From: William Lallemand
Date: Tue, 15 Nov 2022 16:12:03 +0000 (+0100)
Subject: MINOR: ssl: reintroduce ERR_GET_LIB(ret) == ERR_LIB_PEM in ssl_sock_load_pem_into_ckch()
X-Git-Tag: v2.7-dev9~62
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78c7a06e4fc1214b40845e6a61073e558fd6a02b;p=thirdparty%2Fhaproxy.git

MINOR: ssl: reintroduce ERR_GET_LIB(ret) == ERR_LIB_PEM in ssl_sock_load_pem_into_ckch()

Commit 432cd1a ("MEDIUM: ssl: be stricter about chain error") removed the ERR_GET_LIB(ret) != ERR_LIB_PEM to be stricter about errors. However, PEM_R_NO_START_LINE is better checked together with ERR_LIB_PEM, so this patch completes the previous one.

The original problem was that the condition was wrongly inverted. This original code from openssl:

if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)

became:

if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE))

instead of:

if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE))

This must not be backported as it will break a lot of setups. That's too bad because a lot of errors are lost. Not marked as a bug because of the breakage it could cause on working setups.

---
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 40d3cf347a..f947961b0d 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -633,7 +633,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and } ret = ERR_get_error(); - if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) { + if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) { memprintf(err, "%sunable to load certificate chain from file '%s': %s\n", err && *err ? *err : "", path, ERR_reason_error_string(ret)); goto end;
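Review bot: the new `+` condition is the correct De Morgan form of the OpenSSL idiom quoted in the commit message, and it closes a real gap in the removed `-` line, which tested only `ERR_GET_REASON(ret) != PEM_R_NO_START_LINE`: reason codes are unique only within a library, so an error raised by a different library whose reason number happens to equal PEM_R_NO_START_LINE would have been silently accepted as a clean end of chain. Two follow-ups worth considering in this hunk: `ERR_get_error()` pops a single queue entry, so if more than one error was queued while reading the chain, the rest remain on the queue when the benign end-of-chain case falls through, and an `ERR_clear_error()` at that point would stop them from being attributed to a later operation; and `ERR_reason_error_string(ret)` may return NULL for a reason code the library does not know, which `memprintf` then hands to `%s`, so formatting the error with `ERR_error_string_n()` into a local buffer would be safer for the log message.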