mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 22:31:28 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: merge ssl_sock_load_cert_file() and ssl_sock_load_cert_chain_file()

Browse Source 
This commit merges the function ssl_sock_load_cert_file() and
ssl_sock_load_cert_chain_file().

The goal is to refactor the SSL code and use the cert_key_and_chain
struct to load everything.
This commit is contained in:
William Lallemand 2019-05-15 15:33:54 +02:00 committed by William Lallemand
parent 61ed7797f6
commit c940207d39
1 changed files with 32 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
src/ssl_sock.c
View File

@ -3314,15 +3314,13 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
#endif /* #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL: Support for loading multiple certs into a single SSL_CTX */ #endif /* #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL: Support for loading multiple certs into a single SSL_CTX */
/* Loads a certificate key and CA chain from a file. Returns 0 on error, -1 if static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
* an early error happens and the caller must call SSL_CTX_free() by itelf. char **sni_filter, int fcount, char **err)
*/
static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct bind_conf *s,
struct ssl_bind_conf *ssl_conf, char **sni_filter, int fcount)
{ {
SSL_CTX *ctx;
BIO *in; BIO *in;
X509 *x = NULL, *ca; X509 *x = NULL, *ca;
int i, err; int i;
int ret = -1; int ret = -1;
int order = 0; int order = 0;
X509_NAME *xname; X509_NAME *xname;
@ -3331,16 +3329,29 @@ static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct
void *passwd_cb_userdata; void *passwd_cb_userdata;
EVP_PKEY *pkey; EVP_PKEY *pkey;
struct pkey_info kinfo = { .sig = TLSEXT_signature_anonymous, .bits = 0 }; struct pkey_info kinfo = { .sig = TLSEXT_signature_anonymous, .bits = 0 };
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
STACK_OF(GENERAL_NAME) *names; STACK_OF(GENERAL_NAME) *names;
#endif #endif
ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
err && *err ? *err : "", path);
return 1;
}
if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
err && *err ? *err : "", path);
SSL_CTX_free(ctx);
return 1;
}
in = BIO_new(BIO_s_file()); in = BIO_new(BIO_s_file());
if (in == NULL) if (in == NULL)
goto end; goto end;
if (BIO_read_filename(in, file) <= 0) if (BIO_read_filename(in, path) <= 0)
goto end; goto end;
@ -3370,7 +3381,7 @@ static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct
if (fcount) { if (fcount) {
while (fcount--) while (fcount--)
order = ssl_sock_add_cert_sni(ctx, s, ssl_conf, kinfo, sni_filter[fcount], order); order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, sni_filter[fcount], order);
} }
else { else {
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
@ -3380,7 +3391,7 @@ static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i); GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
if (name->type == GEN_DNS) { if (name->type == GEN_DNS) {
if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) { if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
order = ssl_sock_add_cert_sni(ctx, s, ssl_conf, kinfo, str, order); order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order);
OPENSSL_free(str); OPENSSL_free(str);
} }
} }
@ -3396,7 +3407,7 @@ static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct
value = X509_NAME_ENTRY_get_data(entry); value = X509_NAME_ENTRY_get_data(entry);
if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) { if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
order = ssl_sock_add_cert_sni(ctx, s, ssl_conf, kinfo, str, order); order = ssl_sock_add_cert_sni(ctx, bind_conf, ssl_conf, kinfo, str, order);
OPENSSL_free(str); OPENSSL_free(str);
} }
} }
@ -3422,52 +3433,13 @@ static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct
} }
} }
err = ERR_get_error(); i = ERR_get_error();
if (!err || (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) { if (!i || (ERR_GET_LIB(i) == ERR_LIB_PEM && ERR_GET_REASON(i) == PEM_R_NO_START_LINE)) {
/* we successfully reached the last cert in the file */ /* we successfully reached the last cert in the file */
ret = 1; ret = 1;
} }
ERR_clear_error(); ERR_clear_error();
end:
if (x)
X509_free(x);
if (in)
BIO_free(in);
return ret;
}
static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
char **sni_filter, int fcount, char **err)
{
int ret;
SSL_CTX *ctx;
ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
err && *err ? *err : "", path);
return 1;
}
if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
err && *err ? *err : "", path);
SSL_CTX_free(ctx);
return 1;
}
ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, ssl_conf, sni_filter, fcount);
if (ret <= 0) {
memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
err && *err ? *err : "", path);
if (ret < 0) /* serious error, must do that ourselves */
SSL_CTX_free(ctx);
return 1;
}
if (SSL_CTX_check_private_key(ctx) <= 0) { if (SSL_CTX_check_private_key(ctx) <= 0) {
memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n", memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
@ -3530,6 +3502,14 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
} }
return 0; return 0;
end:
if (x)
X509_free(x);
if (in)
BIO_free(in);
return ret;
} }
int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err) int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)