Always apply all configuration settings from the ssl section

Even if some configuration entry is incorrect, do not
skip the remaining ones.

Fixes #20789

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23048)

diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index c2366e41e365db7cb4529e8395f41c8a78dd780a..d7ec22c0e890fe48e514dbef643695af7da0848f 100644 (file)
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -24,7 +24,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 {
     SSL_CONF_CTX *cctx = NULL;
     size_t i, idx, cmd_count;
-    int rv = 0;
+    int err = 1;
     unsigned int flags;
     const SSL_METHOD *meth;
     const SSL_CONF_CMD *cmds;
@@ -66,8 +66,10 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
         flags |= SSL_CONF_FLAG_CLIENT;
     SSL_CONF_CTX_set_flags(cctx, flags);
     prev_libctx = OSSL_LIB_CTX_set0_default(libctx);
+    err = 0;
     for (i = 0; i < cmd_count; i++) {
         char *cmdstr, *arg;
+        int rv;
 
         conf_ssl_get_cmd(cmds, i, &cmdstr, &arg);
         rv = SSL_CONF_cmd(cctx, cmdstr, arg);
@@ -76,14 +78,15 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 
             ERR_raise_data(ERR_LIB_SSL, errcode,
                            "section=%s, cmd=%s, arg=%s", name, cmdstr, arg);
-            goto err;
+            ++err;
         }
     }
-    rv = SSL_CONF_CTX_finish(cctx);
+    if (!SSL_CONF_CTX_finish(cctx))
+        ++err;
  err:
     OSSL_LIB_CTX_set0_default(prev_libctx);
     SSL_CONF_CTX_free(cctx);
-    return rv <= 0 ? 0 : 1;
+    return err == 0;
 }
 
 int SSL_config(SSL *s, const char *name)