The error check on the certificate chain was ignoring all decoding errors,
so some errors went unreported.
This patch fixes the issue by being stricter about errors when reading the
chain. This is a change of behavior: it could break an existing setup that
has a wrong chain.
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
if (chain == NULL)
chain = sk_X509_new_null();
+ if (ca == NULL)
+ break;
if (!sk_X509_push(chain, ca)) {
X509_free(ca);
- goto end;
+ break;
}
}
ret = ERR_get_error();
- if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
+ if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
memprintf(err, "%sunable to load certificate chain from file '%s': %s\n",
err && *err ? *err : "", path, ERR_reason_error_string(ret));
goto end;
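Review bot: The new check `if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE))` tests the reason code without its library, and OpenSSL reason codes are only meaningful together with ERR_GET_LIB(), so an error queued by another library that happens to carry the same numeric reason would still be swallowed; the intended exception is only the PEM end-of-input case, `if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) {`. The added `if (ca == NULL) break;` is unreachable, because the loop condition `while ((ca = PEM_read_bio_X509(...)))` already exits on NULL, so it can be dropped. Replacing `goto end` with `break` on the sk_X509_push failure now relies on ERR_get_error() reporting that failure; if the push fails without queuing an error (not visible from the hunk), ret is 0 and a truncated chain is accepted silently, so a local failure flag set on that path and checked after the loop would be safer. The enclosing function starts and ends outside the hunk.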