From 0bb482436c9cfe21b2e2af10177c4c323e735808 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Fri, 16 Apr 2021 17:59:23 +0200
Subject: [PATCH] MINOR: ssl: Add a cafile_entry type field

The CA files and CRL files are stored in the same cafile_tree so this patch adds a new field the the cafile_entry structure that specifies the type of the entry. Since a ca-file can also have some CRL sections, the type will be based on the option used to load the file and not on its content (ca-file vs crl-file options).
---
 include/haproxy/ssl_ckch-t.h | 8 ++++++++
 include/haproxy/ssl_ckch.h | 4 ++--
 src/cfgparse-ssl.c | 8 ++++----
 src/ssl_ckch.c | 9 +++++----
 4 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index 584013c1c..2589a526e 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -114,6 +114,13 @@ struct ckch_inst {
 };
+/* Option through which a cafile_entry was created, either
+ * ca-file/ca-verify-file or crl-file. */
+enum cafile_type {
+ CAFILE_CERT,
+ CAFILE_CRL
+};
+
 /*
 * deduplicate cafile (and crlfile)
 */
@@ -121,6 +128,7 @@ struct cafile_entry {
 X509_STORE *ca_store;
 STACK_OF(X509_NAME) *ca_list;
 struct list ckch_inst_link; /* list of ckch_inst which use this CA file entry */
+ enum cafile_type type;
 struct ebmb_node node;
 char path[0];
 };
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 54c3c94a6..8ee3b74ea 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
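Review bot: The new `type` member added to struct cafile_entry in the second hunk is the only field of the struct without an inline comment, and neither it nor the enum comment in the first hunk states the rule the commit message relies on: a ca-file that also contains CRL sections is still CAFILE_CERT, because the type records the option, not the file content. A reader of the header alone will reasonably assume CAFILE_CRL means "this store holds only CRLs". Suggest `enum cafile_type type; /* option that loaded the file (ca-file/ca-verify-file -> CAFILE_CERT, crl-file -> CAFILE_CRL); says nothing about the file's content */` on the struct field, and a matching sentence appended to the enum's comment.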
@@ -60,10 +60,10 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi
 struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry);
 X509_STORE* ssl_store_get0_locations_file(char *path);
 int ssl_store_add_uncommitted_cafile_entry(struct cafile_entry *entry);
-struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store);
+struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type);
 void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
 int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf);
-int ssl_store_load_locations_file(char *path, int create_if_none);
+int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
 #endif /* USE_OPENSSL */
 #endif /* _HAPROXY_SSL_CRTLIST_H */
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 9242360a9..d87786ccf 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -543,7 +543,7 @@ static int ssl_bind_parse_ca_file_common(char **args, int cur_arg, char **ca_fil
 else
 memprintf(ca_file_p, "%s", args[cur_arg + 1]);
- if (!ssl_store_load_locations_file(*ca_file_p, !from_cli)) {
+ if (!ssl_store_load_locations_file(*ca_file_p, !from_cli, CAFILE_CERT)) {
 memprintf(err, "'%s' : unable to load %s", args[cur_arg], *ca_file_p);
 return ERR_ALERT | ERR_FATAL;
 }
@@ -689,7 +689,7 @@ static int ssl_bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, s
 else
 memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
- if (!ssl_store_load_locations_file(conf->crl_file, !from_cli)) {
+ if (!ssl_store_load_locations_file(conf->crl_file, !from_cli, CAFILE_CRL)) {
 memprintf(err, "'%s' : unable to load %s", args[cur_arg], conf->crl_file);
 return ERR_ALERT | ERR_FATAL;
 }
@@ -1336,7 +1336,7 @@ static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct
 else
 memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
- if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1)) {
+ if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
 memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.ca_file);
 return ERR_ALERT | ERR_FATAL;
 }
@@ -1432,7 +1432,7 @@ static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struc
 else
 memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
- if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, 1)) {
+ if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, 1, CAFILE_CRL)) {
 memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.crl_file);
 return ERR_ALERT | ERR_FATAL;
 }
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b178d8536..3f89ac3cc 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -985,7 +985,7 @@ X509_STORE* ssl_store_get0_locations_file(char *path)
 }
 /* Create a cafile_entry object, without adding it to the cafile_tree. */
-struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store)
+struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type)
 {
 struct cafile_entry *ca_e;
 int pathlen;
@@ -996,6 +996,7 @@ struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store
 if (ca_e) {
 memcpy(ca_e->path, path, pathlen + 1);
 ca_e->ca_store = store;
+ ca_e->type = type;
 LIST_INIT(&ca_e->ckch_inst_link);
 }
 return ca_e;
@@ -1077,7 +1078,7 @@ int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf)
 return retval;
 }
-int ssl_store_load_locations_file(char *path, int create_if_none)
+int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
 {
 X509_STORE *store = ssl_store_get0_locations_file(path);
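Review bot: The new `type` parameter of ssl_store_load_locations_file is never compared with anything: the function opens by looking up an existing store for `path`, and the hunk shows the type being consumed only on the creation path, so when the same file is named by both a ca-file and a crl-file option the entry silently keeps whichever type loaded it first and the second caller's intent is lost. Unless the early-return path for an existing store (between this hunk and the next, outside my view) checks the entry, consider fetching the cafile_entry there and rejecting a mismatch with an explicit error, e.g. `if (ca_e->type != type) return 0;` with a comment saying the path was already loaded under the other option, so the configuration fails loudly instead of verifying with an entry of the wrong kind. The same concern applies to the `set ssl ca-file` hunk later in this file, which creates its replacement entry with a hard-coded CAFILE_CERT without consulting the type of the entry it replaces. The function body continues past this hunk.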
@@ -1088,7 +1089,7 @@ int ssl_store_load_locations_file(char *path, int create_if_none)
 struct cafile_entry *ca_e;
 store = X509_STORE_new();
 if (X509_STORE_load_locations(store, path, NULL)) {
- ca_e = ssl_store_create_cafile_entry(path, store);
+ ca_e = ssl_store_create_cafile_entry(path, store, type);
 if (ca_e) {
 ebst_insert(&cafile_tree, &ca_e->node);
 }
@@ -2242,7 +2243,7 @@ static int cli_parse_set_cafile(char **args, char *payload, struct appctx *appct
 ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_cafile_entry);
 /* Create a new cafile_entry without adding it to the cafile tree. */
- appctx->ctx.ssl.new_cafile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL);
+ appctx->ctx.ssl.new_cafile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL, CAFILE_CERT);
 if (!appctx->ctx.ssl.new_cafile_entry) {
 memprintf(&err, "%sCannot allocate memory!\n", err ? err : "");
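Review bot: In the first hunk `type` is handed to ssl_store_create_cafile_entry right after X509_STORE_load_locations() has filled the store, but nothing ties the two together: with the PEM file lookup that call loads every certificate and CRL it finds regardless of the option, so a CAFILE_CRL entry can hold CA certificates and a CAFILE_CERT entry can hold CRLs. A short comment on the added call would stop the next reader from assuming the type filters the store's content, e.g. `/* type records the option that named this file; the store holds whatever the file contained */`. The enclosing function starts before this hunk.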