LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6506 Commits
1 Branch
46 MiB
Tree: 13f9c9d648
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '13f9c9d648'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0011-BUG-MINOR-ssl-prevent-...

70 lines
2.1 KiB
Raw Normal View History

haproxy: bump to version 1.6.9 mainline and pending patches Signed-off-by: heil <heil@terminal-consulting.de>
8 years ago
 
  1. From b2b0eab46a8ae36f2dd49159e65c90c1089a0f96 Mon Sep 17 00:00:00 2001
  2. From: "Thierry FOURNIER / OZON.IO" <thierry.fournier@ozon.io>
  3. Date: Thu, 6 Oct 2016 10:56:48 +0200
  4. Subject: [PATCH 11/26] BUG/MINOR: ssl: prevent multiple entries for the same
  5.  certificate
  6. 

  7. Today, the certificate are indexed int he SNI tree using their CN and the
  8. list of thier AltNames. So, Some certificates have the same names in the
  9. CN and one of the AltNames entries.
  10. 

  11. Typically Let's Encrypt duplicate the the DNS name in the CN and the
  12. AltName.
  13. 

  14. This patch prevents the creation of identical entries in the trees. It
  15. checks the same DNS name and the same SSL context.
  16. 

  17. If the same certificate is registered two time it will be duplicated.
  18. 

  19. This patch should be backported in the 1.6 and 1.5 version.
  20. (cherry picked from commit 07c3d78c2c0693ee37db71c34723597638b6ab3f)
  21. ---

  22.  src/ssl_sock.c | 22 +++++++++++++++++++---
  23.  1 file changed, 19 insertions(+), 3 deletions(-)
  24. 

  25. diff --git a/src/ssl_sock.c b/src/ssl_sock.c

  26. index 5f9a203..ad8054d 100644

  27. --- a/src/ssl_sock.c

  28. +++ b/src/ssl_sock.c

  29. @@ -1556,6 +1556,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, char *name,

  30.  {
  31.  	struct sni_ctx *sc;
  32.  	int wild = 0, neg = 0;
  33. +	struct ebmb_node *node;

  34.  
  35.  	if (*name == '!') {
  36.  		neg = 1;
  37. @@ -1571,12 +1572,27 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, char *name,

  38.  	if (*name) {
  39.  		int j, len;
  40.  		len = strlen(name);
  41. +		for (j = 0; j < len && j < trash.size; j++)

  42. +			trash.str[j] = tolower(name[j]);

  43. +		if (j >= trash.size)

  44. +			return order;

  45. +		trash.str[j] = 0;

  46. +

  47. +		/* Check for duplicates. */

  48. +		if (wild)

  49. +			node = ebst_lookup(&s->sni_w_ctx, trash.str);

  50. +		else

  51. +			node = ebst_lookup(&s->sni_ctx, trash.str);

  52. +		for (; node; node = ebmb_next_dup(node)) {

  53. +			sc = ebmb_entry(node, struct sni_ctx, name);

  54. +			if (sc->ctx == ctx && sc->neg == neg)

  55. +				return order;

  56. +		}

  57. +

  58.  		sc = malloc(sizeof(struct sni_ctx) + len + 1);
  59.  		if (!sc)
  60.  			return order;
  61. -		for (j = 0; j < len; j++)

  62. -			sc->name.key[j] = tolower(name[j]);

  63. -		sc->name.key[len] = 0;

  64. +		memcpy(sc->name.key, trash.str, len + 1);

  65.  		sc->ctx = ctx;
  66.  		sc->order = order++;
  67.  		sc->neg = neg;
  68. -- 

  69. 2.7.3
  70.