mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-11-10 05:21:00 +01:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: Do not dump decrypted privkeys in 'dump ssl cert'

Browse Source 
A private keys that is password protected and was decoded during init
thanks to the password obtained thanks to 'ssl-passphrase-cmd' should
not be dumped via 'dump ssl cert' CLI command.
This commit is contained in:
Remi Tricot-Le Breton 2025-10-28 18:00:47 +01:00 committed by William Lallemand
parent 5a036d223b
commit dc35a3487b
4 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/haproxy/ssl_ckch-t.h
View File

@ -56,6 +56,7 @@ struct ckch_data {
X509 *ocsp_issuer; X509 *ocsp_issuer;
OCSP_CERTID *ocsp_cid; OCSP_CERTID *ocsp_cid;
struct issuer_chain *extra_chain; /* chain from 'issuers-chain-path' */ struct issuer_chain *extra_chain; /* chain from 'issuers-chain-path' */
int encrypted_privkey; /* 1 if 'key' is encrypted, 0 otherwise */
}; };
/* configuration for the ckch_store */ /* configuration for the ckch_store */

1
include/haproxy/ssl_sock-t.h
View File

@ -359,6 +359,7 @@ struct ssl_counters {
struct passphrase_cb_data { struct passphrase_cb_data {
const char *path; const char *path;
struct ckch_data *ckch_data;
int passphrase_idx; int passphrase_idx;
}; };

11
src/ssl_ckch.c
View File

@ -593,7 +593,7 @@ int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *d
BIO *in = NULL; BIO *in = NULL;
int ret = 1; int ret = 1;
EVP_PKEY *key = NULL; EVP_PKEY *key = NULL;
struct passphrase_cb_data cb_data = { path, 0 }; struct passphrase_cb_data cb_data = { path, data, 0 };
if (buf) { if (buf) {
/* reading from a buffer */ /* reading from a buffer */
@ -613,6 +613,9 @@ int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *d
goto end; goto end;
} }
/* We don't know yet if the private key requires a password. */
data->encrypted_privkey = 0;
/* Read Private Key /* Read Private Key
* Since multiple private keys might have different passphrases that are * Since multiple private keys might have different passphrases that are
* stored in a local cache, we want to try all the already known * stored in a local cache, we want to try all the already known
@ -2448,6 +2451,12 @@ static int cli_parse_dump_cert(char **args, char *payload, struct appctx *appctx
} }
/* Do not dump encrypted private keys */
if (ckchs->data->encrypted_privkey) {
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
return cli_err(appctx, "Can't display the contents of an encrypted certificate!\n");
}
ctx->ckchs = ckchs; ctx->ckchs = ckchs;
ctx->index = -2; /* -2 for pkey, -1 for cert, >= 0 for chain */ ctx->index = -2; /* -2 for pkey, -1 for cert, >= 0 for chain */

6
src/ssl_sock.c
View File

@ -3788,12 +3788,18 @@ int ssl_sock_passwd_cb(char *buf, int size, int rwflag, void *userdata)
int wstatus = 0; int wstatus = 0;
int fd[2]; int fd[2];
char *bufstart = buf; char *bufstart = buf;
struct ckch_data *ckch_data = NULL;
struct passphrase_cb_data *data = userdata; struct passphrase_cb_data *data = userdata;
if (!data || data->passphrase_idx == -1) if (!data || data->passphrase_idx == -1)
return -1; return -1;
ckch_data = data->ckch_data;
if (ckch_data)
ckch_data->encrypted_privkey = 1;
if (!global_ssl.passphrase_cmd) { if (!global_ssl.passphrase_cmd) {
data->passphrase_idx = -1; data->passphrase_idx = -1;
ha_alert("Trying to load a passphrase-protected private key without an 'ssl-passphrase-cmd' defined."); ha_alert("Trying to load a passphrase-protected private key without an 'ssl-passphrase-cmd' defined.");