BUG/MINOR: ssl: Fix crash when no private key is found in pem
If no private key can be found in a bind line's certificate and ssl-load-extra-files is set to none, we end up trying to call X509_check_private_key with a NULL key, which crashes. This fix should be backported to all stable branches.
parent
7198c700bc
commit
9bf3a1f67e
|
@ -339,6 +339,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
|||
{
|
||||
struct buffer *fp = NULL;
|
||||
int ret = 1;
|
||||
struct stat st;
|
||||
|
||||
/* try to load the PEM */
|
||||
if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
|
||||
|
@ -373,35 +374,39 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
|||
|
||||
}
|
||||
|
||||
/* try to load an external private key if it wasn't in the PEM */
|
||||
if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) {
|
||||
struct stat st;
|
||||
|
||||
|
||||
if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
|
||||
memprintf(err, "%s '%s' filename too long'.\n",
|
||||
err && *err ? *err : "", fp->area);
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (stat(fp->area, &st) == 0) {
|
||||
if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
|
||||
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
|
||||
err && *err ? *err : "", fp->area);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (ckch->key == NULL) {
|
||||
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
|
||||
goto end;
|
||||
}
|
||||
/* remove the added extension */
|
||||
*(fp->area + fp->data - strlen(".key")) = '\0';
|
||||
b_sub(fp, strlen(".key"));
|
||||
/* If no private key was found yet and we cannot look for it in extra
|
||||
* files, raise an error.
|
||||
*/
|
||||
if ((ckch->key == NULL) && !(global_ssl.extra_files & SSL_GF_KEY)) {
|
||||
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* try to load an external private key if it wasn't in the PEM */
|
||||
if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
|
||||
memprintf(err, "%s '%s' filename too long'.\n",
|
||||
err && *err ? *err : "", fp->area);
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (stat(fp->area, &st) == 0) {
|
||||
if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
|
||||
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
|
||||
err && *err ? *err : "", fp->area);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (ckch->key == NULL) {
|
||||
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
|
||||
goto end;
|
||||
}
|
||||
/* remove the added extension */
|
||||
*(fp->area + fp->data - strlen(".key")) = '\0';
|
||||
b_sub(fp, strlen(".key"));
|
||||
|
||||
|
||||
if (!X509_check_private_key(ckch->cert, ckch->key)) {
|
||||
memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
|
|
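Review bot: On the new side as rendered, the `.key` lookup (the `chunk_strcat(fp, ".key")`, the `stat()` and the `ssl_sock_load_key_into_ckch()` call) is no longer wrapped in `if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) {`, which only appears on the removed side, so it now runs even when the PEM already carried a key and even with `ssl-load-extra-files none`, and a `<path>.key` file sitting next to the certificate would presumably be loaded over the key already taken from the PEM. If this is really the new structure and not indentation lost by the rendering (the wrapper's closing brace is not visible either way), keep the wrapper around the lookup — `if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) {` before the `chunk_strcat` line and `}` after the `b_sub(fp, strlen(".key"));` line — and leave the `if (ckch->key == NULL)` check outside it, so both the "extra files disabled" and "extra file absent" cases reach the same `No Private Key found` error before `X509_check_private_key`. That also makes the early guard added at the top of the hunk redundant, since the two `memprintf(err, "%sNo Private Key found in '%s'.\n", ...)` messages differ only in whether `fp->area` still carries the `.key` suffix. The enclosing function continues past the end of the hunk.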