From: William Lallemand Date: Wed, 16 Apr 2025 12:05:04 +0000 (+0200) Subject: BUG/MINOR: acme: key not restored upon error in acme_res_certificate() V2 X-Git-Tag: v3.2-dev11~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7814a8b446c38cf1c2155a224c340d895faf84fa;p=thirdparty%2Fhaproxy.git BUG/MINOR: acme: key not restored upon error in acme_res_certificate() V2 When receiving the final certificate, it need to be loaded by ssl_sock_load_pem_into_ckch(). However this function will remove any existing private key in the struct ckch_store. In order to fix the issue, the ptr to the key is swapped with a NULL ptr, and restored once the new certificate is commited. However there is a discrepancy when there is an error in ssl_sock_load_pem_into_ckch() fails and the pointer is lost. This patch fixes the issue by restoring the pointer in the error path. This must fix issue #2933. --- diff --git a/src/acme.c b/src/acme.c index 2e427ebe5..895a3ebd0 100644 --- a/src/acme.c +++ b/src/acme.c @@ -638,7 +638,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg) struct http_hdr *hdrs, *hdr; struct buffer *t1 = NULL, *t2 = NULL; int ret = 1; - EVP_PKEY *key; + EVP_PKEY *key = NULL; hc = ctx->hc; if (!hc) @@ -681,6 +681,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg) /* restore the key */ ctx->store->data->key = key; + key = NULL; if (acme_update_certificate(task, ctx, errmsg) != 0) goto error; @@ -689,6 +690,8 @@ out: ret = 0; error: + if (key) + ctx->store->data->key = key; free_trash_chunk(t1); free_trash_chunk(t2); httpclient_destroy(hc);