BUG/MINOR: ssl: segv on startup when AKID but no keyid

In bug #959 it was reported that haproxy segfault on startup when trying
to load a certifcate which use the X509v3 AKID extension but without the
keyid field.

This field is not mandatory and could be replaced by the serial or the
DirName.

For example:

   X509v3 extensions:
       X509v3 Basic Constraints:
           CA:FALSE
       X509v3 Subject Key Identifier:
           42:7D:5F:6C:3E:0D:B7:2C:FD:6A:8A:32:C6:C6:B9:90:05:D1:B2:9B
       X509v3 Authority Key Identifier:
           DirName:/O=HAProxy Technologies/CN=HAProxy Test Intermediate CA
           serial:F2:AB:C1:41:9F:AB:45:8E:86:23:AD:C5:54:ED:DF:FA

This bug was introduced by 70df7b ("MINOR: ssl: add "issuers-chain-path" directive").

This patch must be backported as far as 2.2.

1 files changed, 1 insertions, 1 deletions

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 48ec9a071..d6d048789 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6271,7 +6271,7 @@ int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err)
 	struct issuer_chain *issuer = NULL;
 
 	akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
-	if (akid) {
+	if (akid && akid->keyid) {
 		struct eb64_node *node;
 		u64 hk;
 		hk = XXH64(ASN1_STRING_get0_data(akid->keyid), ASN1_STRING_length(akid->keyid), 0);