mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-11-30 15:21:04 +01:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: deduplicate crl-file

Browse Source 
Load file for crl or ca-cert is realy done with the same function in OpenSSL,
via X509_STORE_load_locations. Accordingly, deduplicate crl-file and ca-file
can share the same function.
This commit is contained in:
Emmanuel Hocdet 2019-11-21 19:09:31 +01:00 committed by William Lallemand
parent 129d3285a5
commit b270e8166c
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/ssl_sock.c
View File

@ -364,7 +364,7 @@ static struct {
} ckchs_transaction; } ckchs_transaction;
/* /*
* deduplicate cafile * deduplicate cafile (and crlfile)
*/ */
struct cafile_entry { struct cafile_entry {
X509_STORE *ca_store; X509_STORE *ca_store;
@ -5054,7 +5054,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
if (crl_file) { if (crl_file) {
X509_STORE *store = SSL_CTX_get_cert_store(ctx); X509_STORE *store = SSL_CTX_get_cert_store(ctx);
if (!store || !X509_STORE_load_locations(store, crl_file, NULL)) { if (!ssl_set_cert_crl_file(store, crl_file)) {
memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n", memprintf(err, "%sProxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",
err && *err ? *err : "", curproxy->id, crl_file, bind_conf->arg, bind_conf->file, bind_conf->line); err && *err ? *err : "", curproxy->id, crl_file, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr |= ERR_ALERT | ERR_FATAL; cfgerr |= ERR_ALERT | ERR_FATAL;
@ -5557,7 +5557,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
if (srv->ssl_ctx.crl_file) { if (srv->ssl_ctx.crl_file) {
X509_STORE *store = SSL_CTX_get_cert_store(srv->ssl_ctx.ctx); X509_STORE *store = SSL_CTX_get_cert_store(srv->ssl_ctx.ctx);
if (!store || !X509_STORE_load_locations(store, srv->ssl_ctx.crl_file, NULL)) { if (!ssl_set_cert_crl_file(store, srv->ssl_ctx.crl_file)) {
ha_alert("Proxy '%s', server '%s' [%s:%d] unable to configure CRL file '%s'.\n", ha_alert("Proxy '%s', server '%s' [%s:%d] unable to configure CRL file '%s'.\n",
curproxy->id, srv->id, curproxy->id, srv->id,
srv->conf.file, srv->conf.line, srv->ssl_ctx.crl_file); srv->conf.file, srv->conf.line, srv->ssl_ctx.crl_file);
@ -8616,6 +8616,10 @@ static int ssl_bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, s
else else
memprintf(&conf->crl_file, "%s", args[cur_arg + 1]); memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
if (!ssl_store_load_locations_file(conf->crl_file)) {
memprintf(err, "'%s' : unable to load %s", args[cur_arg], conf->crl_file);
return ERR_ALERT | ERR_FATAL;
}
return 0; return 0;
#endif #endif
} }
@ -9336,6 +9340,10 @@ static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struc
else else
memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]); memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file)) {
memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.crl_file);
return ERR_ALERT | ERR_FATAL;
}
return 0; return 0;
#endif #endif
} }