From: William Lallemand Date: Thu, 27 Feb 2020 13:48:35 +0000 (+0100) Subject: BUG/MEDIUM: ssl: chain must be initialized with sk_X509_new_null() X-Git-Tag: v2.2-dev4~115 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85888573;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: chain must be initialized with sk_X509_new_null() Even when there isn't a chain, it must be initialized to an empty X509 structure with sk_X509_new_null(). This patch fixes a segfault which appears with older versions of the SSL libs (openssl 0.9.8, libressl 2.8.3...) because X509_chain_up_ref() does not check the pointer. This bug was introduced by b90d2cb ("MINOR: ssl: resolve issuers chain later"). Should fix issue #516. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 80356aaa0e..577f785539 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3629,6 +3629,11 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an if (issuer) find_chain = issuer->chain; } + + /* If we didn't find a chain we *MUST* use an empty X509 structure */ + if (find_chain == NULL) + find_chain = sk_X509_new_null(); + /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ #ifdef SSL_CTX_set1_chain if (!SSL_CTX_set1_chain(ctx, find_chain)) {
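
Review bot: The stack allocated by the added `find_chain = sk_X509_new_null();` is neither checked for NULL nor visibly released. `sk_X509_new_null()` returns NULL on allocation failure, which would send the same NULL pointer into the path this patch is guarding (the commit message says `X509_chain_up_ref()` does not check the pointer on older libraries), so a check that fails the function with an error would close that gap. On the `SSL_CTX_set1_chain` branch the `set1` call does not take ownership of the caller's stack, so when `find_chain` was allocated here rather than borrowed from `issuer->chain` it needs a matching `sk_X509_free()` before the function returns. The lines shown do not include one, so this is worth confirming against the rest of the function.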