RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-12 16:37:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: ssl: reintroduce ERR_GET_LIB(ret) == ERR_LIB_PEM in ssl_sock_load_pem_into_ckch()

Browse Source 
Commit 432cd1a ("MEDIUM: ssl: be stricter about chain error") removed
the ERR_GET_LIB(ret) != ERR_LIB_PEM to be stricter about errors.

However, PEM_R_NO_START_LINE is better be checked with ERR_LIB_PEM.
So this patch complete the previous one.

The original problem was that the condition was wrongly inversed. This
original code from openssl:

  if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
      ERR_GET_REASON(err) == PEM_R_NO_START_LINE)

became:

  if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM &&
              ERR_GET_REASON(ret) != PEM_R_NO_START_LINE))

instead of:

  if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM &&
               ERR_GET_REASON(ret) == PEM_R_NO_START_LINE))

This must not be backported as it will break a lot of setup. That's too
bad because a lot of errors are lost. Not marked as a bug because of the
breakage it could cause on working setups.
This commit is contained in:
William Lallemand 2022-11-15 17:12:03 +01:00
parent 45fed2c7a6
commit 78c7a06e4f
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/ssl_ckch.c
View File

@ -633,7 +633,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
}
ret = ERR_get_error();
if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) {
memprintf(err, "%sunable to load certificate chain from file '%s': %s\n",
err && *err ? *err : "", path, ERR_reason_error_string(ret));
goto end;