MINOR: ssl: reintroduce ERR_GET_LIB(ret) == ERR_LIB_PEM in ssl_sock_load_pem_into_ckch()

Commit 432cd1a ("MEDIUM: ssl: be stricter about chain error") removed
the ERR_GET_LIB(ret) != ERR_LIB_PEM to be stricter about errors.

However, PEM_R_NO_START_LINE is better be checked with ERR_LIB_PEM.
So this patch complete the previous one.

The original problem was that the condition was wrongly inversed. This
original code from openssl:

  if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
      ERR_GET_REASON(err) == PEM_R_NO_START_LINE)

became:

  if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM &&
              ERR_GET_REASON(ret) != PEM_R_NO_START_LINE))

instead of:

  if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM &&
               ERR_GET_REASON(ret) == PEM_R_NO_START_LINE))

This must not be backported as it will break a lot of setup. That's too
bad because a lot of errors are lost. Not marked as a bug because of the
breakage it could cause on working setups.

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 40d3cf347aae1e442aa20009ed57a03ac7c62c89..f947961b0d701a86c82544612cb4bc1851643798 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -633,7 +633,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
        }
 
        ret = ERR_get_error();
-       if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
+       if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) {
                memprintf(err, "%sunable to load certificate chain from file '%s': %s\n",
                          err && *err ? *err : "", path, ERR_reason_error_string(ret));
                goto end;