Default keys can be at a different location than certificates

jedisct1 · jedisct1 · commit f09cc52ee08c · 2019-03-24T23:24:48.000+01:00
diff --git a/man/pure-ftpd.8.in b/man/pure-ftpd.8.in
@@ -9,7 +9,7 @@
 pure\-ftpd \- simple File Transfer Protocol server
 
 .SH "SYNOPSIS"
-.B pure\-ftpd [\-0] [\-1] [\-2] [\-3] [\-4] [\-6] [\-a gid] [\-A] [\-b] [\-B] [\-c clients] [\-C cnx/ip] [\-d [\-d]] [\-D] [\-e] [\-E] [\-f facility] [\-F fortunes file] [\-g pidfile] [\-G] [\-H] [\-i] [\-I] [\-j] [\-J ciphers] [\-k percentage] [\-K] [\-l authentication[:config file]] [\-L max files:max depth] [\-m maxload] [\-M] [\-n maxfiles:maxsize] [\-N] [\-o] [\-O format:log file] [\-p first:last] [\-P ip address or host name] [\-q upload:download ratio] [\-Q upload:download ratio] [\-r] [\-R] [\-s] [\-S [address,][port]] [\-t upload bandwidth:download bandwidth] [\-T upload bandwidth:download bandwidth] [\-u uid] [\-U umask files:umask dirs] [\-v bonjour name] [\-V ip address] [\-w] [\-W] [\-x] [\-X] [\-y max user sessions:max anon sessions] [\-Y tls behavior] [\-z] [\-Z]
+.B pure\-ftpd [\-0] [\-1] [\-2 cert_file[,key_file]] [\-3 certd_socket] [\-4] [\-6] [\-a gid] [\-A] [\-b] [\-B] [\-c clients] [\-C cnx/ip] [\-d [\-d]] [\-D] [\-e] [\-E] [\-f facility] [\-F fortunes file] [\-g pidfile] [\-G] [\-H] [\-i] [\-I] [\-j] [\-J ciphers] [\-k percentage] [\-K] [\-l authentication[:config file]] [\-L max files:max depth] [\-m maxload] [\-M] [\-n maxfiles:maxsize] [\-N] [\-o] [\-O format:log file] [\-p first:last] [\-P ip address or host name] [\-q upload:download ratio] [\-Q upload:download ratio] [\-r] [\-R] [\-s] [\-S [address,][port]] [\-t upload bandwidth:download bandwidth] [\-T upload bandwidth:download bandwidth] [\-u uid] [\-U umask files:umask dirs] [\-v bonjour name] [\-V ip address] [\-w] [\-W] [\-x] [\-X] [\-y max user sessions:max anon sessions] [\-Y tls behavior] [\-z] [\-Z]
 
 .br
 Alternative style:
@@ -157,8 +157,10 @@ Add the PID to the syslog output. Ignored if
 .B none
 is set.
 .TP
-.B \-2 file
-When using TLS, set the path to the certificate file.
+.B \-2 cert_file[,key_file]
+When using TLS, set the path to the certificate file. The certificate
+and its key can be be bundled into a single file, or the key can be
+in a distinct file.
 .TP
 .B \-3 path
 Path to the pure-certd UNIX socket.
diff --git a/src/ftpd.c b/src/ftpd.c
@@ -5801,12 +5801,27 @@ int pureftpd_start(int argc, char *argv[], const char *home_directory_)
         }
 #endif
 #ifdef WITH_TLS
-        case '2':
+        case '2': {
+            char *struck;
+            char *key_file_;
+
+            if ((struck = strchr(optarg, ',')) != NULL) {
+                *struck = 0;
+                key_file_ = struck + 1;
+            } else {
+                key_file_ = optarg;
+            }
+            if (*optarg == 0 || *key_file_ == 0) {
+                die(421, LOG_ERR, MSG_CONF_ERR ": TLS");
+            }
             if ((cert_file = strdup(optarg)) == NULL) {
                 die_mem();
             }
-            key_file = cert_file;
+            if ((key_file = strdup(key_file_)) == NULL) {
+                die_mem();
+            }
             break;
+        }
         case '3':
             tls_extcert_parse(optarg);
             use_extcert++;
