X509 *ocsp_issuer;
OCSP_CERTID *ocsp_cid;
struct issuer_chain *extra_chain; /* chain from 'issuers-chain-path' */
+ int encrypted_privkey; /* 1 if 'key' is encrypted, 0 otherwise */
};
/* configuration for the ckch_store */
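Review bot: The new `encrypted_privkey` field documents its values but not who maintains it, and since it later gates whether a decrypted key may be dumped, the comment should name the writer so future load paths keep it in sync: `/* 1 if 'key' was passphrase-protected at load time (set by the passphrase callback, reset before each key load), 0 otherwise */`. The enclosing struct starts before this hunk, so the field's position relative to any positional initializers cannot be checked from here.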
BIO *in = NULL;
int ret = 1;
EVP_PKEY *key = NULL;
- struct passphrase_cb_data cb_data = { path, 0 };
+ struct passphrase_cb_data cb_data = { path, data, 0 };
if (buf) {
/* reading from a buffer */
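Review bot: The initializer `{ path, data, 0 }` on the new line is positional, so inserting a member into `struct passphrase_cb_data` silently changes the meaning of every other `{ ..., 0 }` initializer of that struct in the tree, and the compiler will not flag a site that was missed. A designated initializer pins each value to its field and is immune to further reordering: `struct passphrase_cb_data cb_data = { .path = path, .ckch_data = data, .passphrase_idx = 0 };` (the first member's name is not visible here, so adjust it to the actual declaration). The enclosing function begins before this hunk.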
goto end;
}
+ /* We don't know yet if the private key requires a password. */
+ data->encrypted_privkey = 0;
+
/* Read Private Key
* Since multiple private keys might have different passphrases that are
* stored in a local cache, we want to try all the already known
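Review bot: The reset `data->encrypted_privkey = 0;` only runs in this function, right before the PEM key read, so any other path that loads or replaces `data->key` (a separate key file, or a key supplied through the CLI) would leave a stale value from the previous load unless it performs the same reset; that can't be confirmed from this hunk and should be checked. It is worth stating the invariant at the reset, e.g. `/* Reset before every key load: the passphrase callback sets it to 1 only if OpenSSL asks for a password. */`. The function body continues outside the hunk.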
}
+ /* Do not dump encrypted private keys */
+ if (ckchs->data->encrypted_privkey) {
+ HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
+ return cli_err(appctx, "Can't display the contents of an encrypted certificate!\n");
+ }
+
ctx->ckchs = ckchs;
ctx->index = -2; /* -2 for pkey, -1 for cert, >= 0 for chain */
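Review bot: The error text at the new `cli_err` call says the certificate is encrypted, but what the flag tracks is the private key, and what the guard avoids dumping is the decrypted key material held in memory; `"Can't display the contents of a certificate with an encrypted private key!\n"` would describe the refusal accurately to an operator. The guard is also only as good as the flag: it is evaluated here while the store is looked up, and `ctx->ckchs` is then kept for the later dump, so if the store's data can be swapped between this check and the dump (the lock appears to be released on the return path, and the surrounding locking is outside the hunk), the check may need to be repeated where the key is actually written out. A one-line comment on the guard stating that the in-memory key is already decrypted would make the purpose of the refusal clear.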
int wstatus = 0;
int fd[2];
char *bufstart = buf;
+ struct ckch_data *ckch_data = NULL;
struct passphrase_cb_data *data = userdata;
if (!data || data->passphrase_idx == -1)
return -1;
+ ckch_data = data->ckch_data;
+
+ if (ckch_data)
+ ckch_data->encrypted_privkey = 1;
+
if (!global_ssl.passphrase_cmd) {
data->passphrase_idx = -1;
ha_alert("Trying to load a passphrase-protected private key without an 'ssl-passphrase-cmd' defined.");
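Review bot: The new `ckch_data` local is declared as NULL at the top and read exactly once four statements later, so the indirection adds nothing; `if (data->ckch_data) data->ckch_data->encrypted_privkey = 1;` placed after the `!data` guard says the same thing without the extra variable. Setting the flag before the `global_ssl.passphrase_cmd` check is the right order, since it records that a passphrase was required even when the load is about to fail; that is only harmless if callers discard or never dump a `ckch_data` whose load failed, which cannot be confirmed from this hunk. A short comment such as `/* OpenSSL only calls us for encrypted PEM, so record it before any failure path */` would capture why the assignment happens this early.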