BUG/MINOR: ssl: Prevent disk access when using "add ssl crt-list"
author Remi Tricot-Le Breton <rlebreton@haproxy.com>
Tue, 23 Mar 2021 15:41:53 +0000 (16:41 +0100)
committer Christopher Faulet <cfaulet@haproxy.com>
Wed, 24 Mar 2021 16:03:03 +0000 (17:03 +0100)
commit bcec63ec8ac76468558bdabaef6dc8905de194ae
tree 848b5a5193de6048bef8be699e27341b8d116627
parent 0f1d06d2b4e5586f4e21b25f5daf9100eb674e92

If an unknown CA file was first mentioned in an "add ssl crt-list" CLI
command, it would result in a call to X509_STORE_load_locations which
performs a disk access which is forbidden during runtime. The same would
happen if a "ca-verify-file" or "crl-file" was specified. This was due
to the fact that the crt-list file parsing and the crt-list related CLI
commands parsing use the same functions.
The patch simply adds a new parameter to all the ssl_bind parsing
functions so that they know if the call is made during init or by the
CLI, and the ssl_store_load_locations function can then reject any new
cafile_entry creation coming from a CLI call.

It can be backported as far as 2.2.

(cherry picked from commit fb00f31af4ba67c69a12807729514a2bdcd47efa)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
include/haproxy/listener-t.h
include/haproxy/ssl_crtlist.h
include/haproxy/ssl_sock.h
reg-tests/ssl/add_ssl_crt-list.vtc
src/cfgparse-ssl.c
src/ssl_crtlist.c
src/ssl_sock.c