mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-04 20:46:11 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: acme: key not restored upon error in acme_res_certificate() V2

Browse Source 
When receiving the final certificate, it need to be loaded by
ssl_sock_load_pem_into_ckch(). However this function will remove any
existing private key in the struct ckch_store.

In order to fix the issue, the ptr to the key is swapped with a NULL
ptr, and restored once the new certificate is commited.

However there is a discrepancy when there is an error in
ssl_sock_load_pem_into_ckch() fails and the pointer is lost.

This patch fixes the issue by restoring the pointer in the error path.

This must fix issue #2933.
This commit is contained in:
William Lallemand 2025-04-16 14:05:04 +02:00
parent e21a165af6
commit 7814a8b446
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/acme.c
View File

@ -638,7 +638,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)
struct http_hdr *hdrs, *hdr;
struct buffer *t1 = NULL, *t2 = NULL;
int ret = 1;
EVP_PKEY *key;
EVP_PKEY *key = NULL;
hc = ctx->hc;
if (!hc)
@ -681,6 +681,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg)
/* restore the key */
ctx->store->data->key = key;
key = NULL;
if (acme_update_certificate(task, ctx, errmsg) != 0)
goto error;
@ -689,6 +690,8 @@ out:
ret = 0;
error:
if (key)
ctx->store->data->key = key;
free_trash_chunk(t1);
free_trash_chunk(t2);
httpclient_destroy(hc);