In commit
55e9e9591 ("MEDIUM: ssl: temporarily load files by detecting
their presence in crt-store"), ssl_sock_load_pem_into_ckch() was
replaced by ssl_sock_load_files_into_ckch() in the crt-store loading.
But the side effect was that we always try to autodetect, and this is
not what we want. This patch reverse this, and add specific code in the
crt-list loading, so we could autodetect in crt-list like it was done
before, but still try to load files when a crt-store filename keyword is
specified.
Example:
These crt-list lines won't autodetect files:
foobar.crt [key foobar.key issuer foobar.issuer ocsp-update on] *.foo.bar
foobar.crt [key foobar.key] *.foo.bar
These crt-list lines will autodect files:
foobar.pem [ocsp-update on] *.foo.bar
foobar.pem
extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
/* ckch_conf keyword loading */
-static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_files_into_ckch(value, d, err); }
+static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); }
static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }
-#REGTEST_TYPE=broken
+#REGTEST_TYPE=devel
varnishtest "Test the crt-store section"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
{
struct ckch_store *ckchs;
int cfgerr = ERR_NONE;
+ char *tmpcrt = conf->crt;
ckchs = ckch_store_new(name);
if (!ckchs) {
goto end;
}
+ /* this is done for retro-compatibility. When no "filename" crt-store
+ * options were configured in a crt-list, try to load the files by
+ * auto-detecting them. */
+ if ((conf->used == CKCH_CONF_SET_EMPTY || conf->used == CKCH_CONF_SET_CRTLIST) &&
+ (!conf->key && !conf->ocsp && !conf->issuer && !conf->sctl)) {
+ cfgerr = ssl_sock_load_files_into_ckch(conf->crt, ckchs->data, err);
+ if (cfgerr & ERR_FATAL)
+ goto end;
+ /* set conf->crt to NULL so it's not erased */
+ conf->crt = NULL;
+ }
+
+ /* load files using the ckch_conf */
cfgerr = ckch_store_load_files(conf, ckchs, 0, err);
if (cfgerr & ERR_FATAL)
goto end;
+ conf->crt = tmpcrt;
+
/* insert into the ckchs tree */
memcpy(ckchs->path, name, strlen(name) + 1);
ebst_insert(&ckchs_tree, &ckchs->node);
if (ckchs == NULL) {
if (stat(crt_path, &buf) == 0) {
found++;
- if (cc.used) {
- free(cc.crt);
- cc.crt = strdup(crt_path);
- ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err);
- } else {
- ckchs = ckch_store_new_load_files_path(crt_path, err);
- }
+ free(cc.crt);
+ cc.crt = strdup(crt_path);
+ ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err);
if (ckchs == NULL) {
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
projects / thirdparty / haproxy.git / commitdiff
