| field | value | date |
|---|---|---|
| author | William Lallemand <wlallemand@haproxy.com> | 2020-11-19 16:24:13 +0100 |
| committer | William Lallemand <wlallemand@haproxy.org> | 2020-11-19 16:24:13 +0100 |
| commit | f69cd6873756510e6e4ef82624c16719da6f2c80 (patch) | |
| tree | 91c3f2d2ff02be286e49be81b3131d0816474040 | |
| parent | 02ec3fe669d4b134fe09560ac653e798017477d9 (diff) | |
| download | haproxy-f69cd6873756510e6e4ef82624c16719da6f2c80.tar.gz | |
BUG/MINOR: ssl: segv on startup when AKID but no keyid
In bug #959 it was reported that haproxy segfaults on startup when trying
to load a certificate which uses the X509v3 AKID extension but without the
keyid field.
This field is not mandatory and could be replaced by the serial or the
DirName.
For example:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Subject Key Identifier:
            42:7D:5F:6C:3E:0D:B7:2C:FD:6A:8A:32:C6:C6:B9:90:05:D1:B2:9B
        X509v3 Authority Key Identifier:
            DirName:/O=HAProxy Technologies/CN=HAProxy Test Intermediate CA
            serial:F2:AB:C1:41:9F:AB:45:8E:86:23:AD:C5:54:ED:DF:FA
This bug was introduced by 70df7b ("MINOR: ssl: add "issuers-chain-path" directive").
This patch must be backported as far as 2.2.
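The certificate shape the commit message describes, as an added example that is not part of this patch or of HAProxy's code base: a stand-alone DER walker in C for the AuthorityKeyIdentifier value. It shows that keyIdentifier is only one of three OPTIONAL members of that SEQUENCE, so an index keyed on it has to treat its absence as a normal outcome rather than a crash. The function names (`akid_parse`, `akid_index_key`), the two input buffers and the FNV-1a hash (a stand-in for the XXH64 call in ssl_sock.c) are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an AuthorityKeyIdentifier value (RFC 5280, 4.2.1.1):
 *   SEQUENCE { keyIdentifier [0] OPTIONAL, authorityCertIssuer [1] OPTIONAL,
 *              authorityCertSerialNumber [2] OPTIONAL }
 * Every member is OPTIONAL, so keyid may be NULL after a successful parse. */
struct akid_view {
    const uint8_t *keyid;  size_t keyid_len;
    int has_issuer;
    const uint8_t *serial; size_t serial_len;
};

/* Read one DER TLV at *p (bounded by end) and advance *p past it; 0 if malformed. */
static int der_tlv(const uint8_t **p, const uint8_t *end, uint8_t *tag,
                   const uint8_t **val, size_t *len)
{
    const uint8_t *q = *p;
    size_t l;
    if (end - q < 2) return 0;
    *tag = *q++;
    l = *q++;
    if (l & 0x80) {                                  /* long-form length */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - q) < n)
            return 0;
        for (l = 0; n; n--)
            l = (l << 8) | *q++;
    }
    if ((size_t)(end - q) < l) return 0;
    *val = q; *len = l; *p = q + l;
    return 1;
}

/* Parse the DER extension value; 1 on success (out->keyid may still be NULL), 0 if malformed. */
int akid_parse(const uint8_t *der, size_t der_len, struct akid_view *out)
{
    const uint8_t *p = der, *end = der + der_len, *val;
    uint8_t tag;
    size_t len;
    memset(out, 0, sizeof(*out));
    if (!der_tlv(&p, end, &tag, &val, &len) || tag != 0x30 || p != end)
        return 0;                                    /* exactly one SEQUENCE */
    for (p = val, end = val + len; p < end; ) {
        if (!der_tlv(&p, end, &tag, &val, &len)) return 0;
        switch (tag) {
        case 0x80: out->keyid = val;  out->keyid_len = len;  break; /* [0] IMPLICIT OCTET STRING */
        case 0xA1: out->has_issuer = 1;                      break; /* [1] IMPLICIT GeneralNames */
        case 0x82: out->serial = val; out->serial_len = len; break; /* [2] IMPLICIT INTEGER */
        default:   return 0;                                        /* not an AKID member */
        }
    }
    return 1;
}

/* The guarded indexing step: hash the keyid only when it is present.
 * Returns 1 with the hash in *hk, or 0 when there is nothing to index by
 * (absent keyid or unparseable extension). FNV-1a stands in for XXH64 here. */
int akid_index_key(const uint8_t *der, size_t der_len, uint64_t *hk)
{
    struct akid_view a;
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t i;
    if (!akid_parse(der, der_len, &a) || !a.keyid)   /* i.e. akid && akid->keyid */
        return 0;
    for (i = 0; i < a.keyid_len; i++)
        h = (h ^ a.keyid[i]) * 0x100000001b3ULL;
    *hk = h;
    return 1;
}

/* Constructed sample: AKID carrying only a 20-byte keyIdentifier. */
const uint8_t AKID_KEYID_ONLY[] = {
    0x30, 0x16, 0x80, 0x14,
    0x42, 0x7D, 0x5F, 0x6C, 0x3E, 0x0D, 0xB7, 0x2C, 0xFD, 0x6A,
    0x8A, 0x32, 0xC6, 0xC6, 0xB9, 0x90, 0x05, 0xD1, 0xB2, 0x9B
};

/* Constructed sample: directoryName issuer (CN=CA) plus serial 0x0102, no keyid. */
const uint8_t AKID_ISSUER_SERIAL[] = {
    0x30, 0x17,
      0xA1, 0x11, 0xA4, 0x0F,                       /* [1] GeneralNames > directoryName */
        0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,         /* Name > RDN > AttributeTypeAndValue */
          0x06, 0x03, 0x55, 0x04, 0x03,             /* id-at-commonName */
          0x0C, 0x02, 'C', 'A',                     /* UTF8String "CA" */
      0x82, 0x02, 0x01, 0x02                        /* [2] serial */
};

int main(void)
{
    uint64_t hk;
    printf("keyid-only AKID indexed: %d\n",
           akid_index_key(AKID_KEYID_ONLY, sizeof AKID_KEYID_ONLY, &hk));
    printf("issuer+serial AKID indexed: %d (skipped, not dereferenced)\n",
           akid_index_key(AKID_ISSUER_SERIAL, sizeof AKID_ISSUER_SERIAL, &hk));
    return 0;
}
```

The second buffer is the exact case from the report: a valid AKID, parsed without error, whose keyid pointer is NULL. Any code that dereferences it without the `akid->keyid` test crashes on a perfectly legal certificate, which is why the guard belongs on the keyid, not just on the extension.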
-rw-r--r-- | src/ssl_sock.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 48ec9a071..d6d048789 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -6271,7 +6271,7 @@ int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err) struct issuer_chain *issuer = NULL; akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL); - if (akid) { + if (akid && akid->keyid) { struct eb64_node *node; u64 hk; hk = XXH64(ASN1_STRING_get0_data(akid->keyid), ASN1_STRING_length(akid->keyid), 0); |
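Review bot: the new condition `if (akid && akid->keyid)` in ssl_load_global_issuer_from_BIO() removes the NULL dereference in `ASN1_STRING_get0_data(akid->keyid)`, but it also means a certificate whose AKID carries only DirName/serial is now silently never entered into the eb64 tree keyed by the keyid hash, so it can never be matched through issuers-chain-path; the commit message presents that as a legitimate certificate shape, so the skip deserves at least a comment on the `if`, or a warning through `err`, rather than silence. Also confirm where the AUTHORITY_KEYID returned by `X509_get_ext_d2i()` is released: the visible context does not show the free, and if it sits inside the guarded block, the newly skipped keyid-less case leaks it.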