MEDIUM: ssl: add extra_chain to ckch_data

The extra_chain member is a pointer to the 'issuers-chain-path' file
that completed the chain.

This is useful to get what chain file was used.

diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index 0e501e5565c902e70b10fed9a1a4eb68690027c1..27338331834671a8bee5b951b17d01fb4fe17b2e 100644 (file)
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -55,6 +55,7 @@ struct ckch_data {
        struct buffer *ocsp_response;
        X509 *ocsp_issuer;
        OCSP_CERTID *ocsp_cid;
+       struct issuer_chain *extra_chain; /* chain from 'issuers-chain-path' */
 };
 
 /* configuration for the ckch_store */

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 4fb119718c45df038b5b985eb4a56f027a80e00c..57a980cdb49f965d7787d05c70f3a42d146c26ac 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -580,6 +580,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
        EVP_PKEY *key = NULL;
        HASSL_DH *dh = NULL;
        STACK_OF(X509) *chain = NULL;
+       struct issuer_chain *issuer_chain = NULL;
 
        if (buf) {
                /* reading from a buffer */
@@ -649,11 +650,9 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
 
        /* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */
        if (chain == NULL) {
-               struct issuer_chain *issuer_chain;
                issuer_chain = ssl_get0_issuer_chain(cert);
-               if (issuer_chain) {
+               if (issuer_chain)
                        chain = X509_chain_up_ref(issuer_chain->chain);
-               }
        }
 
        ret = ERR_get_error();
@@ -684,6 +683,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
        SWAP(data->dh, dh);
        SWAP(data->cert, cert);
        SWAP(data->chain, chain);
+       SWAP(data->extra_chain, issuer_chain);
 
        ret = 0;