From 47987ccbd92c2bb734996fd580f60443a2779f8e Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Wed, 25 Mar 2026 11:20:24 +0100
Subject: [PATCH] BUG/MINOR: ech: permission checks on the CLI

Permission checks on the CLI for ECH are missing. This patch adds a check for "(add|set|del|show) ssl ech" commands so they can only be run in admin mode. ECH is stil a feature in experimental-mode and is not compiled by default. Initial report by Cameron Brown. Must be backported to 3.3.
---
 src/ech.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/ech.c b/src/ech.c
index ecc64dd03..d7e74dbcc 100644
--- a/src/ech.c
+++ b/src/ech.c
@@ -136,6 +136,10 @@ static int cli_parse_show_ech(char **args, char *payload,
 {
 struct show_ech_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
+
 /* no parameter, shows only file list */
 if (*args[3]) {
 SSL_CTX *sctx = NULL;
@@ -297,6 +301,9 @@ static int cli_parse_add_ech(char **args, char *payload, struct appctx *appctx,
 OSSL_ECHSTORE *es = NULL;
 BIO *es_in = NULL;
 
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
 if (!*args[3] || !payload)
 return cli_err(appctx, "syntax: add ssl ech ");
 if (cli_find_ech_specific_ctx(args[3], &sctx) != 1)
@@ -324,6 +331,9 @@ static int cli_parse_set_ech(char **args, char *payload, struct appctx *appctx,
 OSSL_ECHSTORE *es = NULL;
 BIO *es_in = NULL;
 
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
 if (!*args[3] || !payload)
 return cli_err(appctx, "syntax: set ssl ech ");
 if (cli_find_ech_specific_ctx(args[3], &sctx) != 1)
@@ -351,6 +361,9 @@ static int cli_parse_del_ech(char **args, char *payload, struct appctx *appctx,
 char success_message[ECH_SUCCESS_MSG_MAX];
 OSSL_ECHSTORE *es = NULL;
 
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
 if (!*args[3])
 return cli_err(appctx, "syntax: del ssl ech ");
 if (*args[4])
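Review bot: In the `show ssl ech` hunk the admin check runs only after `applet_reserve_svcctx(appctx, sizeof(*ctx))` has already executed in the declaration above it, and it is followed by two blank lines where the add/set/del hunks leave one. Making the guard the first statement keeps a refused request from touching the applet context and lines the handler up with the other three: declare `struct show_ech_ctx *ctx;`, then `if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) return 1;`, then `ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));`. The body of cli_parse_show_ech continues past the end of this hunk.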
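Review bot: The guard in cli_parse_add_ech, and the identical ones in the cli_parse_set_ech and cli_parse_del_ech hunks that follow, returns 1 without printing anything itself, so the denial message presumably comes from inside `cli_has_level()`; a one-line comment such as `/* cli_has_level() reports the denial; ECH store changes are admin-only */` above each check would make that visible to the next reader. The diffstat lists only src/ech.c, so nothing exercises the new behaviour: a reg-test that sends `add ssl ech`, `set ssl ech` and `del ssl ech` over a socket bound with `level operator` and expects a refusal would catch a guard being lost in a later refactor or in the 3.3 backport. All three functions start before and continue after the visible hunk lines.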