From: Emmanuel Hocdet
Date: Tue, 30 Jul 2019 12:21:25 +0000 (+0200)
Subject: MINOR: ssl: check private key consistency in loading
X-Git-Tag: v2.1-dev2~260
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=03e09f3818e571c186b16303c5a9747d16670fc4;p=thirdparty%2Fhaproxy.git
MINOR: ssl: check private key consistency in loading Load a PEM certificate and use it in CTX are now decorrelated. Checking the certificate and private key consistency can be done earlier: in loading phase instead CTX set phase.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cd05421cc5..08ab3c304c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2992,6 +2992,12 @@ static int ssl_sock_load_crt_file_into_ckch(const char *path, struct cert_key_an
 goto end;
 }
+ if (!X509_check_private_key(ckch->cert, ckch->key)) {
+ memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
+ goto end;
+ }
+
+
 /* Read Certificate Chain */
 ckch->chain = sk_X509_new_null();
 while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)))
@@ -3064,12 +3070,6 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 }
 #endif
- if (SSL_CTX_check_private_key(ctx) <= 0) {
- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- return 1;
- }
-
 #ifndef OPENSSL_NO_DH
 /* store a NULL pointer to indicate we have not yet loaded a custom DH param file */
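Review bot: With SSL_CTX_check_private_key() dropped from ssl_sock_put_ckch_into_ctx() in the second hunk, the cert/key consistency invariant is now established only by this loader, so a ckch populated by any other path would reach the SSL_CTX unchecked; that is worth recording where the old check stood, e.g. `/* cert/key consistency is verified when the ckch is loaded (ssl_sock_load_crt_file_into_ckch); any other producer of a ckch must run X509_check_private_key() itself */`. The new check also appears to leave the mismatch reason on the OpenSSL error queue (X509_check_private_key() reports through the ERR machinery on mismatch), which the memprintf() message does not surface; consider appending ERR_reason_error_string(ERR_get_error()) to the message or draining the queue so a later unrelated error is not misattributed. The `end:` label this branch jumps to is outside the hunk, as is the function's tail; confirm that it, or the caller on the non-zero return, releases the already-loaded ckch->cert and ckch->key on this failure path.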