mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-02-26 11:41:50 +01:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: load the sctl in/from the ckch

Browse Source 
Don't try to load the file containing the sctl each time we generate a
SSL_CTX.

The .sctl is now loaded in the struct cert_key_and_chain only once and
then loaded from this structure when creating a SSL_CTX.

Note that this now make possible the use of sctl with multi-cert
bundles.
This commit is contained in:
William Lallemand 2019-10-10 15:16:44 +02:00 committed by William Lallemand
parent 150bfa84e3
commit a17f4116d5
2 changed files with 31 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/types/ssl_sock.h
View File

@ -98,6 +98,7 @@ struct cert_key_and_chain {
EVP_PKEY *key;
STACK_OF(X509) *chain;
DH *dh;
struct buffer *sctl;
};
/*

56
src/ssl_sock.c
View File

@ -1498,26 +1498,13 @@ int ssl_sock_sctl_parse_cbk(SSL *s, unsigned int ext_type, const unsigned char *
return 1;
}
static int ssl_sock_load_sctl(SSL_CTX *ctx, const char *cert_path)
static int ssl_sock_load_sctl(SSL_CTX *ctx, struct buffer *sctl)
{
char sctl_path[MAXPATHLEN+1];
int ret = -1;
struct stat st;
struct buffer *sctl = NULL;
snprintf(sctl_path, MAXPATHLEN+1, "%s.sctl", cert_path);
if (stat(sctl_path, &st))
return 1;
if (ssl_sock_load_sctl_from_file(sctl_path, &sctl))
if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL))
goto out;
if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL)) {
free(sctl);
goto out;
}
SSL_CTX_set_ex_data(ctx, sctl_ex_index, sctl);
ret = 0;
@ -3028,6 +3015,24 @@ static int ssl_sock_load_crt_file_into_ckch(const char *path, BIO *buf, struct c
goto end;
}
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
/* try to load the sctl file */
{
char fp[MAXPATHLEN+1];
struct stat st;
snprintf(fp, MAXPATHLEN+1, "%s.sctl", path);
if (stat(fp, &st) == 0) {
if (ssl_sock_load_sctl_from_file(fp, &ckch->sctl)) {
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
*err ? *err : "", fp);
ret = 1;
goto end;
}
}
}
#endif
ret = 0;
end:
@ -3098,6 +3103,16 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
}
#endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
if (sctl_ex_index >= 0 && ckch->sctl) {
if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
*err ? *err : "", path);
return 1;
}
}
#endif
return 0;
}
@ -3627,17 +3642,6 @@ static struct ckch_inst *ckch_inst_new_load_store(const char *path, struct ckch_
ssl_sock_set_ocsp_response_from_file(ctx, path);
#endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
if (sctl_ex_index >= 0) {
if (ssl_sock_load_sctl(ctx, path) < 0) {
if (err)
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
*err ? *err : "", path);
goto error;
}
}
#endif
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (bind_conf->default_ctx) {
memprintf(err, "%sthis version of openssl cannot load multiple SSL certificates.\n",