RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-19 12:16:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: ssl: memory leak when find_chain is NULL

Browse Source 
This bug was introduced by 85888573 "BUG/MEDIUM: ssl: chain must be
initialized with sk_X509_new_null()". No need to set find_chain with
sk_X509_new_null(), use find_chain conditionally to fix issue #516.

This bug was referenced by issue #559.

[wla: fix some alignment/indentation issue]
This commit is contained in:
Emmanuel Hocdet 2020-03-23 10:31:47 +01:00 committed by William Lallemand
parent 3328f18596
commit f4f14eacd3
1 changed files with 21 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/ssl_sock.c
View File

@ -3634,33 +3634,30 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
find_chain = issuer->chain;
}
/* If we didn't find a chain we *MUST* use an empty X509 structure */
if (find_chain == NULL)
find_chain = sk_X509_new_null();
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
if (find_chain)
#ifdef SSL_CTX_set1_chain
if (!SSL_CTX_set1_chain(ctx, find_chain)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
}
if (!SSL_CTX_set1_chain(ctx, find_chain)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
}
#else
{ /* legacy compat (< openssl 1.0.2) */
X509 *ca;
STACK_OF(X509) *chain;
chain = X509_chain_up_ref(find_chain);
while ((ca = sk_X509_shift(chain)))
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path);
X509_free(ca);
sk_X509_pop_free(chain, X509_free);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
}
}
{ /* legacy compat (< openssl 1.0.2) */
X509 *ca;
STACK_OF(X509) *chain;
chain = X509_chain_up_ref(find_chain);
while ((ca = sk_X509_shift(chain)))
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path);
X509_free(ca);
sk_X509_pop_free(chain, X509_free);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
}
}
#endif
#ifndef OPENSSL_NO_DH