BUG/MINOR: ssl: Do not look for key in extra files if already in pem

A bug was introduced by commit 9bf3a1f67e
"BUG/MINOR: ssl: Fix crash when no private key is found in pem".
If a private key is already contained in a pem file, we will still look
for a .key file and load its private key if it exists when we should
not.

This patch should be backported to all branches where the original fix
was backported (all the way to 2.2).
This commit is contained in:
Remi Tricot-Le Breton 2022-06-07 16:29:44 +02:00 committed by William Lallemand
parent d543ae0e68
commit 1bad7db4a1
1 changed files with 29 additions and 27 deletions

View File

@ -356,37 +356,39 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
} }
/* If no private key was found yet and we cannot look for it in extra if (ckch->key == NULL) {
* files, raise an error. /* If no private key was found yet and we cannot look for it in extra
*/ * files, raise an error.
if ((ckch->key == NULL) && !(global_ssl.extra_files & SSL_GF_KEY)) { */
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area); if (!(global_ssl.extra_files & SSL_GF_KEY)) {
goto end; memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
}
/* try to load an external private key if it wasn't in the PEM */
if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
memprintf(err, "%s '%s' filename too long'.\n",
err && *err ? *err : "", fp->area);
ret = 1;
goto end;
}
if (stat(fp->area, &st) == 0) {
if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
err && *err ? *err : "", fp->area);
goto end; goto end;
} }
}
if (ckch->key == NULL) { /* try to load an external private key if it wasn't in the PEM */
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area); if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
goto end; memprintf(err, "%s '%s' filename too long'.\n",
err && *err ? *err : "", fp->area);
ret = 1;
goto end;
}
if (stat(fp->area, &st) == 0) {
if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
err && *err ? *err : "", fp->area);
goto end;
}
}
if (ckch->key == NULL) {
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
goto end;
}
/* remove the added extension */
*(fp->area + fp->data - strlen(".key")) = '\0';
b_sub(fp, strlen(".key"));
} }
/* remove the added extension */
*(fp->area + fp->data - strlen(".key")) = '\0';
b_sub(fp, strlen(".key"));
if (!X509_check_private_key(ckch->cert, ckch->key)) { if (!X509_check_private_key(ckch->cert, ckch->key)) {