BUG/MEDIUM: ssl: Store certificate filename in a variable
Before this change, trash is being used to create certificate filename
to read in care Mutli-Cert are in used. But then ssl_sock_load_ocsp()
modify trash leading to potential wrong information given in later error
message.
This also blocks any further use of certificate filename for other
usage, like ongoing patch to support Certificate Transparency handling
in Multi-Cert bundle.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b14bb8a..ded1c24 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2137,6 +2137,7 @@
node = ebmb_first(&sni_keytypes_map);
while (node) {
SSL_CTX *cur_ctx;
+ char cur_file[MAXPATHLEN+1];
str = (char *)container_of(node, struct sni_keytype, name)->name.key;
i = container_of(node, struct sni_keytype, name)->keytypes;
@@ -2156,8 +2157,8 @@
for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
if (i & (1<<n)) {
/* Key combo contains ckch[n] */
- snprintf(trash.str, trash.size, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
- if (ssl_sock_put_ckch_into_ctx(trash.str, &certs_and_keys[n], cur_ctx, err) != 0) {
+ snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
+ if (ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err) != 0) {
SSL_CTX_free(cur_ctx);
rv = 1;
goto end;
@@ -2165,7 +2166,7 @@
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
/* Load OCSP Info into context */
- if (ssl_sock_load_ocsp(cur_ctx, trash.str) < 0) {
+ if (ssl_sock_load_ocsp(cur_ctx, cur_file) < 0) {
if (err)
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
*err ? *err : "", path);