BUG/MINOR: ssl: Do not look for key in extra files if already in pem

A bug was introduced by commit 9bf3a1f67eb3bc6f02abcabf8ab141840c7a1db2
"BUG/MINOR: ssl: Fix crash when no private key is found in pem".
If a private key is already contained in a pem file, we will still look
for a .key file and load its private key if it exists when we should
not.

This patch should be backported to all branches where the original fix
was backported (all the way to 2.2).

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index da982405a8233d68715422aa9d1a7777edd0709b..0f430a469d4b1aca81dd23ef73a30ef148cc8016 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -356,37 +356,39 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 
        }
 
-       /* If no private key was found yet and we cannot look for it in extra
-        * files, raise an error.
-        */
-       if ((ckch->key == NULL) && !(global_ssl.extra_files & SSL_GF_KEY)) {
-               memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
-               goto end;
-       }
-
-       /* try to load an external private key if it wasn't in the PEM */
-       if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
-               memprintf(err, "%s '%s' filename too long'.\n",
-                         err && *err ? *err : "", fp->area);
-               ret = 1;
-               goto end;
-       }
+       if (ckch->key == NULL) {
+               /* If no private key was found yet and we cannot look for it in extra
+                * files, raise an error.
+                */
+               if (!(global_ssl.extra_files & SSL_GF_KEY)) {
+                       memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
+                       goto end;
+               }
 
-       if (stat(fp->area, &st) == 0) {
-               if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
-                       memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
+               /* try to load an external private key if it wasn't in the PEM */
+               if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
+                       memprintf(err, "%s '%s' filename too long'.\n",
                                  err && *err ? *err : "", fp->area);
+                       ret = 1;
                        goto end;
                }
-       }
 
-       if (ckch->key == NULL) {
-               memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
-               goto end;
+               if (stat(fp->area, &st) == 0) {
+                       if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
+                               memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
+                                         err && *err ? *err : "", fp->area);
+                               goto end;
+                       }
+               }
+
+               if (ckch->key == NULL) {
+                       memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
+                       goto end;
+               }
+               /* remove the added extension */
+               *(fp->area + fp->data - strlen(".key")) = '\0';
+               b_sub(fp, strlen(".key"));
        }
-       /* remove the added extension */
-       *(fp->area + fp->data - strlen(".key")) = '\0';
-       b_sub(fp, strlen(".key"));
 
 
        if (!X509_check_private_key(ckch->cert, ckch->key)) {