upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-15 21:59:41 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded

Browse source 
When using "set ssl cert" on the CLI, if we load a new PEM, the previous
sctl, issuer and OCSP response are still loaded. This doesn't make any
sense since they won't be usable with a new private key.

This patch free the previous data.

Should be backported in 2.1.
This commit is contained in:
William Lallemand 2020-01-23 10:56:05 +01:00 committed by William Lallemand
parent d0142e7224
commit 75b15f790f
1 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/ssl_sock.c
View file

@ -3357,6 +3357,26 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
goto end;
}
/* once it loaded the PEM, it should remove everything else in the ckch */
if (ckch->ocsp_response) {
free(ckch->ocsp_response->area);
ckch->ocsp_response->area = NULL;
free(ckch->ocsp_response);
ckch->ocsp_response = NULL;
}
if (ckch->sctl) {
free(ckch->sctl->area);
ckch->sctl->area = NULL;
free(ckch->sctl);
ckch->sctl = NULL;
}
if (ckch->ocsp_issuer) {
X509_free(ckch->ocsp_issuer);
ckch->ocsp_issuer = NULL;
}
/* no error, fill ckch with new context, old context will be free at end: */
SWAP(ckch->key, key);
SWAP(ckch->dh, dh);