BUG/MEDIUM: ssl: Store certificate filename in a variable

Before this change, trash is being used to create certificate filename
to read in care Mutli-Cert are in used. But then ssl_sock_load_ocsp()
modify trash leading to potential wrong information given in later error
message.

This also blocks any further use of certificate filename for other
usage, like ongoing patch to support Certificate Transparency handling
in Multi-Cert bundle.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b14bb8a46e1b7489ddece5936519de4d480914f1..ded1c240c11e1602fbab1516da58aa914408eb4a 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2137,6 +2137,7 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
        node = ebmb_first(&sni_keytypes_map);
        while (node) {
                SSL_CTX *cur_ctx;
+               char cur_file[MAXPATHLEN+1];
 
                str = (char *)container_of(node, struct sni_keytype, name)->name.key;
                i = container_of(node, struct sni_keytype, name)->keytypes;
@@ -2156,8 +2157,8 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
                        for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
                                if (i & (1<<n)) {
                                        /* Key combo contains ckch[n] */
-                                       snprintf(trash.str, trash.size, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
-                                       if (ssl_sock_put_ckch_into_ctx(trash.str, &certs_and_keys[n], cur_ctx, err) != 0) {
+                                       snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
+                                       if (ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err) != 0) {
                                                SSL_CTX_free(cur_ctx);
                                                rv = 1;
                                                goto end;
@@ -2165,7 +2166,7 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
 
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
                                        /* Load OCSP Info into context */
-                                       if (ssl_sock_load_ocsp(cur_ctx, trash.str) < 0) {
+                                       if (ssl_sock_load_ocsp(cur_ctx, cur_file) < 0) {
                                                if (err)
                                                        memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
                                                                  *err ? *err : "", path);