MEDIUM: ssl: add extra_chain to ckch_data

The extra_chain member is a pointer to the 'issuers-chain-path' file
that completed the chain.

This is useful to find out which chain file was used.
William Lallemand 2024-07-17 13:32:43 +02:00
parent f3dfd95aa2
commit 344c3ce8fc
2 changed files with 4 additions and 3 deletions


@ -55,6 +55,7 @@ struct ckch_data {
struct buffer *ocsp_response; struct buffer *ocsp_response;
X509 *ocsp_issuer; X509 *ocsp_issuer;
OCSP_CERTID *ocsp_cid; OCSP_CERTID *ocsp_cid;
struct issuer_chain *extra_chain; /* chain from 'issuers-chain-path' */
}; };
/* configuration for the ckch_store */ /* configuration for the ckch_store */
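Review bot: The new `extra_chain` member of struct ckch_data does not say who owns the pointer, and that matters for lifetime safety. In the loader section of this commit it is filled from `ssl_get0_issuer_chain(cert)` and only `issuer_chain->chain` gets an up-ref, so the struct issuer_chain itself appears to be borrowed from the 'issuers-chain-path' storage; a ckch_data that outlives that storage would be left with a dangling pointer. I would extend the comment to `/* chain from 'issuers-chain-path', borrowed: not refcounted, must not be freed through ckch_data */`. It is also worth confirming that the ckch_data copy and free helpers, which are not visible on this page, duplicate or reset the field rather than leaving a stale value behind.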


@ -580,6 +580,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
EVP_PKEY *key = NULL; EVP_PKEY *key = NULL;
HASSL_DH *dh = NULL; HASSL_DH *dh = NULL;
STACK_OF(X509) *chain = NULL; STACK_OF(X509) *chain = NULL;
struct issuer_chain *issuer_chain = NULL;
if (buf) { if (buf) {
/* reading from a buffer */ /* reading from a buffer */
@ -649,12 +650,10 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
/* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */ /* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */
if (chain == NULL) { if (chain == NULL) {
struct issuer_chain *issuer_chain;
issuer_chain = ssl_get0_issuer_chain(cert); issuer_chain = ssl_get0_issuer_chain(cert);
if (issuer_chain) { if (issuer_chain)
chain = X509_chain_up_ref(issuer_chain->chain); chain = X509_chain_up_ref(issuer_chain->chain);
} }
}
ret = ERR_get_error(); ret = ERR_get_error();
if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) { if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) {
@ -684,6 +683,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
SWAP(data->dh, dh); SWAP(data->dh, dh);
SWAP(data->cert, cert); SWAP(data->cert, cert);
SWAP(data->chain, chain); SWAP(data->chain, chain);
SWAP(data->extra_chain, issuer_chain);
ret = 0; ret = 0;