From 98f286d8cb6d2b0686aabbcb84b33fd1bdb488be Mon Sep 17 00:00:00 2001
From: elms <jeff@wolfssl.com>
Date: Thu, 9 Sep 2021 15:45:13 -0700
Subject: [PATCH] Consistent return value from
 SSL_CTX_load_verify_locations{,_ex} (#4341)

On any failure, return `WOLFSSL_FAILURE`

If there was a failure and a successful processing of certs from the
same directory, the return value depended on the last cert processed
which not guarenteed to be the same order. If the last cert load
failed, it would return the specific wolfSSL error code. If it
succeeded, then WOLFSSL_FAILURE would be returned as a generic failure
due to a previous cert error.
---
 doc/dox_comments/header_files/ssl.h | 3 ++-
 src/ssl.c                           | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h
index 62710ebc2..2fe79e735 100644
--- a/doc/dox_comments/header_files/ssl.h
+++ b/doc/dox_comments/header_files/ssl.h
@@ -977,7 +977,8 @@ WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*,
 
     \return SSL_SUCCESS up success.
     \return SSL_FAILURE will be returned if ctx is NULL, or if both file and
-    path are NULL.
+    path are NULL. This will also be returned if at least one cert is loaded
+    successfully but there is one or more that failed. Check error stack for reason.
     \return SSL_BAD_FILETYPE will be returned if the file is the wrong format.
     \return SSL_BAD_FILE will be returned if the file doesn’t exist, can’t be
     read, or is corrupted.
diff --git a/src/ssl.c b/src/ssl.c
index cc89e119b..26bfa28b7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -7030,7 +7030,9 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
                        (ret == ASN_NO_PEM_HEADER))) {
                     /* Do not fail here if a certificate fails to load,
                        continue to next file */
+    #if defined(WOLFSSL_QT)
                     ret = WOLFSSL_SUCCESS;
+    #endif
                 }
                 else {
                     WOLFSSL_ERROR(ret);
@@ -7068,13 +7070,11 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
             /* use existing error code if exists */
     #if defined(WOLFSSL_QT)
             /* compliant with OpenSSL when flag sets*/
-            if (!(flags & WOLFSSL_LOAD_FLAG_IGNORE_ZEROFILE)) {
+            if (!(flags & WOLFSSL_LOAD_FLAG_IGNORE_ZEROFILE))
     #endif
-            if (ret == WOLFSSL_SUCCESS)
+            {
                 ret = WOLFSSL_FAILURE;
-    #if defined(WOLFSSL_QT)
             }
-    #endif
         }
         else {
             ret = WOLFSSL_SUCCESS;