RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-11 03:31:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: ssl: check allocation in ssl_sock_init_srv

Browse Source 
These checks are especially required now as this function will be used
at runtime for dynamic servers.
This commit is contained in:
Amaury Denoyelle 2021-05-19 11:52:50 +02:00
parent c593bcdb43
commit 949c94e462
1 changed files with 23 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/cfgparse-ssl.c
View File

@ -1369,13 +1369,16 @@ static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, stru
} }
/* common function to init ssl_ctx */ /* common function to init ssl_ctx */
static void ssl_sock_init_srv(struct server *s) static int ssl_sock_init_srv(struct server *s)
{ {
if (global_ssl.connect_default_ciphers && !s->ssl_ctx.ciphers) if (global_ssl.connect_default_ciphers && !s->ssl_ctx.ciphers)
s->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers); s->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites) if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites) {
s->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); s->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
if (!s->ssl_ctx.ciphersuites)
return 1;
}
#endif #endif
s->ssl_ctx.options |= global_ssl.connect_default_ssloptions; s->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
s->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags; s->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
@ -1385,13 +1388,19 @@ static void ssl_sock_init_srv(struct server *s)
if (!s->ssl_ctx.methods.max) if (!s->ssl_ctx.methods.max)
s->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max; s->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max;
return 0;
} }
/* parse the "check-ssl" server keyword */ /* parse the "check-ssl" server keyword */
static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{ {
newsrv->check.use_ssl = 1; newsrv->check.use_ssl = 1;
ssl_sock_init_srv(newsrv); if (ssl_sock_init_srv(newsrv)) {
memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
return 0; return 0;
} }
@ -1502,8 +1511,12 @@ static int srv_parse_no_send_proxy_cn(char **args, int *cur_arg, struct proxy *p
static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{ {
/* if default-server have use_ssl, prepare ssl settings */ /* if default-server have use_ssl, prepare ssl settings */
if (newsrv->use_ssl == 1) if (newsrv->use_ssl == 1) {
ssl_sock_init_srv(newsrv); if (ssl_sock_init_srv(newsrv)) {
memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
}
else { else {
ha_free(&newsrv->ssl_ctx.ciphers); ha_free(&newsrv->ssl_ctx.ciphers);
} }
@ -1574,7 +1587,11 @@ static int srv_parse_sni(char **args, int *cur_arg, struct proxy *px, struct ser
static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{ {
newsrv->use_ssl = 1; newsrv->use_ssl = 1;
ssl_sock_init_srv(newsrv); if (ssl_sock_init_srv(newsrv)) {
memprintf(err, "'%s' : not enough memory", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
return 0; return 0;
} }