mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-09 16:47:18 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: Chain instances in ca-file entries

Browse Source 
In order for crl-file hot update to be possible, we need to add an extra
link between the CA file tree entries that hold Certificate Revocation
Lists and the instances that use them. This way we will be able to
rebuild each instance upon CRL modification.
This mechanism is similar to what was made for the actual CA file update
since both the CA files and the CRL files are stored in the same CA file
tree.
This commit is contained in:
Remi Tricot-Le Breton 2021-04-20 16:54:21 +02:00 committed by William Lallemand
parent 653a16769a
commit f81c70ceec
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/ssl_ckch.c
View File

@ -1302,20 +1302,27 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi
if (verify & SSL_VERIFY_PEER) { if (verify & SSL_VERIFY_PEER) {
struct cafile_entry *ca_file_entry = NULL; struct cafile_entry *ca_file_entry = NULL;
struct cafile_entry *ca_verify_file_entry = NULL; struct cafile_entry *ca_verify_file_entry = NULL;
struct cafile_entry *crl_file_entry = NULL;
if (srv) { if (srv) {
if (srv->ssl_ctx.ca_file) { if (srv->ssl_ctx.ca_file) {
ca_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.ca_file, 0); ca_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.ca_file, 0);
} }
if (srv->ssl_ctx.crl_file) {
crl_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.crl_file, 0);
}
} }
else { else {
char *ca_file = (ssl_conf && ssl_conf->ca_file) ? ssl_conf->ca_file : bind_conf->ssl_conf.ca_file; char *ca_file = (ssl_conf && ssl_conf->ca_file) ? ssl_conf->ca_file : bind_conf->ssl_conf.ca_file;
char *ca_verify_file = (ssl_conf && ssl_conf->ca_verify_file) ? ssl_conf->ca_verify_file : bind_conf->ssl_conf.ca_verify_file; char *ca_verify_file = (ssl_conf && ssl_conf->ca_verify_file) ? ssl_conf->ca_verify_file : bind_conf->ssl_conf.ca_verify_file;
char *crl_file = (ssl_conf && ssl_conf->crl_file) ? ssl_conf->crl_file : bind_conf->ssl_conf.crl_file;
if (ca_file) if (ca_file)
ca_file_entry = ssl_store_get_cafile_entry(ca_file, 0); ca_file_entry = ssl_store_get_cafile_entry(ca_file, 0);
if (ca_verify_file) if (ca_verify_file)
ca_verify_file_entry = ssl_store_get_cafile_entry(ca_verify_file, 0); ca_verify_file_entry = ssl_store_get_cafile_entry(ca_verify_file, 0);
if (crl_file)
crl_file_entry = ssl_store_get_cafile_entry(crl_file, 0);
} }
if (ca_file_entry) { if (ca_file_entry) {
@ -1331,6 +1338,12 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi
if (do_chain_inst_and_cafile(ca_verify_file_entry, ckch_inst)) if (do_chain_inst_and_cafile(ca_verify_file_entry, ckch_inst))
return; return;
} }
if (crl_file_entry) {
/* If we have a ckch instance that is not already in the
* cafile_entry's list, add it to it. */
if (do_chain_inst_and_cafile(crl_file_entry, ckch_inst))
return;
}
} }
} }