From dc35a3487bcb74d3bc9585e9cac7a196166c54ba Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Tue, 28 Oct 2025 18:00:47 +0100 Subject: [PATCH] MINOR: ssl: Do not dump decrypted privkeys in 'dump ssl cert' A private keys that is password protected and was decoded during init thanks to the password obtained thanks to 'ssl-passphrase-cmd' should not be dumped via 'dump ssl cert' CLI command. --- include/haproxy/ssl_ckch-t.h | 1 + include/haproxy/ssl_sock-t.h | 1 + src/ssl_ckch.c | 11 ++++++++++- src/ssl_sock.c | 6 ++++++ 4 files changed, 18 insertions(+), 1 deletion(-) diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h index c435d4218..2c75996ef 100644 --- a/include/haproxy/ssl_ckch-t.h +++ b/include/haproxy/ssl_ckch-t.h @@ -56,6 +56,7 @@ struct ckch_data { X509 *ocsp_issuer; OCSP_CERTID *ocsp_cid; struct issuer_chain *extra_chain; /* chain from 'issuers-chain-path' */ + int encrypted_privkey; /* 1 if 'key' is encrypted, 0 otherwise */ }; /* configuration for the ckch_store */ diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h index c076f7fb5..3d5a420a4 100644 --- a/include/haproxy/ssl_sock-t.h +++ b/include/haproxy/ssl_sock-t.h @@ -359,6 +359,7 @@ struct ssl_counters { struct passphrase_cb_data { const char *path; + struct ckch_data *ckch_data; int passphrase_idx; }; diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 942537dd7..e21f0797a 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -593,7 +593,7 @@ int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *d BIO *in = NULL; int ret = 1; EVP_PKEY *key = NULL; - struct passphrase_cb_data cb_data = { path, 0 }; + struct passphrase_cb_data cb_data = { path, data, 0 }; if (buf) { /* reading from a buffer */ @@ -613,6 +613,9 @@ int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *d goto end; } + /* We don't know yet if the private key requires a password. */ + data->encrypted_privkey = 0; + /* Read Private Key * Since multiple private keys might have different passphrases that are * stored in a local cache, we want to try all the already known @@ -2448,6 +2451,12 @@ static int cli_parse_dump_cert(char **args, char *payload, struct appctx *appctx } + /* Do not dump encrypted private keys */ + if (ckchs->data->encrypted_privkey) { + HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock); + return cli_err(appctx, "Can't display the contents of an encrypted certificate!\n"); + } + ctx->ckchs = ckchs; ctx->index = -2; /* -2 for pkey, -1 for cert, >= 0 for chain */ diff --git a/src/ssl_sock.c b/src/ssl_sock.c index a664d6d35..437b28cc4 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3788,12 +3788,18 @@ int ssl_sock_passwd_cb(char *buf, int size, int rwflag, void *userdata) int wstatus = 0; int fd[2]; char *bufstart = buf; + struct ckch_data *ckch_data = NULL; struct passphrase_cb_data *data = userdata; if (!data || data->passphrase_idx == -1) return -1; + ckch_data = data->ckch_data; + + if (ckch_data) + ckch_data->encrypted_privkey = 1; + if (!global_ssl.passphrase_cmd) { data->passphrase_idx = -1; ha_alert("Trying to load a passphrase-protected private key without an 'ssl-passphrase-cmd' defined."); -- 2.47.3