From: Remi Tricot-Le Breton Date: Wed, 21 Apr 2021 13:32:46 +0000 (+0200) Subject: BUG/MINOR: ssl: ssl_sock_prepare_ssl_ctx does not return an error code X-Git-Tag: v2.4-dev18~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43899ec83dea8e10c21e6a907eb76391c463cc2f;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: ssl_sock_prepare_ssl_ctx does not return an error code The return value check was wrongly based on error codes when the function actually returns an error number. This bug was introduced by f3eedfe19592ebcbaa5b97d8c68aa162e7f6f8fa which is a feature not present before branch 2.4. It does not need to be backported. --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 7504c55b87..c41c1789cf 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1259,6 +1259,7 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) int y = 0; char *err = NULL; int errcode = 0; + int retval = 0; struct ckch_store *old_ckchs, *new_ckchs = NULL; struct ckch_inst *ckchi, *ckchis; struct buffer *trash = alloc_trash_chunk(); @@ -1337,8 +1338,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) new_inst->server = ckchi->server; /* Create a new SSL_CTX and link it to the new instance. */ if (new_inst->is_server_instance) { - errcode |= ssl_sock_prepare_srv_ssl_ctx(ckchi->server, new_inst->ctx); - if (errcode & ERR_CODE) + retval = ssl_sock_prepare_srv_ssl_ctx(ckchi->server, new_inst->ctx); + if (retval) goto error; }
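Review bot: In the second hunk (cli_io_handler_commit_cert, @@ -1337), the failure branch now reaches `goto error` without updating errcode or err, so in the visible lines nothing records that ssl_sock_prepare_srv_ssl_ctx failed, and errcode keeps whatever value it had before the call. If the error label reports through errcode or err, set an error flag in errcode and fill err before the jump, so that a failed certificate commit is not reported to the CLI as a success. A one-line comment at the call stating that, per the commit message, this function returns an error number rather than ERR_* flags would keep the `& ERR_CODE` test from being reintroduced. As a smaller point on the first hunk, retval is only used inside the `if (new_inst->is_server_instance)` block in the lines shown and could be declared there instead of at function scope.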