From 7814a8b446c38cf1c2155a224c340d895faf84fa Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 16 Apr 2025 14:05:04 +0200 Subject: [PATCH] BUG/MINOR: acme: key not restored upon error in acme_res_certificate() V2 When receiving the final certificate, it need to be loaded by ssl_sock_load_pem_into_ckch(). However this function will remove any existing private key in the struct ckch_store. In order to fix the issue, the ptr to the key is swapped with a NULL ptr, and restored once the new certificate is commited. However there is a discrepancy when there is an error in ssl_sock_load_pem_into_ckch() fails and the pointer is lost. This patch fixes the issue by restoring the pointer in the error path. This must fix issue #2933. --- src/acme.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/acme.c b/src/acme.c index 2e427ebe5..895a3ebd0 100644 --- a/src/acme.c +++ b/src/acme.c @@ -638,7 +638,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg) struct http_hdr *hdrs, *hdr; struct buffer *t1 = NULL, *t2 = NULL; int ret = 1; - EVP_PKEY *key; + EVP_PKEY *key = NULL; hc = ctx->hc; if (!hc) @@ -681,6 +681,7 @@ int acme_res_certificate(struct task *task, struct acme_ctx *ctx, char **errmsg) /* restore the key */ ctx->store->data->key = key; + key = NULL; if (acme_update_certificate(task, ctx, errmsg) != 0) goto error; @@ -689,6 +690,8 @@ out: ret = 0; error: + if (key) + ctx->store->data->key = key; free_trash_chunk(t1); free_trash_chunk(t2); httpclient_destroy(hc);