LILiK
/
openwrt-packages-dist


								commit 6338b7d4a884639f98823e885325a50750f72e04

								Author: William Lallemand <wlallemand@haproxy.org>

								Date:   Tue Dec 28 18:47:17 2021 +0100


								    BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server


								    This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client

								    certificates in a ckch for backend servers") in which the creation of

								    the SSL_CTX for a server was moved to the configuration parser when

								    using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx().


								    The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by

								    server") made it worse by setting the same SSL_CTX for every servers

								    using a default-server. Resulting in any SSL option on a server applied

								    to every server in its backend.


								    This patch fixes the issue by reintroducing a string which store the

								    path of certificate inside the server structure, and loading the

								    certificate in ssl_sock_prepare_srv_ctx() again.


								    This is a quick fix to backport, a cleaner way can be achieve by always

								    creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting

								    properly the ssl_sock_load_srv_cert() function.


								    This patch fixes issue #1488.


								    Must be backported as far as 2.4.


								    (cherry picked from commit 2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32)

								    Signed-off-by: Willy Tarreau <w@1wt.eu>

								    (cherry picked from commit 2f3c354b6cdc21ee185e263b5c7422c86ae58c98)

								    [wt: ssl_sock_load_srv_cert() doesn't take the create_if_none arg in 2.4,

								         thus adjust context and make sure ssl_sock_prepare_srv_ctx() matches

								         what srv_parse_crt() used to do]

								    Signed-off-by: Willy Tarreau <w@1wt.eu>


								--- a/include/haproxy/server-t.h

								+++ b/include/haproxy/server-t.h

								@@ -364,6 +364,7 @@ struct server {

								 		char *verify_host;              /* hostname of certificate must match this host */

								 		char *ca_file;			/* CAfile to use on verify */

								 		char *crl_file;			/* CRLfile to use on verify */

								+		char *client_crt;		/* client certificate to send */

								 		struct sample_expr *sni;        /* sample expression for SNI */

								 #ifdef OPENSSL_NPN_NEGOTIATED

								 		char *npn_str;                  /* NPN protocol string */

								--- a/reg-tests/ssl/ssl_default_server.vtc

								+++ b/reg-tests/ssl/ssl_default_server.vtc

								@@ -15,7 +15,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'versi

								 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"

								 feature ignore_unknown_macro


								-server s1 -repeat 7 {

								+server s1 -repeat 10 {

								   rxreq

								   txresp

								 } -start

								@@ -56,7 +56,10 @@ haproxy h1 -conf {


								     backend third_be

								         default-server ssl crt client1.pem ca-file ca-auth.crt verify none

								-        server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem

								+        server s1 "${tmpdir}/ssl.sock"

								+        server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem

								+        server s3 "${tmpdir}/ssl.sock"

								+        server s4 "${tmpdir}/ssl.sock"


								     backend fourth_be

								         default-server ssl crt client1.pem verify none

								@@ -106,9 +109,25 @@ client c1 -connect ${h1_clearlst_sock} {

								     txreq

								     rxresp

								     expect resp.status == 200

								+    expect resp.http.x-ssl == "Ok"

								+} -run

								+

								+client c1 -connect ${h1_clearlst_sock} {

								+    txreq -url "/third"

								+    txreq

								+    rxresp

								+    expect resp.status == 200

								     expect resp.http.x-ssl == "Expired"

								 } -run


								+client c1 -connect ${h1_clearlst_sock} -repeat 2 {

								+    txreq -url "/third"

								+    txreq

								+    rxresp

								+    expect resp.status == 200

								+    expect resp.http.x-ssl == "Ok"

								+} -run

								+

								 client c1 -connect ${h1_clearlst_sock} {

								     txreq -url "/fourth"

								     txreq

								--- a/src/cfgparse-ssl.c

								+++ b/src/cfgparse-ssl.c

								@@ -1450,25 +1450,17 @@ static int srv_parse_crl_file(char **arg

								 /* parse the "crt" server keyword */

								 static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)

								 {

								-	int retval = -1;

								-	char *path = NULL;

								-

								 	if (!*args[*cur_arg + 1]) {

								 		memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);

								 		return ERR_ALERT | ERR_FATAL;

								 	}


								 	if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base)

								-		memprintf(&path, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);

								+		memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);

								 	else

								-		memprintf(&path, "%s", args[*cur_arg + 1]);

								-

								-	if (path) {

								-		retval = ssl_sock_load_srv_cert(path, newsrv, err);

								-		free(path);

								-	}

								+		memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);


								-	return retval;

								+	return 0;

								 }


								 /* parse the "no-check-ssl" server keyword */

								--- a/src/server.c

								+++ b/src/server.c

								@@ -2063,6 +2063,8 @@ static void srv_conn_src_cpy(struct serv

								 static void srv_ssl_settings_cpy(struct server *srv, struct server *src)

								 {

								 	/* <src> is the current proxy's default server and SSL is enabled */

								+	BUG_ON(src->ssl_ctx.ctx != NULL); /* the SSL_CTX must never be initialized in a default-server */

								+

								 	if (src == &srv->proxy->defsrv && src->use_ssl == 1)

								 		srv->flags |= SRV_F_DEFSRV_USE_SSL;


								@@ -2070,10 +2072,11 @@ static void srv_ssl_settings_cpy(struct

								 		srv->ssl_ctx.ca_file = strdup(src->ssl_ctx.ca_file);

								 	if (src->ssl_ctx.crl_file != NULL)

								 		srv->ssl_ctx.crl_file = strdup(src->ssl_ctx.crl_file);

								+	if (src->ssl_ctx.client_crt != NULL)

								+		srv->ssl_ctx.client_crt = strdup(src->ssl_ctx.client_crt);


								 	srv->ssl_ctx.verify = src->ssl_ctx.verify;


								-	srv->ssl_ctx.ctx = src->ssl_ctx.ctx;


								 	if (src->ssl_ctx.verify_host != NULL)

								 		srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);

								--- a/src/ssl_sock.c

								+++ b/src/ssl_sock.c

								@@ -4669,7 +4669,7 @@ int ssl_sock_prepare_srv_ctx(struct serv

								 {

								 	struct proxy *curproxy = srv->proxy;

								 	int cfgerr = 0;

								-	SSL_CTX *ctx = srv->ssl_ctx.ctx;

								+	SSL_CTX *ctx;


								 	/* Make sure openssl opens /dev/urandom before the chroot */

								 	if (!ssl_initialize_random()) {

								@@ -4693,6 +4693,26 @@ int ssl_sock_prepare_srv_ctx(struct serv

								 	if (srv->use_ssl == 1)

								 		srv->xprt = &ssl_sock;


								+	if (srv->ssl_ctx.client_crt) {

								+		char *err = NULL;

								+		int err_code = 0;

								+

								+		/* If there is a crt keyword there, the SSL_CTX will be created here. */

								+		err_code = ssl_sock_load_srv_cert(srv->ssl_ctx.client_crt, srv, &err);

								+		if (err_code != ERR_NONE) {

								+			if ((err_code & ERR_WARN) && !(err_code & ERR_ALERT))

								+				ha_warning("%s", err);

								+			else

								+				ha_alert("%s", err);

								+

								+			if (err_code & (ERR_FATAL|ERR_ABORT))

								+				cfgerr++;

								+		}

								+		ha_free(&err);

								+	}

								+

								+	ctx = srv->ssl_ctx.ctx;

								+

								 	/* The context will be uninitialized if there wasn't any "cert" option

								 	 * in the server line. */

								 	if (!ctx) {