From: William Lallemand Date: Tue, 21 May 2024 14:50:59 +0000 (+0200) Subject: MEDIUM: ssl: don't load file by discovering them in crt-store X-Git-Tag: v3.0-dev13~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6657fd1085ef5c5430524a45c1cd4fff95fce5d;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: don't load file by discovering them in crt-store In commit 55e9e9591 ("MEDIUM: ssl: temporarily load files by detecting their presence in crt-store"), ssl_sock_load_pem_into_ckch() was replaced by ssl_sock_load_files_into_ckch() in the crt-store loading. But the side effect was that we always try to autodetect, and this is not what we want. This patch reverse this, and add specific code in the crt-list loading, so we could autodetect in crt-list like it was done before, but still try to load files when a crt-store filename keyword is specified. Example: These crt-list lines won't autodetect files: foobar.crt [key foobar.key issuer foobar.issuer ocsp-update on] *.foo.bar foobar.crt [key foobar.key] *.foo.bar These crt-list lines will autodect files: foobar.pem [ocsp-update on] *.foo.bar foobar.pem --- diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h index 37f9265827..e6356637f8 100644 --- a/include/haproxy/ssl_ckch.h +++ b/include/haproxy/ssl_ckch.h @@ -82,7 +82,7 @@ extern struct cert_exts cert_exts[]; extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err); /* ckch_conf keyword loading */ -static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_files_into_ckch(value, d, err); } +static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); } static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); } static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); } static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); } diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc index 3b61712d84..685183ed93 100644 --- a/reg-tests/ssl/crt_store.vtc +++ b/reg-tests/ssl/crt_store.vtc @@ -1,4 +1,4 @@ -#REGTEST_TYPE=broken +#REGTEST_TYPE=devel varnishtest "Test the crt-store section" feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 9961e025bc..b178078d8a 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1024,6 +1024,7 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf * { struct ckch_store *ckchs; int cfgerr = ERR_NONE; + char *tmpcrt = conf->crt; ckchs = ckch_store_new(name); if (!ckchs) { @@ -1031,10 +1032,25 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf * goto end; } + /* this is done for retro-compatibility. When no "filename" crt-store + * options were configured in a crt-list, try to load the files by + * auto-detecting them. */ + if ((conf->used == CKCH_CONF_SET_EMPTY || conf->used == CKCH_CONF_SET_CRTLIST) && + (!conf->key && !conf->ocsp && !conf->issuer && !conf->sctl)) { + cfgerr = ssl_sock_load_files_into_ckch(conf->crt, ckchs->data, err); + if (cfgerr & ERR_FATAL) + goto end; + /* set conf->crt to NULL so it's not erased */ + conf->crt = NULL; + } + + /* load files using the ckch_conf */ cfgerr = ckch_store_load_files(conf, ckchs, 0, err); if (cfgerr & ERR_FATAL) goto end; + conf->crt = tmpcrt; + /* insert into the ckchs tree */ memcpy(ckchs->path, name, strlen(name) + 1); ebst_insert(&ckchs_tree, &ckchs->node); diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c index d1c7ef992c..71fa0a0b1e 100644 --- a/src/ssl_crtlist.c +++ b/src/ssl_crtlist.c @@ -606,13 +606,9 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu if (ckchs == NULL) { if (stat(crt_path, &buf) == 0) { found++; - if (cc.used) { - free(cc.crt); - cc.crt = strdup(crt_path); - ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err); - } else { - ckchs = ckch_store_new_load_files_path(crt_path, err); - } + free(cc.crt); + cc.crt = strdup(crt_path); + ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err); if (ckchs == NULL) { cfgerr |= ERR_ALERT | ERR_FATAL; goto error;