From: William Lallemand
Date: Wed, 17 Jul 2024 11:32:43 +0000 (+0200)
Subject: MEDIUM: ssl: add extra_chain to ckch_data
X-Git-Tag: v3.1-dev4~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=344c3ce8fc08daaed7b2828aed6ccd8c3da9ee1b;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: add extra_chain to ckch_data

The extra_chain member is a pointer to the 'issuers-chain-path' file that completed the chain. This is useful to get what chain file was used.
---
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index 0e501e5565..2733833183 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -55,6 +55,7 @@ struct ckch_data {
 	struct buffer *ocsp_response;
 	X509 *ocsp_issuer;
 	OCSP_CERTID *ocsp_cid;
+	struct issuer_chain *extra_chain; /* chain from 'issuers-chain-path' */
 };
 
 /* configuration for the ckch_store */
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 4fb119718c..57a980cdb4 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -580,6 +580,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
 	EVP_PKEY *key = NULL;
 	HASSL_DH *dh = NULL;
 	STACK_OF(X509) *chain = NULL;
+	struct issuer_chain *issuer_chain = NULL;
 
 	if (buf) {
 		/* reading from a buffer */
@@ -649,11 +650,9 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
 	/* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */
 	if (chain == NULL) {
-		struct issuer_chain *issuer_chain;
 		issuer_chain = ssl_get0_issuer_chain(cert);
-		if (issuer_chain) {
+		if (issuer_chain)
 			chain = X509_chain_up_ref(issuer_chain->chain);
-		}
 	}
 
 	ret = ERR_get_error();
@@ -684,6 +683,7 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
 	SWAP(data->dh, dh);
 	SWAP(data->cert, cert);
 	SWAP(data->chain, chain);
+	SWAP(data->extra_chain, issuer_chain);
 
 	ret = 0;
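Review bot: The new `extra_chain` member in `struct ckch_data` says where the pointer comes from but not who owns it, and that is the property every copy and free path of a ckch_data needs to know. The value is obtained through `ssl_get0_issuer_chain()` in the ssl_ckch.c hunk, and the `get0` naming suggests a borrowed reference into the issuers-chain-path store rather than an owned object, so a later change that frees it alongside `chain` would be a double free, while a change that frees the store first would leave this pointer dangling. I would make the contract explicit on the field: `struct issuer_chain *extra_chain; /* borrowed from the 'issuers-chain-path' store, not owned by ckch_data: never freed here, NULL when the PEM carried its own chain */`, assuming the borrowed semantics are confirmed.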
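Review bot: Hoisting `issuer_chain` to function scope means it is only assigned inside the `if (chain == NULL)` branch, so when the PEM already supplies a chain it stays at the NULL it was initialised to in the earlier hunk and the later `SWAP(data->extra_chain, issuer_chain)` correctly clears a stale value on reload; that behaviour is worth a one-line comment next to the SWAP, e.g. `/* NULL when the chain came from the PEM itself */`, since nothing else in the function makes the reset visible. What the commit does not show is whether the helpers that duplicate or release a ckch_data were taught about the new member; if a duplicate leaves `extra_chain` unset, the "which chain file was used" information is lost on the copy, which is the whole point of the change, so I would check those paths. The body of ssl_sock_load_pem_into_ckch starts and ends outside this hunk. Dropping the braces around the single-statement `if (issuer_chain)` is a pure style change mixed into a functional commit and could have been left out.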