mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 06:41:32 +02:00
Code Issues Projects Releases Wiki Activity

CLEANUP: ssl/cli: use a local context for "set ssl crlfile"

Browse Source 
Just like for "set ssl cafile", the command doesn't really need this
context which doesn't outlive the parsing function but it was there
for a purpose so it's maintained. Only 3 fields were used from the
appctx's ssl context: old_crlfile_entry, new_crlfile_entry, and path.
These ones were reinstantiated into a new "set_crlfile_ctx" struct.
It could have been merged with the one used in "set cafile" if the
fields had been renamed since cafile and crlfile are of the same
type (probably one of them ought to be renamed?).

None of these fields could be dropped as they are still shared with
other commands.
This commit is contained in:
Willy Tarreau 2022-05-04 20:33:03 +02:00
parent a37693f7d8
commit a06b9a5ccf
1 changed files with 27 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/ssl_ckch.c
View File

@ -111,6 +111,12 @@ struct set_cafile_ctx {
char *path; char *path;
}; };
/* CLI context used by "set crl-file" */
struct set_crlfile_ctx {
struct cafile_entry *old_crlfile_entry;
struct cafile_entry *new_crlfile_entry;
char *path;
};
/******************** cert_key_and_chain functions ************************* /******************** cert_key_and_chain functions *************************
@ -3304,6 +3310,7 @@ error:
/* Parsing function of `set ssl crl-file` */ /* Parsing function of `set ssl crl-file` */
static int cli_parse_set_crlfile(char **args, char *payload, struct appctx *appctx, void *private) static int cli_parse_set_crlfile(char **args, char *payload, struct appctx *appctx, void *private)
{ {
struct set_crlfile_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
char *err = NULL; char *err = NULL;
int errcode = 0; int errcode = 0;
struct buffer *buf; struct buffer *buf;
@ -3331,8 +3338,8 @@ static int cli_parse_set_crlfile(char **args, char *payload, struct appctx *appc
goto end; goto end;
} }
appctx->ctx.ssl.old_crlfile_entry = NULL; ctx->old_crlfile_entry = NULL;
appctx->ctx.ssl.new_crlfile_entry = NULL; ctx->new_crlfile_entry = NULL;
/* if there is an ongoing transaction */ /* if there is an ongoing transaction */
if (crlfile_transaction.path) { if (crlfile_transaction.path) {
@ -3342,43 +3349,43 @@ static int cli_parse_set_crlfile(char **args, char *payload, struct appctx *appc
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
appctx->ctx.ssl.old_crlfile_entry = crlfile_transaction.old_crlfile_entry; ctx->old_crlfile_entry = crlfile_transaction.old_crlfile_entry;
} }
else { else {
/* lookup for the certificate in the tree */ /* lookup for the certificate in the tree */
appctx->ctx.ssl.old_crlfile_entry = ssl_store_get_cafile_entry(buf->area, 0); ctx->old_crlfile_entry = ssl_store_get_cafile_entry(buf->area, 0);
} }
if (!appctx->ctx.ssl.old_crlfile_entry) { if (!ctx->old_crlfile_entry) {
memprintf(&err, "%sCan't replace a CRL file which is not referenced by the configuration!\n", memprintf(&err, "%sCan't replace a CRL file which is not referenced by the configuration!\n",
err ? err : ""); err ? err : "");
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
if (!appctx->ctx.ssl.path) { if (!ctx->path) {
/* this is a new transaction, set the path of the transaction */ /* this is a new transaction, set the path of the transaction */
appctx->ctx.ssl.path = strdup(appctx->ctx.ssl.old_crlfile_entry->path); ctx->path = strdup(ctx->old_crlfile_entry->path);
if (!appctx->ctx.ssl.path) { if (!ctx->path) {
memprintf(&err, "%sCan't allocate memory\n", err ? err : ""); memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
} }
if (appctx->ctx.ssl.new_crlfile_entry) if (ctx->new_crlfile_entry)
ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_crlfile_entry); ssl_store_delete_cafile_entry(ctx->new_crlfile_entry);
/* Create a new cafile_entry without adding it to the cafile tree. */ /* Create a new cafile_entry without adding it to the cafile tree. */
appctx->ctx.ssl.new_crlfile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL, CAFILE_CRL); ctx->new_crlfile_entry = ssl_store_create_cafile_entry(ctx->path, NULL, CAFILE_CRL);
if (!appctx->ctx.ssl.new_crlfile_entry) { if (!ctx->new_crlfile_entry) {
memprintf(&err, "%sCannot allocate memory!\n", err ? err : ""); memprintf(&err, "%sCannot allocate memory!\n", err ? err : "");
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
/* Fill the new entry with the new CRL. */ /* Fill the new entry with the new CRL. */
if (ssl_store_load_ca_from_buf(appctx->ctx.ssl.new_crlfile_entry, payload)) { if (ssl_store_load_ca_from_buf(ctx->new_crlfile_entry, payload)) {
memprintf(&err, "%sInvalid payload\n", err ? err : ""); memprintf(&err, "%sInvalid payload\n", err ? err : "");
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
@ -3388,8 +3395,8 @@ static int cli_parse_set_crlfile(char **args, char *payload, struct appctx *appc
/* if there wasn't a transaction, update the old CA */ /* if there wasn't a transaction, update the old CA */
if (!crlfile_transaction.old_crlfile_entry) { if (!crlfile_transaction.old_crlfile_entry) {
crlfile_transaction.old_crlfile_entry = appctx->ctx.ssl.old_crlfile_entry; crlfile_transaction.old_crlfile_entry = ctx->old_crlfile_entry;
crlfile_transaction.path = appctx->ctx.ssl.path; crlfile_transaction.path = ctx->path;
err = memprintf(&err, "transaction created for CA %s!\n", crlfile_transaction.path); err = memprintf(&err, "transaction created for CA %s!\n", crlfile_transaction.path);
} else { } else {
err = memprintf(&err, "transaction updated for CA %s!\n", crlfile_transaction.path); err = memprintf(&err, "transaction updated for CA %s!\n", crlfile_transaction.path);
@ -3398,7 +3405,7 @@ static int cli_parse_set_crlfile(char **args, char *payload, struct appctx *appc
/* free the previous CRL file if there was a transaction */ /* free the previous CRL file if there was a transaction */
ssl_store_delete_cafile_entry(crlfile_transaction.new_crlfile_entry); ssl_store_delete_cafile_entry(crlfile_transaction.new_crlfile_entry);
crlfile_transaction.new_crlfile_entry = appctx->ctx.ssl.new_crlfile_entry; crlfile_transaction.new_crlfile_entry = ctx->new_crlfile_entry;
/* creates the SNI ctxs later in the IO handler */ /* creates the SNI ctxs later in the IO handler */
@ -3406,12 +3413,10 @@ end:
free_trash_chunk(buf); free_trash_chunk(buf);
if (errcode & ERR_CODE) { if (errcode & ERR_CODE) {
ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_crlfile_entry); ssl_store_delete_cafile_entry(ctx->new_crlfile_entry);
appctx->ctx.ssl.new_crlfile_entry = NULL; ctx->new_crlfile_entry = NULL;
appctx->ctx.ssl.old_crlfile_entry = NULL; ctx->old_crlfile_entry = NULL;
ha_free(&ctx->path);
ha_free(&appctx->ctx.ssl.path);
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock); HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
return cli_dynerr(appctx, memprintf(&err, "%sCan't update %s!\n", err ? err : "", args[3])); return cli_dynerr(appctx, memprintf(&err, "%sCan't update %s!\n", err ? err : "", args[3]));
} else { } else {