From: William Lallemand Date: Mon, 9 Mar 2020 15:56:39 +0000 (+0100) Subject: BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters X-Git-Tag: v2.2-dev5~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6763016866721a5c27b6a481783490e3c1692f8b;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters Since commit 244b070 ("MINOR: ssl/cli: support crt-list filters"), HAProxy generates a list of filters based on the sni_ctx in memory. However it's not always relevant, sometimes no filters were configured and the CN/SAN in the new certificate are not the same. This patch fixes the issue by using a flag filters in the ckch_inst, so we are able to know if there were filters or not. In the late case it uses the CN/SAN of the new certificate to generate the sni_ctx. note: filters are still only used in the crt-list atm.
---
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index 716be8936c..b0104486d4 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -129,6 +129,7 @@ struct ckch_inst {
 struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
 struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
 struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
+ unsigned int filters:1; /* using sni filters ? */
 unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
 /* space for more flag there */
 struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index eeae7c4f45..ef3091e3c3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4188,6 +4188,7 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c
 ckch_inst->bind_conf = bind_conf;
 ckch_inst->ssl_conf = ssl_conf;
 ckch_inst->ckch_store = ckchs;
+ ckch_inst->filters = !!fcount;
 end:
 if (names)
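Review bot: The comment on the new `filters` bit, `/* using sni filters ? */`, does not say what the bit decides, although the commit-cert handler in src/ssl_sock.c now branches on it when it rebuilds an instance. Suggest `/* set when the instance was built from explicit crt-list filters; when clear, a commit regenerates its sni_ctx from the new certificate's CN/SAN */`. The rest of struct ckch_inst and its allocation are outside the hunk, so whether the bit starts cleared for instances created elsewhere cannot be checked here.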
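Review bot: `ckch_inst->filters = !!fcount;` in ckch_inst_new_load_multi_store records a policy that a reader of this constructor cannot see — an instance loaded with no filters will later be regenerated from the certificate's CN/SAN by `commit ssl cert` — and the identical line in ckch_inst_new_load_store (the hunk at -4377) has the same gap. A one-line comment above both, `/* no filters at load time: a later commit rebuilds sni_ctx from the new cert's CN/SAN */`, would make the dependency between the two sites explicit. Both functions start outside their hunks, so where `fcount` comes from on the error paths is not visible.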
@@ -4377,6 +4378,7 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs,
 ckch_inst->bind_conf = bind_conf;
 ckch_inst->ssl_conf = ssl_conf;
 ckch_inst->ckch_store = ckchs;
+ ckch_inst->filters = !!fcount;
 *ckchi = ckch_inst;
 return errcode;
@@ -11006,10 +11008,11 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 appctx->ctx.ssl.next_ckchi = ckchi;
 goto yield;
 }
-
- errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
- if (errcode & ERR_CODE)
- goto error;
+ if (ckchi->filters) {
+ errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
+ if (errcode & ERR_CODE)
+ goto error;
+ }
 if (new_ckchs->multi)
 errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
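Review bot: On the new `!ckchi->filters` path nothing in the hunk assigns `sni_filter` or `fcount` before they are passed to ckch_inst_new_load_multi_store, so the call relies on them still holding their initial NULL/0; since this handler walks several instances (`next_ckchi`, `goto yield`), they may instead hold the list built for an earlier, filtered instance unless that list is freed and reset after each iteration, which is outside the hunk. If it is not, a filter-less instance would be rebuilt with another instance's filters and the new instance would come back with `filters = 1`. An explicit `} else { sni_filter = NULL; fcount = 0; }` after the added block makes the intent local to this branch, provided the previous list has been released elsewhere first. cli_io_handler_commit_cert starts and ends outside the hunk.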