MINOR: ssl: 'key-base' allows to load a 'key' from a specific path

The global 'key-base' keyword allows to read the 'key' parameter of a
crt-store load line using a path prefix.

This is the equivalent of the 'crt-base' keyword but for 'key'.

It only applies on crt-store.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 51aefb1faa780955152d450f530ee688dfdfd0ee..ecd4715ce97a14fcf8756215af548b81b0ff0ce6 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1278,6 +1278,7 @@ The following keywords are supported in the "global" section :
    - insecure-fork-wanted
    - insecure-setuid-wanted
    - issuers-chain-path
+   - key-base
    - localpeer
    - log
    - log-send-hostname
@@ -2017,6 +2018,11 @@ issuers-chain-path <dir>
   "issuers-chain-path" directory. All other certificates with the same issuer
   will share the chain in memory.
 
+key-base <dir>
+  Assigns a default directory to fetch SSL private keys from when a relative
+  path is used with "key" directives. Absolute locations specified prevail and
+  ignore "key-base". This option only works with a crt-store load line.
+
 limited-quic
   This setting must be used to explicitly enable the QUIC listener bindings when
   haproxy is compiled against a TLS/SSL stack without QUIC support, typically

diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 30e81e798b2d53f521c8fcef6aee03f74c83369e..ade1779856f4f5753ed38254d4334d5e13b9fdc8 100644 (file)
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -264,6 +264,7 @@ struct ssl_sock_ctx {
 
 struct global_ssl {
        char *crt_base;             /* base directory path for certificates */
+       char *key_base;             /* base directory path for private keys */
        char *ca_base;              /* base directory path for CAs and CRLs */
        char *issuers_chain_path;   /* from "issuers-chain-path" */
        int  skip_self_issued_ca;

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 0ba31d703faf5109881f123e989f2e81e2038ce5..467fbdad90dd463ba7f9b345ea8f40c11d0c8406 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -2093,16 +2093,23 @@ static int ssl_parse_default_server_options(char **args, int section_type, struc
        return 0;
 }
 
-/* parse the "ca-base" / "crt-base" keywords in global section.
+/* parse the "ca-base" / "crt-base" / "key-base" keywords in global section.
  * Returns <0 on alert, >0 on warning, 0 on success.
  */
-static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct proxy *curpx,
+static int ssl_parse_global_path_base(char **args, int section_type, struct proxy *curpx,
                                         const struct proxy *defpx, const char *file, int line,
                                         char **err)
 {
        char **target;
 
-       target = (args[0][1] == 'a') ? &global_ssl.ca_base : &global_ssl.crt_base;
+       if (args[0][1] == 'a')
+               target = &global_ssl.ca_base;
+       else if (args[0][1] == 'r')
+               target = &global_ssl.crt_base;
+       else if (args[0][1] == 'e')
+               target = &global_ssl.key_base;
+       else
+               return -1;
 
        if (too_many_args(1, args, err, NULL))
                return -1;
@@ -2387,8 +2394,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 INITCALL1(STG_REGISTER, srv_register_keywords, &srv_kws);
 
 static struct cfg_kw_list cfg_kws = {ILH, {
-       { CFG_GLOBAL, "ca-base",  ssl_parse_global_ca_crt_base },
-       { CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base },
+       { CFG_GLOBAL, "ca-base",  ssl_parse_global_path_base },
+       { CFG_GLOBAL, "crt-base", ssl_parse_global_path_base },
+       { CFG_GLOBAL, "key-base", ssl_parse_global_path_base },
        { CFG_GLOBAL, "issuers-chain-path", ssl_load_global_issuers_from_path },
        { CFG_GLOBAL, "maxsslconn", ssl_parse_global_int },
        { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 11ccb035097ecaf91f75b2520bbd3c551f5752b3..bd2ffe24f35cee04d5c4e62c3b1548cfcd457888 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -3998,7 +3998,7 @@ INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
 
 struct ckch_conf_kws ckch_conf_kws[] = {
        { "crt",    offsetof(struct ckch_conf, crt),    PARSE_TYPE_STR, ssl_sock_load_pem_into_ckch,           &global_ssl.crt_base },
-       { "key",    offsetof(struct ckch_conf, key),    PARSE_TYPE_STR, ssl_sock_load_key_into_ckch,           &global_ssl.crt_base },
+       { "key",    offsetof(struct ckch_conf, key),    PARSE_TYPE_STR, ssl_sock_load_key_into_ckch,           &global_ssl.key_base },
        { "ocsp",   offsetof(struct ckch_conf, ocsp),   PARSE_TYPE_STR, ssl_sock_load_ocsp_response_from_file, &global_ssl.crt_base },
        { "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ssl_sock_load_issuer_file_into_ckch,   &global_ssl.crt_base },
        { "sctl",   offsetof(struct ckch_conf, sctl),   PARSE_TYPE_STR, ssl_sock_load_sctl_from_file,          &global_ssl.crt_base },