BUG/MINOR: ssl: Prevent disk access when using "add ssl crt-list"

If an unknown CA file was first mentioned in an "add ssl crt-list" CLI
command, it would result in a call to X509_STORE_load_locations, which
performs a disk access, something that is forbidden at runtime. The same
would happen if a "ca-verify-file" or "crl-file" was specified. This
happened because the crt-list file parsing and the crt-list related CLI
command parsing use the same functions.
The patch simply adds a new parameter to all the ssl_bind parsing
functions so that they know if the call is made during init or by the
CLI, and the ssl_store_load_locations function can then reject any new
cafile_entry creation coming from a CLI call.

It can be backported as far as 2.2.

(cherry picked from commit fb00f31af4ba67c69a12807729514a2bdcd47efa)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 077d6da..976e4be 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -311,7 +311,7 @@
  *  <crt_path> is a ptr in <line>
  *  Return an error code
  */
-int crtlist_parse_line(char *line, char **crt_path, struct crtlist_entry *entry, const char *file, int linenum, char **err)
+int crtlist_parse_line(char *line, char **crt_path, struct crtlist_entry *entry, const char *file, int linenum, int from_cli, char **err)
 {
 	int cfgerr = 0;
 	int arg, newarg, cur_arg, i, ssl_b = 0, ssl_e = 0;
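Review bot: The doc comment above crtlist_parse_line is left unchanged, so the new `from_cli` parameter is undocumented even though it decides whether the keyword parsers may touch the disk. I would add a line such as `*  <from_cli> is 1 when the line comes from the CLI at runtime (no new CA/CRL file may be loaded), 0 during init` to that comment. The comment starts above the hunk and the function body continues below it.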
@@ -395,13 +395,14 @@
 			goto error;
 		}
 	}
+
 	cur_arg = ssl_b ? ssl_b : 1;
 	while (cur_arg < ssl_e) {
 		newarg = 0;
 		for (i = 0; ssl_bind_kws[i].kw != NULL; i++) {
 			if (strcmp(ssl_bind_kws[i].kw, args[cur_arg]) == 0) {
 				newarg = 1;
-				cfgerr |= ssl_bind_kws[i].parse(args, cur_arg, NULL, ssl_conf, err);
+				cfgerr |= ssl_bind_kws[i].parse(args, cur_arg, NULL, ssl_conf, from_cli, err);
 				if (cur_arg + 1 + ssl_bind_kws[i].skip > ssl_e) {
 					memprintf(err, "parsing [%s:%d]: ssl args out of '[]' for %s",
 					          file, linenum, args[cur_arg]);
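Review bot: The `ssl args out of '[]'` range check still runs after `ssl_bind_kws[i].parse(...)` has been called, so a keyword whose arguments extend past `ssl_e` is handed to its parser before the line is rejected. With `from_cli` set, the parser should now refuse to create a new file entry, but on the init path it may still act on an argument that is about to be reported as invalid. Consider evaluating `cur_arg + 1 + ssl_bind_kws[i].skip > ssl_e` before the parse call, so that only in-range arguments reach the parsers. The loop body continues outside the hunk, so this is inferred from the visible lines only.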
@@ -512,7 +513,7 @@
 			goto error;
 		}
 
-		cfgerr |= crtlist_parse_line(thisline, &crt_path, entry, file, linenum, err);
+		cfgerr |= crtlist_parse_line(thisline, &crt_path, entry, file, linenum, 0, err);
 		if (cfgerr & ERR_CODE)
 			goto error;
 
@@ -1216,7 +1217,7 @@
 			goto error;
 		}
 		/* cert_path is filled here */
-		cfgerr |= crtlist_parse_line(payload, &cert_path, entry, "CLI", 1, &err);
+		cfgerr |= crtlist_parse_line(payload, &cert_path, entry, "CLI", 1, 1, &err);
 		if (cfgerr & ERR_CODE)
 			goto error;
 	} else {
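Review bot: The call `crtlist_parse_line(payload, &cert_path, entry, "CLI", 1, 1, &err)` now passes two adjacent bare `1` literals, `linenum` and `from_cli`, which are easy to swap or misread, and this flag is what keeps the CLI path from triggering a disk access. An inline marker such as `"CLI", 1, /* from_cli */ 1, &err` would make the intent visible. The init-time call in the previous hunk (`linenum, 0, err`) would benefit from the same `/* from_cli */` marker. The enclosing function starts and ends outside the hunk.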