From: William Lallemand Date: Mon, 9 May 2022 07:29:00 +0000 (+0200) Subject: MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file X-Git-Tag: v2.6-dev10~74 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e4b93eb947362da8509ce28ace622684db62968e;p=thirdparty%2Fhaproxy.git MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file Ignore the files starting with a dot when trying to load a directory with the "ca-file directive". --- diff --git a/doc/configuration.txt b/doc/configuration.txt index b9e6e8067b..f4aba096d9 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13764,7 +13764,7 @@ ca-file designates a PEM file from which to load CA certificates used to verify client's certificate. It is possible to load a directory containing multiple CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and - .crl" available in the directory. + .crl" available in the directory, files starting with a dot are ignored. ca-ignore-err [all|,...] This setting is only available when support for OpenSSL was built in. @@ -14552,7 +14552,7 @@ ca-file designates a PEM file from which to load CA certificates used to verify server's certificate. It is possible to load a directory containing multiple CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and - .crl" available in the directory. + .crl" available in the directory, files starting with a dot are ignored. In order to use the trusted CAs of your system, the "@system-ca" parameter could be used in place of the cafile. The location of this directory could be diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index fd36545edc..a2810cb158 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c 
@@ -1216,13 +1216,15 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty * been loaded in an hashed directory loaded by * X509_LOOKUP_hash_dir, so according to "man 1 * c_rehash", we should load ".pem", ".crt", - * ".cer", or ".crl" + * ".cer", or ".crl". Files starting with a dot + * are ignored. */ end = strrchr(de->d_name, '.'); - if (!end || (strcmp(end, ".pem") != 0 && - strcmp(end, ".crt") != 0 && - strcmp(end, ".cer") != 0 && - strcmp(end, ".crl") != 0)) { + if (!end || de->d_name[0] == '.' || + (strcmp(end, ".pem") != 0 && + strcmp(end, ".crt") != 0 && + strcmp(end, ".cer") != 0 && + strcmp(end, ".crl") != 0)) { free(de); continue; }
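Review bot: in the first doc/configuration.txt hunk (client-side `ca-file`) the added wording is a comma splice: `.crl" available in the directory, files starting with a dot are ignored.` Split it, e.g. `.crl" available in the directory. Files starting with a dot are ignored.` While this line is being touched, the opening quote on `.crl"` is missing (pre-existing), so the list should read `".pem", ".crt", ".cer", and ".crl"`.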
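Review bot: the second doc/configuration.txt hunk (server-side `ca-file`) repeats the same comma splice and the same missing opening quote on `.crl"`; apply the same two-sentence wording there so both paragraphs stay identical.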
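Review bot: in the src/ssl_ckch.c hunk the new `de->d_name[0] == '.'` test sits after `end = strrchr(de->d_name, '.');`, so a dotfile is scanned for its extension before being rejected; putting the dot check first (`if (de->d_name[0] == '.' || !end || (strcmp(end, ".pem") != 0 && ...`) states the intent top-down and skips the needless scan. The comment change appends "Files starting with a dot are ignored." directly to the sentence that cites "man 1 c_rehash", which reads as if that man page prescribes the rule; nothing in the hunk or the commit message supports that attribution, so phrase it as HAProxy's own policy and put the motivation in the commit message, which currently says what changes but not why. Also worth a line there: directory entries named `.` and `..` are now rejected by the dot test rather than by the extension test, which is a harmless but visible behaviour shift.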