mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-25 07:41:36 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: store the filenames resulting from a lookup in ckch_conf

Browse Source 
With this patch, files resulting from a lookup (*.key, *.ocsp,
*.issuer etc) are now stored in the ckch_conf.

It allows to see the original filename from where it was loaded in "show
ssl cert <filename>"
This commit is contained in:
William Lallemand 2025-02-13 17:35:10 +01:00
parent a4d65c9cc8
commit 7034f2ca48
3 changed files with 51 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/ssl_ckch.h
View File

@ -27,7 +27,7 @@
/* cert_key_and_chain functions */
int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err);
int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, struct ckch_conf *conf, char **err);
int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *datackch , char **err);
void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data);

52
src/ssl_ckch.c
View File

@ -351,7 +351,7 @@ end:
* 0 on Success
* 1 on SSL Failure
*/
int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err)
int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, struct ckch_conf *conf, char **err)
{
struct buffer *fp = NULL;
int ret = 1;
@ -362,6 +362,20 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
goto end;
}
if (conf) {
conf->crt = strdup(path);
if (!conf->crt) {
memprintf(err, "%s out of memory.\n", err && *err ? *err : "");
goto end;
}
conf->key = strdup(path);
if (!conf->key) {
memprintf(err, "%s out of memory.\n", err && *err ? *err : "");
goto end;
}
}
fp = alloc_trash_chunk();
if (!fp) {
memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
@ -419,6 +433,14 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
goto end;
}
if (conf) {
free(conf->key);
conf->key = strdup(fp->area);
if (!conf->key) {
memprintf(err, "%s out of memory.\n", err && *err ? *err : "");
goto end;
}
}
/* remove the added extension */
*(fp->area + fp->data - strlen(".key")) = '\0';
b_sub(fp, strlen(".key"));
@ -451,6 +473,14 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
goto end;
}
}
if (conf) {
conf->sctl = strdup(fp->area);
if (!conf->sctl) {
memprintf(err, "%s out of memory.\n", err && *err ? *err : "");
goto end;
}
}
/* remove the added extension */
*(fp->area + fp->data - strlen(".sctl")) = '\0';
b_sub(fp, strlen(".sctl"));
@ -475,6 +505,14 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
goto end;
}
}
if (conf) {
conf->ocsp = strdup(fp->area);
if (!conf->ocsp) {
memprintf(err, "%s out of memory.\n", err && *err ? *err : "");
goto end;
}
}
/* remove the added extension */
*(fp->area + fp->data - strlen(".ocsp")) = '\0';
b_sub(fp, strlen(".ocsp"));
@ -505,6 +543,14 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
goto end;
}
}
if (conf) {
conf->issuer = strdup(fp->area);
if (!conf->issuer) {
memprintf(err, "%s out of memory.\n", err && *err ? *err : "");
goto end;
}
}
/* remove the added extension */
*(fp->area + fp->data - strlen(".issuer")) = '\0';
b_sub(fp, strlen(".issuer"));
@ -1029,7 +1075,7 @@ struct ckch_store *ckch_store_new_load_files_path(char *path, char **err)
goto end;
}
if (ssl_sock_load_files_into_ckch(path, ckchs->data, err) == 1)
if (ssl_sock_load_files_into_ckch(path, ckchs->data, &ckchs->conf, err) == 1)
goto end;
ckchs->conf.used = CKCH_CONF_SET_EMPTY;
@ -1066,7 +1112,7 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *
* auto-detecting them. */
if ((conf->used == CKCH_CONF_SET_EMPTY || conf->used == CKCH_CONF_SET_CRTLIST) &&
(!conf->key && !conf->ocsp && !conf->issuer && !conf->sctl)) {
cfgerr = ssl_sock_load_files_into_ckch(conf->crt, ckchs->data, err);
cfgerr = ssl_sock_load_files_into_ckch(conf->crt, ckchs->data, &ckchs->conf, err);
if (cfgerr & ERR_FATAL)
goto end;
/* set conf->crt to NULL so it's not erased */

2
src/ssl_gencert.c
View File

@ -415,7 +415,7 @@ ssl_sock_gencert_load_ca(struct bind_conf *bind_conf)
}
/* Try to parse file */
if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, data, &err)) {
if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, data, NULL, &err)) {
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain loading failed: %s\n",
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line, err);
free(err);