From: William Lallemand Date: Mon, 13 Feb 2023 14:24:01 +0000 (+0100) Subject: BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords X-Git-Tag: v2.8-dev5~198 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=44979ad680c1abcb33b2a2b2308bd3164f1f9465;p=thirdparty%2Fhaproxy.git BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind accept-netscaler-cip +1 | bind accept-proxy | - bind allow-0rtt | - bind alpn +1 | bind backlog +1 | - bind ca-file +1 | - bind ca-ignore-err +1 | - bind ca-sign-file +1 | - bind ca-sign-pass +1 | - bind ca-verify-file +1 | - bind ciphers +1 | - bind ciphersuites +1 | - bind crl-file +1 | - bind crt +1 | - bind crt-ignore-err +1 | - bind crt-list +1 | - bind curves +1 | bind defer-accept | - bind ecdhe +1 | bind expose-fd +1 | - bind force-sslv3 | - bind force-tlsv10 | - bind force-tlsv11 | - bind force-tlsv12 | - bind force-tlsv13 | - bind generate-certificates | bind gid +1 | bind group +1 | bind id +1 | 
@@ -225,48 +204,52 @@ listen | bind name +1 | bind namespace +1 | bind nice +1 | - bind no-ca-names | - bind no-sslv3 | - bind no-tls-tickets | - bind no-tlsv10 | - bind no-tlsv11 | - bind no-tlsv12 | - bind no-tlsv13 | - bind npn +1 | - bind prefer-client-ciphers | bind process +1 | bind proto +1 | bind severity-output +1 | bind shards +1 | - bind ssl | - bind ssl-max-ver +1 | - bind ssl-min-ver +1 | - bind strict-sni | bind tcp-ut +1 | bind tfo | bind thread +1 | - bind tls-ticket-keys +1 | bind transparent | bind uid +1 | bind user +1 | bind v4v6 | bind v6only | - bind verify +1 | bind ssl allow-0rtt | bind ssl alpn +1 | bind ssl ca-file +1 | + bind ssl ca-ignore-err +1 | + bind ssl ca-sign-file +1 | + bind ssl ca-sign-pass +1 | bind ssl ca-verify-file +1 | bind ssl ciphers +1 | bind ssl ciphersuites +1 | bind ssl crl-file +1 | + bind ssl crt +1 | + bind ssl crt-ignore-err +1 | + bind ssl crt-list +1 | bind ssl curves +1 | bind ssl ecdhe +1 | + bind ssl force-sslv3 | + bind ssl force-tlsv10 | + bind ssl force-tlsv11 | + bind ssl force-tlsv12 | + bind ssl force-tlsv13 | + bind ssl generate-certificates | bind ssl no-ca-names | + bind ssl no-sslv3 | + bind ssl no-tls-tickets | + bind ssl no-tlsv10 | + bind ssl no-tlsv11 | + bind ssl no-tlsv12 | + bind ssl no-tlsv13 | bind ssl npn +1 | - bind ssl ocsp-update +1 | + bind ssl prefer-client-ciphers | bind ssl ssl-max-ver +1 | bind ssl ssl-min-ver +1 | + bind ssl strict-sni | + bind ssl tls-ticket-keys +1 | bind ssl verify +1 | server addr +1 | server agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @! [MASTER] | @ [MASTER] --- 
diff --git a/include/haproxy/cfgparse.h b/include/haproxy/cfgparse.h index b569b4dbc6..29937ff9bd 100644 --- a/include/haproxy/cfgparse.h +++ b/include/haproxy/cfgparse.h @@ -35,6 +35,7 @@ struct acl_cond; #define CFG_LISTEN 2 #define CFG_USERLIST 3 #define CFG_PEERS 4 +#define CFG_CRTLIST 5 /* various keyword modifiers */ enum kw_mod { diff --git a/src/cfgparse.c b/src/cfgparse.c index f4041157f6..06ee980972 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -4715,7 +4715,8 @@ void cfg_restore_sections(struct list *backup_sections) /* dumps all registered keywords by section on stdout */ void cfg_dump_registered_keywords() { - const char* sect_names[] = { "", "global", "listen", "userlist", "peers", 0 }; + /* CFG_GLOBAL, CFG_LISTEN, CFG_USERLIST, CFG_PEERS, CFG_CRTLIST */ + const char* sect_names[] = { "", "global", "listen", "userlist", "peers", "crt-list", 0 }; int section; int index; @@ -4742,22 +4743,24 @@ void cfg_dump_registered_keywords() extern struct list tcp_req_conn_keywords, tcp_req_sess_keywords, tcp_req_cont_keywords, tcp_res_cont_keywords; extern struct bind_kw_list bind_keywords; - extern struct ssl_crtlist_kw ssl_crtlist_kws[] __maybe_unused; extern struct srv_kw_list srv_keywords; struct bind_kw_list *bkwl; struct srv_kw_list *skwl; const struct bind_kw *bkwp, *bkwn; const struct srv_kw *skwp, *skwn; - const struct ssl_crtlist_kw *sbkwp __maybe_unused, *sbkwn __maybe_unused; const struct cfg_opt *coptp, *coptn; + /* display the non-ssl keywords */ for (bkwn = bkwp = NULL;; bkwp = bkwn) { list_for_each_entry(bkwl, &bind_keywords.list, list) { - for (index = 0; bkwl->kw[index].kw != NULL; index++) + if (strcmp(bkwl->scope, "SSL") == 0) /* skip SSL keywords */ + continue; + for (index = 0; bkwl->kw[index].kw != NULL; index++) { if (strordered(bkwp ? bkwp->kw : NULL, bkwl->kw[index].kw, bkwn != bkwp ? bkwn->kw : NULL)) bkwn = &bkwl->kw[index]; + } } if (bkwn == bkwp) break; 
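Review bot: The scope test in the new non-SSL loop, `if (strcmp(bkwl->scope, "SSL") == 0)`, dereferences `bkwl->scope` unconditionally, so a registered `bind_kw_list` that leaves `scope` NULL would crash the dumper; whether every registered list sets a scope cannot be seen from this hunk. The same literal is compared again in the SSL loop of the next hunk, so one helper would keep the two in step, e.g. `static int bind_kwl_is_ssl(const struct bind_kw_list *kwl) { return kwl->scope && strcmp(kwl->scope, "SSL") == 0; }`. The `/* display the non-ssl keywords */` comment would be more useful if it said why the split exists, e.g. `/* SSL-scoped bind keywords are dumped below with a "bind ssl" prefix */`. The enclosing function cfg_dump_registered_keywords starts before this hunk.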
@@ -4767,24 +4770,31 @@ void cfg_dump_registered_keywords() else printf("\tbind %s +%d\n", bkwn->kw, bkwn->skip); } - #if defined(USE_OPENSSL) - for (sbkwn = sbkwp = NULL;; sbkwp = sbkwn) { - for (index = 0; ssl_crtlist_kws[index].kw != NULL; index++) { - if (strordered(sbkwp ? sbkwp->kw : NULL, - ssl_crtlist_kws[index].kw, - sbkwn != sbkwp ? sbkwn->kw : NULL)) - sbkwn = &ssl_crtlist_kws[index]; + /* displays the "ssl" keywords */ + for (bkwn = bkwp = NULL;; bkwp = bkwn) { + list_for_each_entry(bkwl, &bind_keywords.list, list) { + if (strcmp(bkwl->scope, "SSL") != 0) /* skip non-SSL keywords */ + continue; + for (index = 0; bkwl->kw[index].kw != NULL; index++) { + if (strordered(bkwp ? bkwp->kw : NULL, + bkwl->kw[index].kw, + bkwn != bkwp ? bkwn->kw : NULL)) + bkwn = &bkwl->kw[index]; + } } - if (sbkwn == sbkwp) + if (bkwn == bkwp) break; - if (!sbkwn->skip) - printf("\tbind ssl %s\n", sbkwn->kw); + + if (strcmp(bkwn->kw, "ssl") == 0) /* skip "bind ssl ssl" */ + continue; + + if (!bkwn->skip) + printf("\tbind ssl %s\n", bkwn->kw); else - printf("\tbind ssl %s +%d\n", sbkwn->kw, sbkwn->skip); + printf("\tbind ssl %s +%d\n", bkwn->kw, bkwn->skip); } #endif - for (skwn = skwp = NULL;; skwp = skwn) { list_for_each_entry(skwl, &srv_keywords.list, list) { for (index = 0; skwl->kw[index].kw != NULL; index++) 
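Review bot: The new `if (strcmp(bkwn->kw, "ssl") == 0) continue;` makes the `ssl` bind keyword disappear from the dump entirely: it is no longer printed by the non-SSL loop (the commit message's output diff shows `- bind ssl` with no replacement line) and it is skipped here. Since `ssl` is itself a valid bind keyword, print it instead of dropping it, e.g. `if (strcmp(bkwn->kw, "ssl") == 0) { printf("\tbind ssl\n"); continue; }`. A comment such as `/* "ssl" enables the scope itself; the other SSL keywords are listed with a "bind ssl" prefix */` would explain the special case to the next reader. The function continues outside this hunk.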
@@ -4835,6 +4845,29 @@ void cfg_dump_registered_keywords() dump_act_rules(&http_res_keywords.list, "\thttp-response "); dump_act_rules(&http_after_res_keywords.list, "\thttp-after-response "); } + if (section == CFG_CRTLIST) { + /* displays the keyword available for the crt-lists */ + extern struct ssl_crtlist_kw ssl_crtlist_kws[] __maybe_unused; + const struct ssl_crtlist_kw *sbkwp __maybe_unused, *sbkwn __maybe_unused; + +#if defined(USE_OPENSSL) + for (sbkwn = sbkwp = NULL;; sbkwp = sbkwn) { + for (index = 0; ssl_crtlist_kws[index].kw != NULL; index++) { + if (strordered(sbkwp ? sbkwp->kw : NULL, + ssl_crtlist_kws[index].kw, + sbkwn != sbkwp ? sbkwn->kw : NULL)) + sbkwn = &ssl_crtlist_kws[index]; + } + if (sbkwn == sbkwp) + break; + if (!sbkwn->skip) + printf("\t%s\n", sbkwn->kw); + else + printf("\t%s +%d\n", sbkwn->kw, sbkwn->skip); + } +#endif + + } } }
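Review bot: The `crt-list` entry is added to `sect_names` unconditionally while its keyword walk is under `#if defined(USE_OPENSSL)`, so a build without OpenSSL would presumably print an empty `crt-list` header if the section-name loop (outside this hunk) prints every entry of the table; either guard the header the same way or document the empty section. The function-local `extern struct ssl_crtlist_kw ssl_crtlist_kws[]` declaration sits outside the `#if` as well, which only works if the type is declared regardless of OpenSSL, as the pre-patch declaration at the top of the function suggests; a one-line note like `/* table is declared without OpenSSL too; only the walk needs USE_OPENSSL */` would save a check. The loop body repeats the sort-and-print walk used for the bind keywords above; a small static helper taking the keyword table and a prefix would remove the duplication.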