commit 7efbaf127f87419daf94d30847e400f2b6c92eaf
author William Lallemand <wlallemand@haproxy.com> Fri Nov 20 15:36:13 2020 +0100
committer Christopher Faulet <cfaulet@haproxy.com> Tue Nov 24 14:39:37 2020 +0100
tree 71683683b810a74b1f07298e466f28738ae35dad
parent d33241508bfa744c58055c30c8792f40a0557979

BUG/MEDIUM: ssl: error when no certificate are found

When a non-existing file was specified in the configuration, haproxy
does not exits with an error which is not normal.

This bug was introduced by dfa93be ("MEDIUM: ssl: emulate multi-cert
bundles loading in standard loading") which does nothing if the stat
failed.

This patch introduce a "found" variable which is checked at the end of
the function so we exit with an error if no find were found.

Must be backported to 2.3.

(cherry picked from commit 06ce84a10079388e95e5959dbcb50fcc563c702b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7084c85..0490b2a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3454,24 +3454,24 @@
 int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
 {
 	struct stat buf;
-	char fp[MAXPATHLEN+1];
 	int cfgerr = 0;
 	struct ckch_store *ckchs;
 	struct ckch_inst *ckch_inst = NULL;
+	int found = 0; /* did we found a file to load ? */
 
 	if ((ckchs = ckchs_lookup(path))) {
 		/* we found the ckchs in the tree, we can use it directly */
-		return ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
-	}
-	if (stat(path, &buf) == 0) {
+		 cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+		 found++;
+	} else if (stat(path, &buf) == 0) {
+		found++;
 		if (S_ISDIR(buf.st_mode) == 0) {
 			ckchs =  ckchs_load_cert_file(path, err);
 			if (!ckchs)
-				return ERR_ALERT | ERR_FATAL;
-
-			return ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+				cfgerr |= ERR_ALERT | ERR_FATAL;
+			cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
 		} else {
-			return ssl_sock_load_cert_list_file(path, 1, bind_conf, bind_conf->frontend, err);
+			cfgerr |= ssl_sock_load_cert_list_file(path, 1, bind_conf, bind_conf->frontend, err);
 		}
 	} else {
 		/* stat failed, could be a bundle */
@@ -3490,21 +3490,25 @@
 
 				if ((ckchs = ckchs_lookup(fp))) {
 					cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+					found++;
 				} else {
 					if (stat(fp, &buf) == 0) {
+						found++;
 						ckchs =  ckchs_load_cert_file(fp, err);
 						if (!ckchs)
-							return ERR_ALERT | ERR_FATAL;
+							cfgerr |= ERR_ALERT | ERR_FATAL;
 						cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
 					}
 				}
 			}
-		} else {
-			memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
-			          err && *err ? *err : "", fp, strerror(errno));
-			cfgerr |= ERR_ALERT | ERR_FATAL;
+
 		}
 	}
+	if (!found) {
+		memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
+		          err && *err ? *err : "", path, strerror(errno));
+		cfgerr |= ERR_ALERT | ERR_FATAL;
+	}
 
 	return cfgerr;
 }