From: William Lallemand Date: Thu, 18 Aug 2022 13:53:02 +0000 (+0200) Subject: BUG/MINOR: ssl/cli: error when the ca-file is empty X-Git-Tag: v2.7-dev4~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec7eb59d206a2eb58b1d325483d196e8daaf9285;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl/cli: error when the ca-file is empty "set ssl ca-file" does not return any error when a ca-file is empty or only contains comments. This could be a problem if the file was malformatted and did not contain any PEM header. It must be backported as far as 2.5. --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 0992240e22..9827928c85 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1140,7 +1140,8 @@ int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf) retval = !X509_STORE_add_crl(ca_e->ca_store, info->crl); } } - retval = retval || (i != sk_X509_INFO_num(infos)); + /* return an error if we didn't compute all the X509_INFO or if there was none */ + retval = retval || (i != sk_X509_INFO_num(infos)) || ( sk_X509_INFO_num(infos) == 0); /* Cleanup */ sk_X509_INFO_pop_free(infos, X509_INFO_free);
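Review bot: The new `sk_X509_INFO_num(infos) == 0` term on the added `retval` line tests how many X509_INFO entries were parsed, not how many objects were actually added to `ca_e->ca_store`. If the loop above this hunk can skip an entry that carries neither a certificate nor a CRL (that part is not visible here), a buffer made only of such entries would still return success with an empty store; counting the successful `X509_STORE_add_*` calls and failing when that count is zero would cover both the empty file and that case. Minor points on the same line: `sk_X509_INFO_num(infos)` is now evaluated twice, so a local holding the count would read better, and `( sk_X509_INFO_num` has a stray space after the opening parenthesis. In the new comment, "process" would be clearer than "compute".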