git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Thu, 10 Nov 2022 09:48:58 +0000 (10:48 +0100)
committer	William Lallemand <wlallemand@haproxy.org>
	Thu, 10 Nov 2022 10:45:48 +0000 (11:45 +0100)
commit	9b25982716f0416c28f8fc894c58eb40885cf9e5
tree	c52cee1ac3fab4dcfe3aa4c0bbd2e44f0e6c5749	tree
parent	6397c7c55ff26eb11a7be66fb4d4f033fd47c762	commit \| diff

BUG/MEDIUM: ssl: Verify error codes can exceed 63

The CRT and CA verify error codes were stored in 6 bits each in the
xprt_st field of the ssl_sock_ctx meaning that only error code up to 63
could be stored. Likewise, the ca-ignore-err and crt-ignore-err options
relied on two unsigned long longs that were used as bitfields for all
the ignored error codes. On the latest OpenSSL1.1.1 and with OpenSSLv3
and newer, verify errors have exceeded this value so these two storages
must be increased. The error codes will now be stored on 7 bits each and
the ignore-err bitfields are replaced by a big enough array and
dedicated bit get and set functions.

It can be backported on all stable branches.

[wla: let it be tested a little while before backport]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>

include/haproxy/listener-t.h		diff \| blob \| blame \| history
include/haproxy/ssl_sock-t.h		diff \| blob \| blame \| history
include/haproxy/ssl_sock.h		diff \| blob \| blame \| history
src/cfgparse-ssl.c		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history