RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-18 01:14:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: ssl: error when no certificate are found

Browse Source 
When a non-existing file was specified in the configuration, haproxy
does not exits with an error which is not normal.

This bug was introduced by dfa93be ("MEDIUM: ssl: emulate multi-cert
bundles loading in standard loading") which does nothing if the stat
failed.

This patch introduce a "found" variable which is checked at the end of
the function so we exit with an error if no find were found.

Must be backported to 2.3.
This commit is contained in:
William Lallemand 2020-11-20 15:36:13 +01:00 committed by William Lallemand
parent 86c2dd60f1
commit 06ce84a100
1 changed files with 17 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/ssl_sock.c
View File

@ -3500,24 +3500,24 @@ error:
int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
{
struct stat buf;
char fp[MAXPATHLEN+1];
int cfgerr = 0;
struct ckch_store *ckchs;
struct ckch_inst *ckch_inst = NULL;
int found = 0; /* did we found a file to load ? */
if ((ckchs = ckchs_lookup(path))) {
/* we found the ckchs in the tree, we can use it directly */
return ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
}
if (stat(path, &buf) == 0) {
cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
found++;
} else if (stat(path, &buf) == 0) {
found++;
if (S_ISDIR(buf.st_mode) == 0) {
ckchs = ckchs_load_cert_file(path, err);
if (!ckchs)
return ERR_ALERT | ERR_FATAL;
return ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
cfgerr |= ERR_ALERT | ERR_FATAL;
cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
} else {
return ssl_sock_load_cert_list_file(path, 1, bind_conf, bind_conf->frontend, err);
cfgerr |= ssl_sock_load_cert_list_file(path, 1, bind_conf, bind_conf->frontend, err);
}
} else {
/* stat failed, could be a bundle */
@ -3536,21 +3536,25 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
if ((ckchs = ckchs_lookup(fp))) {
cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
found++;
} else {
if (stat(fp, &buf) == 0) {
found++;
ckchs = ckchs_load_cert_file(fp, err);
if (!ckchs)
return ERR_ALERT | ERR_FATAL;
cfgerr |= ERR_ALERT | ERR_FATAL;
cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
}
}
}
} else {
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
err && *err ? *err : "", fp, strerror(errno));
cfgerr |= ERR_ALERT | ERR_FATAL;
}
}
if (!found) {
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
err && *err ? *err : "", path, strerror(errno));
cfgerr |= ERR_ALERT | ERR_FATAL;
}
return cfgerr;
}