BUG/MEDIUM: ssl: error when no certificate are found
authorWilliam Lallemand <wlallemand@haproxy.com>
Fri, 20 Nov 2020 14:36:13 +0000 (15:36 +0100)
committerChristopher Faulet <cfaulet@haproxy.com>
Tue, 24 Nov 2020 13:39:37 +0000 (14:39 +0100)
When a non-existing file was specified in the configuration, haproxy
does not exits with an error which is not normal.

This bug was introduced by dfa93be ("MEDIUM: ssl: emulate multi-cert
bundles loading in standard loading") which does nothing if the stat
failed.

This patch introduce a "found" variable which is checked at the end of
the function so we exit with an error if no find were found.

Must be backported to 2.3.

(cherry picked from commit 06ce84a10079388e95e5959dbcb50fcc563c702b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

src/ssl_sock.c

index 7084c85..0490b2a 100644 (file)
@@ -3454,24 +3454,24 @@ error:
 int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
 {
        struct stat buf;
-       char fp[MAXPATHLEN+1];
        int cfgerr = 0;
        struct ckch_store *ckchs;
        struct ckch_inst *ckch_inst = NULL;
+       int found = 0; /* did we found a file to load ? */
 
        if ((ckchs = ckchs_lookup(path))) {
                /* we found the ckchs in the tree, we can use it directly */
-               return ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
-       }
-       if (stat(path, &buf) == 0) {
+                cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+                found++;
+       } else if (stat(path, &buf) == 0) {
+               found++;
                if (S_ISDIR(buf.st_mode) == 0) {
                        ckchs =  ckchs_load_cert_file(path, err);
                        if (!ckchs)
-                               return ERR_ALERT | ERR_FATAL;
-
-                       return ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+                               cfgerr |= ERR_ALERT | ERR_FATAL;
+                       cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
                } else {
-                       return ssl_sock_load_cert_list_file(path, 1, bind_conf, bind_conf->frontend, err);
+                       cfgerr |= ssl_sock_load_cert_list_file(path, 1, bind_conf, bind_conf->frontend, err);
                }
        } else {
                /* stat failed, could be a bundle */
@@ -3490,21 +3490,25 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
 
                                if ((ckchs = ckchs_lookup(fp))) {
                                        cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+                                       found++;
                                } else {
                                        if (stat(fp, &buf) == 0) {
+                                               found++;
                                                ckchs =  ckchs_load_cert_file(fp, err);
                                                if (!ckchs)
-                                                       return ERR_ALERT | ERR_FATAL;
+                                                       cfgerr |= ERR_ALERT | ERR_FATAL;
                                                cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
                                        }
                                }
                        }
-               } else {
-                       memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
-                                 err && *err ? *err : "", fp, strerror(errno));
-                       cfgerr |= ERR_ALERT | ERR_FATAL;
+
                }
        }
+       if (!found) {
+               memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
+                         err && *err ? *err : "", path, strerror(errno));
+               cfgerr |= ERR_ALERT | ERR_FATAL;
+       }
 
        return cfgerr;
 }