From: William Lallemand
Date: Tue, 25 Oct 2022 13:55:13 +0000 (+0200)
Subject: MEDIUM: ssl: be stricter about chain error
X-Git-Tag: v2.7-dev9~132
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=432cd1a;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: be stricter about chain error

The error check on the certificate chain was ignoring all decoding errors, silently ignoring some errors. This patch fixes the issue by being stricter on errors when reading the chain. This is a change of behavior; it could break existing setups that have a wrong chain.
---

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 61ffbc08f3..1df6b967fc 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -626,14 +626,16 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) { if (chain == NULL) chain = sk_X509_new_null(); + if (ca == NULL) + break; if (!sk_X509_push(chain, ca)) { X509_free(ca); - goto end; + break; } } ret = ERR_get_error(); - if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) { + if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) { memprintf(err, "%sunable to load certificate chain from file '%s': %s\n", err && *err ? *err : "", path, ERR_reason_error_string(ret)); goto end;
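Review bot: the new condition `if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE))` compares the reason code without checking the library, so an error from a library other than PEM that happens to carry the same numeric reason value would also be treated as the harmless "no more PEM blocks" marker; the old test got the logic wrong the other way (with `&&`, any ERR_LIB_PEM error short-circuited the check and was swallowed, which is the bug the commit message describes), and the precise form is `if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE))`. Two smaller points in the same hunk: the added `if (ca == NULL) break;` is unreachable, because the `while ((ca = PEM_read_bio_X509(...)))` condition already guarantees `ca` is non-NULL inside the body, so it should be dropped or explained; and replacing `goto end` with `break` on `sk_X509_push` failure means control now falls through to `ret = ERR_get_error();`, so if the push fails without queueing an OpenSSL error, `ret` is 0, no message is produced and loading continues with a partial chain. Consider keeping an explicit error path for that case, and a comment stating that the only error accepted at end of file is PEM_R_NO_START_LINE, since the commit message calls this a behavior change that can break existing setups.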