mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-25 07:41:36 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: Fix crash when no private key is found in pem

Browse Source 
If no private key can be found in a bind line's certificate and
ssl-load-extra-files is set to none we end up trying to call
X509_check_private_key with a NULL key, which crashes.

This fix should be backported to all stable branches.
This commit is contained in:
Remi Tricot-Le Breton 2022-05-09 11:07:13 +02:00 committed by William Lallemand
parent 7198c700bc
commit 9bf3a1f67e
1 changed files with 32 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
src/ssl_ckch.c
View File

@ -339,6 +339,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
{ {
struct buffer *fp = NULL; struct buffer *fp = NULL;
int ret = 1; int ret = 1;
struct stat st;
/* try to load the PEM */ /* try to load the PEM */
if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) { if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
@ -373,35 +374,39 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
} }
/* try to load an external private key if it wasn't in the PEM */ /* If no private key was found yet and we cannot look for it in extra
if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) { * files, raise an error.
struct stat st; */
if ((ckch->key == NULL) && !(global_ssl.extra_files & SSL_GF_KEY)) {
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) { goto end;
memprintf(err, "%s '%s' filename too long'.\n",
err && *err ? *err : "", fp->area);
ret = 1;
goto end;
}
if (stat(fp->area, &st) == 0) {
if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
err && *err ? *err : "", fp->area);
goto end;
}
}
if (ckch->key == NULL) {
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
goto end;
}
/* remove the added extension */
*(fp->area + fp->data - strlen(".key")) = '\0';
b_sub(fp, strlen(".key"));
} }
/* try to load an external private key if it wasn't in the PEM */
if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
memprintf(err, "%s '%s' filename too long'.\n",
err && *err ? *err : "", fp->area);
ret = 1;
goto end;
}
if (stat(fp->area, &st) == 0) {
if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
err && *err ? *err : "", fp->area);
goto end;
}
}
if (ckch->key == NULL) {
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
goto end;
}
/* remove the added extension */
*(fp->area + fp->data - strlen(".key")) = '\0';
b_sub(fp, strlen(".key"));
if (!X509_check_private_key(ckch->cert, ckch->key)) { if (!X509_check_private_key(ckch->cert, ckch->key)) {
memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n", memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);