From: William Lallemand Date: Fri, 20 Nov 2020 13:23:38 +0000 (+0100) Subject: BUG/MEDIUM: ssl/crt-list: bundle support broken in crt-list X-Git-Tag: v2.4-dev1~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86c2dd60f1a0b8332a6ffc6e95dca27470fe44f7;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl/crt-list: bundle support broken in crt-list In issue #970 it was reported that the bundle loading does not work anymore with crt-list. This bug was introduced by 47da821 ("MEDIUM: ssl: emulates the multi-cert bundles in the crtlist") which incorrectly uses "path" instead of "crt_path" in the name resolution. Must be backported to 2.3.
---
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 5f5942b93f..ac2d849f60 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -447,7 +447,6 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 struct crtlist *newlist;
 struct crtlist_entry *entry = NULL;
 char thisline[CRT_LINESIZE];
- char path[MAXPATHLEN+1];
 FILE *f;
 struct stat buf;
 int linenum = 0;
@@ -470,6 +469,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 char *end;
 char *line = thisline;
 char *crt_path;
+ char path[MAXPATHLEN+1];
 struct ckch_store *ckchs;
 if (missing_lf != -1) {
@@ -564,7 +564,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 struct stat buf;
 int ret;
- ret = snprintf(fp, sizeof(fp), "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
+ ret = snprintf(fp, sizeof(fp), "%s.%s", crt_path, SSL_SOCK_KEYTYPE_NAMES[n]);
 if (ret > sizeof(fp)) continue;
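Review bot: The relocated declaration `char path[MAXPATHLEN+1];` in the second hunk (`@@ -470,6 +469,7 @@`) has no comment saying which of `path` and `crt_path` holds the name to use, and the commit message shows that mixing them up is exactly what broke bundle loading. Narrowing the scope helps, but a short comment on the declaration would guard against the same slip, for example `/* scratch buffer only; the resolved certificate name is crt_path */`. How `path` is filled is outside the hunk, so the wording should be checked against the loop body.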
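Review bot: The truncation test after the `snprintf` into `fp` in the third hunk (`@@ -564,7 +564,7 @@`) is off by one. `snprintf` returns the length it would have written without the terminating NUL, so `ret == sizeof(fp)` means the name lost its last character yet still passes `ret > sizeof(fp)`. The shortened name would then presumably be looked up as if it were the intended bundle file. `if (ret < 0 || (size_t)ret >= sizeof(fp)) continue;` rejects every truncation and makes the error return explicit instead of relying on the signed-to-unsigned conversion. The declaration of `fp` and the rest of the loop body are outside the hunk.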