RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-26 12:58:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: ssl: abort on sni allocation failure

Browse Source 
The ssl_sock_add_cert_sni() function never return an error when a
sni_ctx allocation fail. It silently ignores the problem and continues
to try to allocate other snis.

It is unlikely that a sni allocation will succeed after one failure and
start a configuration without all the snis. But to avoid any problem we
return a -1 upon an sni allocation error and stop the configuration
parsing.

This patch must be backported in every version supporting the crt-list
sni filters. (as far as 1.5)
This commit is contained in:
William Lallemand 2019-10-03 23:46:33 +02:00 committed by William Lallemand
parent 222a7c6ae0
commit fe49bb3d0c
1 changed files with 22 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/ssl_sock.c
View File

@ -2764,7 +2764,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, struct ssl_b
for (j = 0; j < len && j < trash.size; j++) for (j = 0; j < len && j < trash.size; j++)
trash.area[j] = tolower(name[j]); trash.area[j] = tolower(name[j]);
if (j >= trash.size) if (j >= trash.size)
return order; return -1;
trash.area[j] = 0; trash.area[j] = 0;
/* Check for duplicates. */ /* Check for duplicates. */
@ -2780,7 +2780,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, struct ssl_b
sc = malloc(sizeof(struct sni_ctx) + len + 1); sc = malloc(sizeof(struct sni_ctx) + len + 1);
if (!sc) if (!sc)
return order; return -1;
memcpy(sc->name.key, trash.area, len + 1); memcpy(sc->name.key, trash.area, len + 1);
sc->ctx = ctx; sc->ctx = ctx;
sc->conf = conf; sc->conf = conf;
@ -3331,7 +3331,12 @@ static int ssl_sock_load_multi_ckchs(const char *path, struct ckch_store *ckchs,
/* Update SNI Tree */ /* Update SNI Tree */
key_combos[i-1].order = ssl_sock_add_cert_sni(cur_ctx, bind_conf, ssl_conf, key_combos[i-1].order = ssl_sock_add_cert_sni(cur_ctx, bind_conf, ssl_conf,
kinfo, str, key_combos[i-1].order); kinfo, str, key_combos[i-1].order);
if (key_combos[i-1].order < 0) {
memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
rv = 1;
goto end;
}
node = ebmb_next(node); node = ebmb_next(node);
} }
@ -3424,8 +3429,13 @@ static int ssl_sock_load_ckchs(const char *path, struct ckch_store *ckchs, struc
} }
if (fcount) { if (fcount) {
while (fcount--) while (fcount--) {
order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, sni_filter[fcount], order); order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, sni_filter[fcount], order);
if (order < 0) {
memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
return 1;
}
}
} }
else { else {
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
@ -3437,6 +3447,10 @@ static int ssl_sock_load_ckchs(const char *path, struct ckch_store *ckchs, struc
if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) { if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order); order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order);
OPENSSL_free(str); OPENSSL_free(str);
if (order < 0) {
memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
return 1;
}
} }
} }
} }
@ -3453,6 +3467,10 @@ static int ssl_sock_load_ckchs(const char *path, struct ckch_store *ckchs, struc
if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) { if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order); order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order);
OPENSSL_free(str); OPENSSL_free(str);
if (order < 0) {
memprintf(err, "%sunable to create a sni context.\n", err && *err ? *err : "");
return 1;
}
} }
} }
} }