BUG/MINOR: ssl: Do not look for key in extra files if already in pem

A bug was introduced by commit 9bf3a1f67eb3bc6f02abcabf8ab141840c7a1db2
"BUG/MINOR: ssl: Fix crash when no private key is found in pem".
If a private key is already contained in a pem file, we will still look
for a .key file and load its private key if it exists when we should
not.

This patch should be backported to all branches where the original fix
was backported (all the way to 2.2).

(cherry picked from commit 1bad7db4a146e91cc2e9db72a92935ce9df5d24a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 63823fe526370a46a84920bbdcb27cf01d57eb95)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 5bb737fabcc9a264b51af14161b1564832cfb1a1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 7d118ca..1bba553 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -281,37 +281,39 @@
 
 	}
 
-	/* If no private key was found yet and we cannot look for it in extra
-	 * files, raise an error.
-	 */
-	if ((ckch->key == NULL) && !(global_ssl.extra_files & SSL_GF_KEY)) {
-		memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
-		goto end;
-	}
-
-	/* try to load an external private key if it wasn't in the PEM */
-	if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
-		memprintf(err, "%s '%s' filename too long'.\n",
-			  err && *err ? *err : "", fp->area);
-		ret = 1;
-		goto end;
-	}
+	if (ckch->key == NULL) {
+		/* If no private key was found yet and we cannot look for it in extra
+		 * files, raise an error.
+		 */
+		if (!(global_ssl.extra_files & SSL_GF_KEY)) {
+			memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
+			goto end;
+		}
 
-	if (stat(fp->area, &st) == 0) {
-		if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
-			memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
+		/* try to load an external private key if it wasn't in the PEM */
+		if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
+			memprintf(err, "%s '%s' filename too long'.\n",
 				  err && *err ? *err : "", fp->area);
+			ret = 1;
 			goto end;
 		}
-	}
 
-	if (ckch->key == NULL) {
-		memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
-		goto end;
+		if (stat(fp->area, &st) == 0) {
+			if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
+				memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
+					  err && *err ? *err : "", fp->area);
+				goto end;
+			}
+		}
+
+		if (ckch->key == NULL) {
+			memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
+			goto end;
+		}
+		/* remove the added extension */
+		*(fp->area + fp->data - strlen(".key")) = '\0';
+		b_sub(fp, strlen(".key"));
 	}
-	/* remove the added extension */
-	*(fp->area + fp->data - strlen(".key")) = '\0';
-	b_sub(fp, strlen(".key"));
 
 
 	if (!X509_check_private_key(ckch->cert, ckch->key)) {
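Review bot: In the new `if (ckch->key == NULL)` block, any `stat()` failure on the `.key` path is treated as "file absent", so a permission or I/O error on the key file falls through to the generic "No Private Key found" message instead of being reported as such. Consider branching on the failure reason, for example an `else if (errno != ENOENT)` arm with its own `memprintf(err, ...)` and `goto end`, so an unreadable key file can be told apart from a missing one. That final message also prints `fp->area` with the `.key` suffix still appended, so it names the extra file even when none exists; stripping the suffix before the last `ckch->key == NULL` check would make it name the PEM instead. The enclosing function starts and ends outside this hunk, so whether `errno` is usable here and what `end:` does with `fp` should be confirmed there.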