From: William Lallemand
Date: Mon, 1 Feb 2021 14:31:00 +0000 (+0100)
Subject: BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store
X-Git-Tag: v2.1.12~56
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=dd6762211f9b7cd95a1b7a61bbb2f0a17bcff72d;p=haproxy-2.1.git

BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store

The "abort ssl cert" command is buggy and removes the current ckch store, and instances, leading to SNI removal. It must only remove the new one.

This patch also adds a check in set_ssl_cert.vtc and set_ssl_server_cert.vtc.

Must be backported as far as 2.2.

(cherry picked from commit 8695ce0bae21238eba660438c819797a245be71e)
[wt: dropped reg-tests/ssl/set_ssl_server_cert.vtc]
Signed-off-by: Willy Tarreau
(cherry picked from commit 3d6ebec8d3a957e191b70b67fe9682cb79c107c4)
Signed-off-by: Christopher Faulet
(cherry picked from commit 9b3473811b48e1e86f93004a48621c4637c0a809)
[cf: Backport to 2.1 also required; context adjustment]
Signed-off-by: Christopher Faulet
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f3b5094..6bf7ae9 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -10652,7 +10652,6 @@ static int cli_parse_abort_cert(char **args, char *payload, struct appctx *appct /* Only free the ckchs there, because the SNI and instances were not generated yet */ ckchs_free(ckchs_transaction.new_ckchs); ckchs_transaction.new_ckchs = NULL; - ckchs_free(ckchs_transaction.old_ckchs); ckchs_transaction.old_ckchs = NULL; free(ckchs_transaction.path); ckchs_transaction.path = NULL;
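
Review bot: In cli_parse_abort_cert(), the retained `ckchs_transaction.old_ckchs = NULL;` now drops the pointer without a matching free, and nothing in the hunk says why that is correct. The existing comment only covers new_ckchs ("the SNI and instances were not generated yet"); a short comment beside the old_ckchs assignment, stating that the old store is the one currently in use and is only detached from the transaction here, would stop a later reader from re-adding the ckchs_free() call as a presumed leak fix and reintroducing the freeing of the old store. Separately, the commit message says a check is added to set_ssl_cert.vtc, but this diff touches only src/ssl_sock.c and the backport notes mention dropping only set_ssl_server_cert.vtc; the 2.1 backport note should say whether the set_ssl_cert.vtc check was dropped as well.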