BUG/MEDIUM: ssl: fix wolfSSL use-after-free in X509_STORE_getX_objects#34
Draft
wolfSSL's X509_STORE_get0_objects() decrements the reference count of X509 objects in store->objs on every call via X509StoreFreeObjList (when WOLFSSL_SIGNER_DER_CERT is defined). Since haproxy calls X509_STORE_getX_objects() on the same store from multiple places (ssl_ckch.c during initial load, ssl_sock.c:ssl_set_cert_crl_file, and ssl_sock.c:ssl_get_client_ca_file), the X509 objects' reference counts reach zero and get freed while still referenced, causing a heap-use-after-free.

Fix this by adding a wolfSSL-specific ha_wolfssl_X509_STORE_get_objects() that bypasses wolfSSL_X509_STORE_get0_objects() entirely, instead building a fresh owned stack directly from store->certs (non-self-signed) and store->trusted (self-signed) with proper X509_up_ref() calls.

Also update sk_X509_OBJECT_popX_free to actually free the returned stack for wolfSSL (instead of being a no-op), which properly decrements the reference counts when the caller is done.

Agent-Logs-Url: https://github.com/chipitsine/haproxy/sessions/b2212b9c-1328-4a03-9fcc-835e2d2bc7e9
Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix wolfssl failure in HAProxy builds" to "BUG/MEDIUM: ssl: fix wolfSSL use-after-free in X509_STORE_getX_objects" on Apr 1, 2026.
…ruct internals
The previous fix used store->certs and store->trusted fields that are only
present in newer wolfSSL builds, causing compilation errors with the wolfSSL
version cached in the CI:
'X509_STORE' {aka 'WOLFSSL_X509_STORE'} has no member named 'certs'
Replace the direct struct-field access with a public-API-only approach:
call wolfSSL_X509_STORE_get0_objects() to get the current snapshot and
build an independent caller-owned copy using X509_up_ref()/X509_CRL_up_ref()
for each object. This protects against wolfSSL's destructive rebuild
(triggered by WOLFSSL_SIGNER_DER_CERT / --enable-haproxy) where
X509StoreFreeObjList frees the previous call's X509 objects, causing
use-after-free when callers still hold pointers into the old result.
The approach works with both old and new wolfSSL:
- Old wolfSSL: X509StoreFreeObjList decrements the X509 ref; our up_ref
ensures it stays >= 1 while the copy is live; when the copy is freed
via sk_X509_OBJECT_pop_free, the ref drops to 0 and the object is
freed correctly.
- New wolfSSL (with store->certs/trusted fields): X509StoreFreeObjList
NULLs the non-CM cert refs instead of freeing them; our up_refs
provide the same protection at no extra cost.
Agent-Logs-Url: https://github.com/chipitsine/haproxy/sessions/35e7d3c8-3c1f-4609-beeb-5a96a7887ad0
Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>
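The ownership pattern the commit message above describes, as a constructed C model added here (it is not haproxy's or wolfSSL's code): x509_t, x509_store_t, the arena and every function name are assumptions standing in for the real X509/X509_STORE API, and store_get0_objects() imitates the destructive rebuild so that the dangling pointer, and the up_ref copy that prevents it, can be observed.

```c
#include <stdlib.h>

/* Constructed model of the wolfSSL behaviour described above: an X509 is a
 * refcounted slot, and the store rebuilds its object list on every
 * get0_objects() call, freeing the previous list's X509 objects first. */
#define MAX_OBJS 8
typedef struct { int refs; int alive; int serial; } x509_t;
typedef struct { int der[MAX_OBJS]; int nder; x509_t *objs[MAX_OBJS]; int nobjs; } x509_store_t;
static x509_t arena[64];  /* backing slots, so a "freed" object can still be inspected */
static int arena_used;

static x509_t *x509_new(int serial) { x509_t *c = &arena[arena_used++]; c->refs = 1; c->alive = 1; c->serial = serial; return c; }
static void x509_up_ref(x509_t *c) { c->refs++; }
static void x509_free(x509_t *c) { if (--c->refs == 0) c->alive = 0; }

/* Model of wolfSSL_X509_STORE_get0_objects() with WOLFSSL_SIGNER_DER_CERT:
 * X509StoreFreeObjList() drops the old list, then fresh X509 objects are
 * built from the stored DER. Pointers into the previous result now dangle. */
static x509_t **store_get0_objects(x509_store_t *s, int *n) {
    for (int i = 0; i < s->nobjs; i++) x509_free(s->objs[i]);
    s->nobjs = 0;
    for (int i = 0; i < s->nder; i++) s->objs[s->nobjs++] = x509_new(s->der[i]);
    *n = s->nobjs;
    return s->objs;
}

/* The fix's pattern (ha_wolfssl_X509_STORE_get_objects() in the PR): take the
 * public-API snapshot, then up_ref each object into a caller-owned copy. */
static x509_t **store_get_objects_owned(x509_store_t *s, int *n) {
    x509_t **snap = store_get0_objects(s, n);
    x509_t **copy = malloc(sizeof(*copy) * (size_t)*n);
    for (int i = 0; i < *n; i++) { x509_up_ref(snap[i]); copy[i] = snap[i]; }
    return copy;
}
/* Counterpart of sk_X509_OBJECT_pop_free(): drop our refs, then the array. */
static void owned_objects_free(x509_t **copy, int n) {
    for (int i = 0; i < n; i++) x509_free(copy[i]);
    free(copy);
}

/* Two callers hitting the same store in turn (ssl_ckch.c, then ssl_sock.c).
 * Returns 1 if the object the first caller kept is still alive afterwards. */
static int first_caller_object_alive(int use_owned_copy) {
    x509_store_t s = { .der = { 1001, 1002 }, .nder = 2 };
    int n1, n2;
    arena_used = 0;
    x509_t **first = use_owned_copy ? store_get_objects_owned(&s, &n1) : store_get0_objects(&s, &n1);
    x509_t *held = first[0];                         /* pointer retained across calls */
    x509_t **second = use_owned_copy ? store_get_objects_owned(&s, &n2) : store_get0_objects(&s, &n2);
    int alive = held->alive;
    if (use_owned_copy) { owned_objects_free(first, n1); owned_objects_free(second, n2); }
    return alive;
}
```

With the raw get0 result the retained pointer is dead after the second call; with the owned copy it stays alive, and releasing the copy drops the refcount to zero so nothing leaks.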
…builds
wolfSSL_X509_CRL_up_ref is guarded by #ifdef OPENSSL_ALL in wolfSSL's
src/crl.c, and the corresponding #define X509_CRL_up_ref in wolfssl/openssl/ssl.h
was removed between Dec 2025 and Mar 2026 ('remove unimplemented function macro').
A CI build cached during that window therefore sees the symbol as undeclared:
error: call to undeclared function 'X509_CRL_up_ref'
Wrap the X509_LU_CRL branch in ha_wolfssl_X509_STORE_get_objects() with
#ifdef X509_CRL_up_ref so that older wolfSSL builds skip CRL objects
(which are rarely if ever present in a wolfSSL CA X509_STORE anyway)
while newer builds that have the symbol still copy CRL entries correctly.
Agent-Logs-Url: https://github.com/chipitsine/haproxy/sessions/26b1a3e4-deb8-4f64-9458-0ee19b5053e3
Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>
X509_CRL_up_ref undeclared in cached CI wolfSSL: the #define X509_CRL_up_ref wolfSSL_X509_CRL_up_ref was removed between Dec 2025 and Mar 2026 in wolfSSL, and the implementation in crl.c requires OPENSSL_ALL. Wrap the X509_LU_CRL branch in ha_wolfssl_X509_STORE_get_objects() with #ifdef X509_CRL_up_ref so it compiles on older wolfSSL where the symbol is absent, while still correctly handling CRLs on newer builds where it's available.