From 9725bda766cd3ca1fa1d4c1ec0301a5bc6037234 Mon Sep 17 00:00:00 2001
From: Ben Laurie
Date: Tue, 24 Sep 2013 23:13:22 +0100
Subject: [PATCH] Show useful errors.

Conflicts:
	apps/s_server.c
---
 apps/s_server.c | 3 +++
 ssl/ssl.h | 4 ++++
 ssl/ssl_err.c | 4 ++++
 ssl/ssl_rsa.c | 8 ++++----
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 9359161758..c4fe72dba0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1970,7 +1970,10 @@ bad:
 #ifndef OPENSSL_NO_TLSEXT
 if (s_serverinfo_file != NULL
 && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file))
+ {
+ ERR_print_errors(bio_err);
 goto end;
+ }
 if (c_auth)
 {
 SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index a5d6ed096c..a41518414a 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2749,6 +2749,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_BAD_AUTHENTICATION_TYPE 102
 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
 #define SSL_R_BAD_CHECKSUM 104
+#define SSL_R_BAD_DATA 390
 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
 #define SSL_R_BAD_DECOMPRESSION 107
 #define SSL_R_BAD_DH_G_LENGTH 108
@@ -2897,6 +2898,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NO_COMPRESSION_SPECIFIED 187
 #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330
 #define SSL_R_NO_METHOD_SPECIFIED 188
+#define SSL_R_NO_PEM_EXTENSIONS 389
 #define SSL_R_NO_PRIVATEKEY 189
 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
 #define SSL_R_NO_PROTOCOLS_AVAILABLE 191
@@ -2924,6 +2926,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
 #define SSL_R_PEER_ERROR_NO_CIPHER 203
 #define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
+#define SSL_R_PEM_NAME_BAD_PREFIX 391
+#define SSL_R_PEM_NAME_TOO_SHORT 392
 #define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
 #define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
 #define SSL_R_PROTOCOL_IS_SHUTDOWN 207
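Review bot: The `SSL_CTX_set_custom_srv_ext(...)` call on the last context line of the s_server.c hunk still discards its return value, so a failure to register the `TLSEXT_TYPE_client_authz` handler stays silent in exactly the way the new braces fix for the serverinfo file just above. If that function can fail (its return type is not visible in the hunk), the same pattern applies: `if (!SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err)) { ERR_print_errors(bio_err); goto end; }`. The surrounding option-processing code and the `end:` label are outside the hunk, so whether `end:` already drains the error queue cannot be checked here.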
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index d295f43b47..9889a27e1b 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -313,6 +313,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
 {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
 {ERR_REASON(SSL_R_BAD_CHECKSUM) ,"bad checksum"},
+{ERR_REASON(SSL_R_BAD_DATA) ,"bad data"},
 {ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
 {ERR_REASON(SSL_R_BAD_DECOMPRESSION) ,"bad decompression"},
 {ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"},
@@ -461,6 +462,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
 {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"},
 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},
+{ERR_REASON(SSL_R_NO_PEM_EXTENSIONS) ,"no pem extensions"},
 {ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"},
 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
@@ -488,6 +490,8 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
 {ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) ,"peer error no cipher"},
 {ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
+{ERR_REASON(SSL_R_PEM_NAME_BAD_PREFIX) ,"pem name bad prefix"},
+{ERR_REASON(SSL_R_PEM_NAME_TOO_SHORT) ,"pem name too short"},
 {ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
 {ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
 {ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) ,"protocol is shutdown"},
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 36d7a1a819..953295518d 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -1012,7 +1012,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
 /* There must be at least one extension in this file */
 if (num_extensions == 0)
 {
- SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+ SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_NO_PEM_EXTENSIONS);
 goto end;
 }
 else /* End of file, we're done */
@@ -1021,18 +1021,18 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
 if (strlen(name) < strlen(namePrefix))
 {
- SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+ SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);
 goto end;
 }
 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0)
 {
- SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+ SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_BAD_PREFIX);
 goto end;
 }
 /* Check that the decoded PEM data is plausible (valid length field) */
 if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)
 {
- SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+ SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
 goto end;
 }
 /* Append the decoded extension to the serverinfo buffer */
-- 
2.25.1
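Review bot: `SSL_R_BAD_DATA` on the last changed line of the second ssl_rsa.c hunk is the only one of the four new reasons that does not say what was wrong, although the condition it labels is precise: the 16-bit big-endian value at `extension[2..3]` must equal `extension_length - 4`. Given that the commit's purpose is useful errors, either a more specific reason code for the length mismatch or, at minimum, a fuller comment on the check would help someone debugging a serverinfo file; for example replace the existing comment with `/* Sanity check: bytes 2-3 hold a big-endian length that must cover exactly the remaining extension_length - 4 bytes (bytes 0-1 are presumably the extension type) */`. The `extension[2] << 8` arithmetic also relies on `extension` being an unsigned byte pointer (its declaration is outside the hunk; `PEM_read_bio` hands back `unsigned char *` data), which deserves a word in the same comment so a later change of type does not silently break the comparison. `SSL_CTX_use_serverinfo_file` begins and ends outside this hunk, so whether `end:` releases `name`, `header` and `extension` on these early exits cannot be checked here.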