MINOR: ssl: Add a cafile_entry type field

The CA files and CRL files are stored in the same cafile_tree so this
patch adds a new field to the cafile_entry structure that specifies the
type of the entry. Since a ca-file can also have some CRL sections, the
type will be based on the option used to load the file and not on its
content (ca-file vs crl-file options).
This commit is contained in:
Remi Tricot-Le Breton 2021-04-16 17:59:23 +02:00 committed by William Lallemand
parent d5fd09d339
commit 0bb482436c
4 changed files with 19 additions and 10 deletions


@ -114,6 +114,13 @@ struct ckch_inst {
}; };
/* Option through which a cafile_entry was created, either
* ca-file/ca-verify-file or crl-file. */
enum cafile_type {
CAFILE_CERT,
CAFILE_CRL
};
/* /*
* deduplicate cafile (and crlfile) * deduplicate cafile (and crlfile)
*/ */
@ -121,6 +128,7 @@ struct cafile_entry {
X509_STORE *ca_store; X509_STORE *ca_store;
STACK_OF(X509_NAME) *ca_list; STACK_OF(X509_NAME) *ca_list;
struct list ckch_inst_link; /* list of ckch_inst which use this CA file entry */ struct list ckch_inst_link; /* list of ckch_inst which use this CA file entry */
enum cafile_type type;
struct ebmb_node node; struct ebmb_node node;
char path[0]; char path[0];
}; };
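Review bot: The new `enum cafile_type type;` member of struct cafile_entry has no comment, unlike the neighbouring `ckch_inst_link` field, and the one caveat that matters for readers of this field is stated only on the enum above it. Since the commit message explains that a ca-file may itself contain CRL sections, a maintainer checking `type` later must know it reflects the loading option and not the file contents. Suggest `enum cafile_type type; /* CAFILE_CERT or CAFILE_CRL, taken from the loading option, not from the file's contents */`. The enum comment could also say explicitly that ca-verify-file maps to CAFILE_CERT, which the bind-line parsers in this commit already do.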


@ -60,10 +60,10 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi
struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry); struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry);
X509_STORE* ssl_store_get0_locations_file(char *path); X509_STORE* ssl_store_get0_locations_file(char *path);
int ssl_store_add_uncommitted_cafile_entry(struct cafile_entry *entry); int ssl_store_add_uncommitted_cafile_entry(struct cafile_entry *entry);
struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store); struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type);
void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e); void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf); int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf);
int ssl_store_load_locations_file(char *path, int create_if_none); int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
#endif /* USE_OPENSSL */ #endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_CRTLIST_H */ #endif /* _HAPROXY_SSL_CRTLIST_H */


@ -543,7 +543,7 @@ static int ssl_bind_parse_ca_file_common(char **args, int cur_arg, char **ca_fil
else else
memprintf(ca_file_p, "%s", args[cur_arg + 1]); memprintf(ca_file_p, "%s", args[cur_arg + 1]);
if (!ssl_store_load_locations_file(*ca_file_p, !from_cli)) { if (!ssl_store_load_locations_file(*ca_file_p, !from_cli, CAFILE_CERT)) {
memprintf(err, "'%s' : unable to load %s", args[cur_arg], *ca_file_p); memprintf(err, "'%s' : unable to load %s", args[cur_arg], *ca_file_p);
return ERR_ALERT | ERR_FATAL; return ERR_ALERT | ERR_FATAL;
} }
@ -689,7 +689,7 @@ static int ssl_bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, s
else else
memprintf(&conf->crl_file, "%s", args[cur_arg + 1]); memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
if (!ssl_store_load_locations_file(conf->crl_file, !from_cli)) { if (!ssl_store_load_locations_file(conf->crl_file, !from_cli, CAFILE_CRL)) {
memprintf(err, "'%s' : unable to load %s", args[cur_arg], conf->crl_file); memprintf(err, "'%s' : unable to load %s", args[cur_arg], conf->crl_file);
return ERR_ALERT | ERR_FATAL; return ERR_ALERT | ERR_FATAL;
} }
@ -1336,7 +1336,7 @@ static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct
else else
memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]); memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1)) { if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.ca_file); memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.ca_file);
return ERR_ALERT | ERR_FATAL; return ERR_ALERT | ERR_FATAL;
} }
@ -1432,7 +1432,7 @@ static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struc
else else
memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]); memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, 1)) { if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, 1, CAFILE_CRL)) {
memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.crl_file); memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.crl_file);
return ERR_ALERT | ERR_FATAL; return ERR_ALERT | ERR_FATAL;
} }


@ -985,7 +985,7 @@ X509_STORE* ssl_store_get0_locations_file(char *path)
} }
/* Create a cafile_entry object, without adding it to the cafile_tree. */ /* Create a cafile_entry object, without adding it to the cafile_tree. */
struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store) struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type)
{ {
struct cafile_entry *ca_e; struct cafile_entry *ca_e;
int pathlen; int pathlen;
@ -996,6 +996,7 @@ struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store
if (ca_e) { if (ca_e) {
memcpy(ca_e->path, path, pathlen + 1); memcpy(ca_e->path, path, pathlen + 1);
ca_e->ca_store = store; ca_e->ca_store = store;
ca_e->type = type;
LIST_INIT(&ca_e->ckch_inst_link); LIST_INIT(&ca_e->ckch_inst_link);
} }
return ca_e; return ca_e;
@ -1077,7 +1078,7 @@ int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf)
return retval; return retval;
} }
int ssl_store_load_locations_file(char *path, int create_if_none) int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
{ {
X509_STORE *store = ssl_store_get0_locations_file(path); X509_STORE *store = ssl_store_get0_locations_file(path);
@ -1088,7 +1089,7 @@ int ssl_store_load_locations_file(char *path, int create_if_none)
struct cafile_entry *ca_e; struct cafile_entry *ca_e;
store = X509_STORE_new(); store = X509_STORE_new();
if (X509_STORE_load_locations(store, path, NULL)) { if (X509_STORE_load_locations(store, path, NULL)) {
ca_e = ssl_store_create_cafile_entry(path, store); ca_e = ssl_store_create_cafile_entry(path, store, type);
if (ca_e) { if (ca_e) {
ebst_insert(&cafile_tree, &ca_e->node); ebst_insert(&cafile_tree, &ca_e->node);
} }
@ -2242,7 +2243,7 @@ static int cli_parse_set_cafile(char **args, char *payload, struct appctx *appct
ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_cafile_entry); ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_cafile_entry);
/* Create a new cafile_entry without adding it to the cafile tree. */ /* Create a new cafile_entry without adding it to the cafile tree. */
appctx->ctx.ssl.new_cafile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL); appctx->ctx.ssl.new_cafile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL, CAFILE_CERT);
if (!appctx->ctx.ssl.new_cafile_entry) { if (!appctx->ctx.ssl.new_cafile_entry) {
memprintf(&err, "%sCannot allocate memory!\n", memprintf(&err, "%sCannot allocate memory!\n",
err ? err : ""); err ? err : "");
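Review bot: In ssl_store_load_locations_file the new `type` argument is only consumed on the creation path, at the `ssl_store_create_cafile_entry(path, store, type)` call in the second hunk; when `ssl_store_get0_locations_file(path)` already yields a store the function presumably returns early (that branch sits between the two hunks, outside what is shown) and never compares the requested type with the existing entry's. A path first loaded through `crl-file` and later referenced by `ca-file` (or the reverse) would then silently keep the first type, which becomes a correctness problem as soon as `type` is used to decide how the entry is refreshed or presented. Consider resolving the entry with `ssl_store_get_cafile_entry(path, 0)` on the already-loaded branch and failing, or at least warning, when `ca_e->type != type`, so that one file is not shared across the two roles under a single label. The hard-coded `CAFILE_CERT` in cli_parse_set_cafile looks intended, since that CLI path only handles CA files.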