BUG/MEDIUM: ssl: Verify error codes can exceed 63

The CRT and CA verify error codes were stored in 6 bits each in the
xprt_st field of the ssl_sock_ctx, meaning that only error codes up to 63
could be stored. Likewise, the ca-ignore-err and crt-ignore-err options
relied on two unsigned long longs that were used as bitfields for all
the ignored error codes. On the latest OpenSSL1.1.1 and with OpenSSLv3
and newer, verify errors have exceeded this value so these two storages
must be increased. The error codes will now be stored on 7 bits each and
the ignore-err bitfields are replaced by a big enough array and
dedicated bit get and set functions.

It can be backported on all stable branches.

[wla: let it be tested a little while before backport]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
(cherry picked from commit 9b25982716f0416c28f8fc894c58eb40885cf9e5)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
(cherry picked from commit 64fa46abccf9f9599b575ba57ea4786c53fae9df)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 5653517c2eee4c97a545d3122d8ca84a045e819b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 654b020..fcd0416 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -758,7 +758,7 @@
 {
 	int code;
 	char *p = args[cur_arg + 1];
-	unsigned long long *ignerr = &conf->crt_ignerr;
+	unsigned long long *ignerr = conf->crt_ignerr_bitfield;
 
 	if (!*p) {
 		memprintf(err, "'%s' : missing error IDs list", args[cur_arg]);
@@ -766,21 +766,21 @@
 	}
 
 	if (strcmp(args[cur_arg], "ca-ignore-err") == 0)
-		ignerr = &conf->ca_ignerr;
+		ignerr = conf->ca_ignerr_bitfield;
 
 	if (strcmp(p, "all") == 0) {
-		*ignerr = ~0ULL;
+		cert_ignerr_bitfield_set_all(ignerr);
 		return 0;
 	}
 
 	while (p) {
 		code = atoi(p);
-		if ((code <= 0) || (code > 63)) {
-			memprintf(err, "'%s' : ID '%d' out of range (1..63) in error IDs list '%s'",
-			          args[cur_arg], code, args[cur_arg + 1]);
+		if ((code <= 0) || (code > SSL_MAX_VFY_ERROR_CODE)) {
+			memprintf(err, "'%s' : ID '%d' out of range (1..%d) in error IDs list '%s'",
+			          args[cur_arg], code, SSL_MAX_VFY_ERROR_CODE, args[cur_arg + 1]);
 			return ERR_ALERT | ERR_FATAL;
 		}
-		*ignerr |= 1ULL << code;
+		cert_ignerr_bitfield_set(ignerr, code);
 		p = strchr(p, ',');
 		if (p)
 			p++;
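Review bot: The token loop on the new side still derives the ID with `code = atoi(p);`, so a malformed token is not rejected as such: `abc` parses to 0 and is reported as "ID '0' out of range", while `10abc` or `10 20` is silently accepted as 10 and the rest of the token is dropped. For a list that selects which certificate-verification errors are ignored, a typo should fail the configuration rather than quietly change what is tolerated, so the token should be parsed with `strtol` and required to end at `'\0'` or `','` before the range check. From what is visible here, the comparison against SSL_MAX_VFY_ERROR_CODE is the only guard on the bit index passed to `cert_ignerr_bitfield_set`, so it must remain in front of that call regardless of whether the helper bounds-checks on its own, which this hunk does not show. The enclosing function starts before this hunk and its body continues after it.
```c
	while (p) {
		char *end;
		long val;

		/* strict parse: an empty token, trailing garbage or an out-of-range
		 * value is a configuration error. This check is what keeps the bit
		 * index inside the ignerr bitfield array.
		 */
		val = strtol(p, &end, 10);
		if (end == p || (*end != '\0' && *end != ',') ||
		    val <= 0 || val > SSL_MAX_VFY_ERROR_CODE) {
			memprintf(err, "'%s' : ID '%d' out of range (1..%d) in error IDs list '%s'",
			          args[cur_arg], (int)val, SSL_MAX_VFY_ERROR_CODE, args[cur_arg + 1]);
			return ERR_ALERT | ERR_FATAL;
		}
		code = (int)val;
		cert_ignerr_bitfield_set(ignerr, code);
		/* … unchanged: advance p past the next ',' … */
```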