;
-		} else {
-			if (load_private_key_db(d->ctx, &d->pkey) < 0)
-				goto err_cont_2;
-		}
+		if (!(d->type & TLS_DOMAIN_DB) || from_file)
+			rc = load_private_key(d->ctx, d->pkey.s);
+		else
+			rc = load_private_key_db(d->ctx, &d->pkey);
 
-		from_file = 0;
-		prev = d;
-		d = d->next;
-		continue;
-err_cont_2:
-		tmp = d;
-		if (d == *dom)
-			*dom = d->next;
-		d = d->next;
-		if (prev)
-			prev->next = d;
+		if (rc < 0) {
+			db = d->type & TLS_DOMAIN_DB;
+			if (!db)
+				LM_ERR("Failed to init TLS domain '%.*s'\n", d->name.len, ZSW(d->name.s));
+			else
+				LM_WARN("Failed to init TLS domain '%.*s', skipping...\n",
+					d->name.len, ZSW(d->name.s));
+
+			if (d == *dom)
+				*dom = d->next;
 
-		if (tmp->ctx)
-			SSL_CTX_free(tmp->ctx);
-		lock_destroy(tmp->lock);
-		lock_dealloc(tmp->lock);
-		shm_free(tmp);
-		from_file = 0;
+			if (prev)
+				prev->next = d->next;
+
+			tmp = d;
+			d = d->next;
+			if (tmp->ctx)
+				SSL_CTX_free(tmp->ctx);
+			lock_destroy(tmp->lock);
+			lock_dealloc(tmp->lock);
+			shm_free(tmp);
+
+			if (!db)
+				return -1;
+		} else {
+			prev = d;
+			d = d->next;
+		}
 	}
+
+	return 0;
 }
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
@@ -1772,8 +1801,10 @@ static int mod_init(void) {
 	}
 
 	/* initialize tls virtual domains */
-	init_tls_domains(tls_server_domains);
-	init_tls_domains(tls_client_domains);
+	if (init_tls_domains(tls_server_domains) < 0)
+		return -1;
+	if (init_tls_domains(tls_client_domains) < 0)
+		return -1;
 
 	return 0;
 }