BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store
The "abort ssl cert" command is buggy and removes the current ckch store,
and instances, leading to SNI removal. It must only remove the new one.
This patch also adds a check in set_ssl_cert.vtc and
set_ssl_server_cert.vtc.
Must be backported as far as 2.2.
diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc
index 0e84058..d6d4526 100644
--- a/reg-tests/ssl/set_ssl_cert.vtc
+++ b/reg-tests/ssl/set_ssl_cert.vtc
@@ -86,3 +86,14 @@
rxresp
expect resp.status == 200
} -run
+
+shell {
+ printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
+}
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/common.pem"
+ expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
+}
+
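Review bot: The added `shell` block passes the certificate body to `printf` inside the format string rather than as an argument, so any `%` in the file would be consumed as a conversion and the text handed to the CLI would no longer match the file; `printf 'set ssl cert %s <<\n%s\n\n' "${testdir}/common.pem" "$(cat "${testdir}/common.pem")" | socat "${tmpdir}/h1/stats" -` keeps the data out of the format, and the same pattern is used on the `set ssl cert` line of the set_ssl_server_cert.vtc hunk. The block also never verifies that the `set ssl cert` step actually opened a transaction, so if it failed (socat unable to reach the stats socket, a rejected payload) the later fingerprint check would still pass without `abort ssl cert` having had anything to abort; capturing the CLI response and matching its success message, or at least making the shell block fail on a non-zero socat exit, would make the regression test meaningful. The expected fingerprint is hard-coded, so it also documents that `common.pem` must not be regenerated without updating this line.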
diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index cab2d04..412e9f0 100644
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -108,3 +108,23 @@
expect resp.http.x-ssl == "Revoked"
} -run
+# Abort a transaction
+shell {
+ printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "abort ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+}
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/client1.pem"
+ expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
+}
+
+# The certificate was not updated so it should still be revoked
+client c1 -connect ${h1_clearlst_sock} {
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Revoked"
+} -run
+
+
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 62e7b44..e8a20c3 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1742,7 +1742,6 @@
/* Only free the ckchs there, because the SNI and instances were not generated yet */
ckch_store_free(ckchs_transaction.new_ckchs);
ckchs_transaction.new_ckchs = NULL;
- ckch_store_free(ckchs_transaction.old_ckchs);
ckchs_transaction.old_ckchs = NULL;
free(ckchs_transaction.path);
ckchs_transaction.path = NULL;
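Review bot: The comment `/* Only free the ckchs there, because the SNI and instances were not generated yet */` now sits above code that frees only `new_ckchs` and merely detaches `old_ckchs`, so it still reads as if both stores were being released, which is exactly the mistake the removed line made; rewording it to `/* Only free the new ckchs here: the SNI and instances were not generated yet, and old_ckchs is still owned by the store tree, so it is only unreferenced */` records the ownership rule and makes a reintroduction of the free stand out. The statement that the old store remains owned elsewhere is inferred from the fix rather than visible in the hunk, so confirm it against the lookup that fills `old_ckchs` before wording it that strongly. The enclosing function starts and ends outside the hunk.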