BUG/MINOR: ssl: Fix crash when no private key is found in pem

If no private key can be found in a bind line's certificate and
ssl-load-extra-files is set to none, we end up trying to call
X509_check_private_key with a NULL key, which crashes.

This fix should be backported to all stable branches.
Remi Tricot-Le Breton 2022-05-09 11:07:13 +02:00 committed by William Lallemand
parent 7198c700bc
commit 9bf3a1f67e


@ -339,6 +339,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
{ {
struct buffer *fp = NULL; struct buffer *fp = NULL;
int ret = 1; int ret = 1;
struct stat st;
/* try to load the PEM */ /* try to load the PEM */
if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) { if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
@ -373,11 +374,15 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
} }
/* If no private key was found yet and we cannot look for it in extra
* files, raise an error.
*/
if ((ckch->key == NULL) && !(global_ssl.extra_files & SSL_GF_KEY)) {
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
goto end;
}
/* try to load an external private key if it wasn't in the PEM */ /* try to load an external private key if it wasn't in the PEM */
if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) {
struct stat st;
if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) { if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
memprintf(err, "%s '%s' filename too long'.\n", memprintf(err, "%s '%s' filename too long'.\n",
err && *err ? *err : "", fp->area); err && *err ? *err : "", fp->area);
@ -400,7 +405,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
/* remove the added extension */ /* remove the added extension */
*(fp->area + fp->data - strlen(".key")) = '\0'; *(fp->area + fp->data - strlen(".key")) = '\0';
b_sub(fp, strlen(".key")); b_sub(fp, strlen(".key"));
}
if (!X509_check_private_key(ckch->cert, ckch->key)) { if (!X509_check_private_key(ckch->cert, ckch->key)) {
memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n", memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",