From: William Lallemand
Date: Thu, 10 Oct 2019 13:16:44 +0000 (+0200)
Subject: MINOR: ssl: load the sctl in/from the ckch
X-Git-Tag: v2.1-dev3~87
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a17f4116d5eb6b843dcacc7ab017b60ceca1946a;p=thirdparty%2Fhaproxy.git

MINOR: ssl: load the sctl in/from the ckch

Don't try to load the file containing the sctl each time we generate a SSL_CTX.

The .sctl is now loaded in the struct cert_key_and_chain only once and then loaded from this structure when creating a SSL_CTX.

Note that this now make possible the use of sctl with multi-cert bundles.
---
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index dd30ed437d..6f06efd160 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -98,6 +98,7 @@ struct cert_key_and_chain {
 EVP_PKEY *key;
 STACK_OF(X509) *chain;
 DH *dh;
+ struct buffer *sctl;
 };
 /*
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 29170aa461..bd1a6cca71 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1498,26 +1498,13 @@ int ssl_sock_sctl_parse_cbk(SSL *s, unsigned int ext_type, const unsigned char *
 return 1;
 }
-static int ssl_sock_load_sctl(SSL_CTX *ctx, const char *cert_path)
+static int ssl_sock_load_sctl(SSL_CTX *ctx, struct buffer *sctl)
 {
- char sctl_path[MAXPATHLEN+1];
 int ret = -1;
- struct stat st;
- struct buffer *sctl = NULL;
-
- snprintf(sctl_path, MAXPATHLEN+1, "%s.sctl", cert_path);
-
- if (stat(sctl_path, &st))
- return 1;
- if (ssl_sock_load_sctl_from_file(sctl_path, &sctl))
+ if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL))
 goto out;
- if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL)) {
- free(sctl);
- goto out;
- }
-
 SSL_CTX_set_ex_data(ctx, sctl_ex_index, sctl);
 ret = 0;
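Review bot: The new `sctl` member of struct cert_key_and_chain is undocumented, and nothing in this diff shows the ckch teardown path releasing it. I would add `/* SCT list loaded from <path>.sctl; owned by the ckch and attached to every SSL_CTX built from it as ex_data, never copied */` above the field. Whoever frees the ckch must also free this buffer now — the per-SSL_CTX allocation that used to own it is removed in src/ssl_sock.c — so please confirm the release path covers it.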
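Review bot: ssl_sock_load_sctl now stores a pointer it does not own — `sctl` belongs to the caller's ckch and is attached to ctx through SSL_CTX_set_ex_data without being copied — but the hunk adds no comment saying so, and with the `free(sctl)` on the failure path gone a reader of this function alone cannot tell who releases the buffer. A header comment such as `/* Registers the CT extension on ctx using the caller-owned sctl buffer; it is not copied, so it must outlive ctx. Returns 0 on success, -1 if the extension cannot be registered. */` would pin the contract. The old "no .sctl file present" return value of 1 is also gone, so every remaining caller must treat `< 0` as the only failure; the callers touched in this commit do. The function body continues past the hunk (the `out:` label).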
@@ -3028,6 +3015,24 @@ static int ssl_sock_load_crt_file_into_ckch(const char *path, BIO *buf, struct c
 goto end;
 }
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+ /* try to load the sctl file */
+ {
+ char fp[MAXPATHLEN+1];
+ struct stat st;
+
+ snprintf(fp, MAXPATHLEN+1, "%s.sctl", path);
+ if (stat(fp, &st) == 0) {
+ if (ssl_sock_load_sctl_from_file(fp, &ckch->sctl)) {
+ memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
+ *err ? *err : "", fp);
+ ret = 1;
+ goto end;
+ }
+ }
+ }
+#endif
+
 ret = 0;
 end:
@@ -3098,6 +3103,16 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 }
 #endif
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+ if (sctl_ex_index >= 0 && ckch->sctl) {
+ if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
+ memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
+ *err ? *err : "", path);
+ return 1;
+ }
+ }
+#endif
+
 return 0;
 }
@@ -3627,17 +3642,6 @@ static struct ckch_inst *ckch_inst_new_load_store(const char *path, struct ckch_
 ssl_sock_set_ocsp_response_from_file(ctx, path);
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
- if (sctl_ex_index >= 0) {
- if (ssl_sock_load_sctl(ctx, path) < 0) {
- if (err)
- memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
- *err ? *err : "", path);
- goto error;
- }
- }
-#endif
-
 #ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
 if (bind_conf->default_ctx) {
 memprintf(err, "%sthis version of openssl cannot load multiple SSL certificates.\n",
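Review bot: The error message in the new sctl block doubles the suffix: `fp` is already built as `"%s.sctl"` from `path`, yet the format string is `'%s.sctl'`, so a failure is reported against `cert.pem.sctl.sctl`; the message also carries the stray quote before the period that the old call site had. Use `memprintf(err, "%s '%s' is present but cannot be read or parsed.\n", *err ? *err : "", fp);` or keep the old format and pass `path`. The block also inherits the stat-then-read sequence of the old loader, so a file removed between the two calls now surfaces as a config error via `ret = 1` instead of being treated as absent; worth a comment if that is intended. The enclosing function starts outside the hunk.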
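Review bot: The message emitted in ssl_sock_put_ckch_into_ctx is misleading: `ckch->sctl` has already been read and parsed when the ckch was loaded (the hunk at +3015), so a `< 0` return from ssl_sock_load_sctl can only mean SSL_CTX_add_server_custom_ext refused the extension, not that the file is unreadable. Something like `memprintf(err, "%s unable to register the sctl extension for '%s'.\n", *err ? *err : "", path);` would name the real cause. The removed call site in ckch_inst_new_load_store guarded this with `if (err)`, while the new code evaluates `*err` unconditionally — fine only if every caller of this function passes a non-NULL `err`, which the hunk does not show. Finally, the same `ckch->sctl` pointer is now attached as ex_data to every SSL_CTX created from this ckch, so freeing or replacing the ckch while those contexts are alive would leave them with a dangling pointer; the release path is not visible here and needs confirming.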