CLEANUP: ssl: remove test on "multi" variable in ckch functions
authorWilliam Lallemand <wlallemand@haproxy.com>
Wed, 16 Sep 2020 14:08:08 +0000 (16:08 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Wed, 16 Sep 2020 14:28:26 +0000 (16:28 +0200)
Since the removal of the multi-certificate bundle support, this
variable is not useful anymore; we can remove all tests on this
variable and assume that every ckch contains a single certificate.

include/haproxy/ssl_ckch.h
src/ssl_ckch.c
src/ssl_crtlist.c
src/ssl_sock.c

index 46b91673bc726ad2206884952b634caa8dfc4df2..b41ce8ac1efab8f303b3846f2a6bdb46581e2b57 100644 (file)
@@ -45,10 +45,10 @@ static inline int ssl_sock_is_ckch_valid(struct cert_key_and_chain *ckch)
 #endif
 
 /* ckch_store functions */
-struct ckch_store *ckchs_load_cert_file(char *path, int multi, char **err);
+struct ckch_store *ckchs_load_cert_file(char *path, char **err);
 struct ckch_store *ckchs_lookup(char *path);
 struct ckch_store *ckchs_dup(const struct ckch_store *src);
-struct ckch_store *ckch_store_new(const char *filename, int nmemb);
+struct ckch_store *ckch_store_new(const char *filename);
 void ckch_store_free(struct ckch_store *store);
 
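Review bot: The new prototype of `ckchs_load_cert_file` still takes `char *path` while the neighbouring `ckch_store_new` takes `const char *filename`, and the visible body of ckchs_load_cert_file only reads `path` (it is passed to ckch_store_new, memcpy'd and handed to ssl_sock_load_files_into_ckch). Unless ssl_sock_load_files_into_ckch requires a mutable pointer, which this page does not show, `struct ckch_store *ckchs_load_cert_file(const char *path, char **err);` would make the contract explicit and match the sibling declaration; the same applies to `ckchs_lookup(char *path)`. Since the parameter list is being changed anyway, this is the moment to settle it.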
 
index 6309b657ebd7df74d89d685409da60a66f9116b4..2ba78300f01fe54e97a34a1451e59810db8c1010 100644 (file)
@@ -721,17 +721,7 @@ void ckch_store_free(struct ckch_store *store)
        if (!store)
                return;
 
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200L
-       if (store->multi) {
-               int n;
-
-               for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++)
-                       ssl_sock_free_cert_key_and_chain_contents(&store->ckch[n]);
-       } else
-#endif
-       {
-               ssl_sock_free_cert_key_and_chain_contents(store->ckch);
-       }
+       ssl_sock_free_cert_key_and_chain_contents(store->ckch);
 
        free(store->ckch);
        store->ckch = NULL;
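Review bot: The `multi` member of `struct ckch_store` does not appear to be removed by this commit (the ssl_ckch.h hunk only changes prototypes), so after this hunk and the ckch_store_new hunk the field is no longer written or read by the ckch code but still lives in the struct, which invites a later reader to assume it is honoured. If the field is indeed left in place, either drop it from the struct in the same series or mark it at its declaration with `/* unused since multi-certificate bundle support was removed */`. The beginning and end of ckch_store_free lie outside this hunk.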
@@ -750,7 +740,7 @@ void ckch_store_free(struct ckch_store *store)
  *
  * Return a ckch_store or NULL upon failure.
  */
-struct ckch_store *ckch_store_new(const char *filename, int nmemb)
+struct ckch_store *ckch_store_new(const char *filename)
 {
        struct ckch_store *store;
        int pathlen;
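Review bot: The block comment above `ckch_store_new` begins outside this hunk; only its last two lines (`Return a ckch_store or NULL upon failure.`) are visible, so please confirm the part above no longer describes the removed `nmemb` parameter. With the parameter gone, the comment should state what is now fixed, e.g. `Allocate a ckch_store named <filename> holding a single cert_key_and_chain.`, so callers do not look for a way to size the store.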
@@ -760,17 +750,12 @@ struct ckch_store *ckch_store_new(const char *filename, int nmemb)
        if (!store)
                return NULL;
 
-       if (nmemb > 1)
-               store->multi = 1;
-       else
-               store->multi = 0;
-
        memcpy(store->path, filename, pathlen + 1);
 
        LIST_INIT(&store->ckch_inst);
        LIST_INIT(&store->crtlist_entry);
 
-       store->ckch = calloc(nmemb, sizeof(*store->ckch));
+       store->ckch = calloc(1, sizeof(*store->ckch));
        if (!store->ckch)
                goto error;
 
@@ -786,24 +771,10 @@ struct ckch_store *ckchs_dup(const struct ckch_store *src)
 {
        struct ckch_store *dst;
 
-       dst = ckch_store_new(src->path, src->multi ? SSL_SOCK_NUM_KEYTYPES : 1);
+       dst = ckch_store_new(src->path);
 
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
-       if (src->multi) {
-               int n;
-
-               for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
-                       if (&src->ckch[n]) {
-                               if (!ssl_sock_copy_cert_key_and_chain(&src->ckch[n], &dst->ckch[n]))
-                                       goto error;
-                       }
-               }
-       } else
-#endif
-       {
-               if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
-                       goto error;
-       }
+       if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
+               goto error;
 
        return dst;
 
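Review bot: `dst` is dereferenced at `dst->ckch` in the new line without checking the result of `ckch_store_new(src->path)`, which is documented to return NULL on allocation failure; the previous code had the same gap, but the rewrite keeps it. Add `if (!dst) return NULL;` right after the call (or `goto error` if the error path below, which is outside this hunk, tolerates a NULL dst — ckch_store_free does return early on NULL). ckchs_dup's error label and the end of the function are not visible here.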
@@ -830,50 +801,22 @@ struct ckch_store *ckchs_lookup(char *path)
 /*
  * This function allocate a ckch_store and populate it with certificates from files.
  */
-struct ckch_store *ckchs_load_cert_file(char *path, int multi, char **err)
+struct ckch_store *ckchs_load_cert_file(char *path, char **err)
 {
        struct ckch_store *ckchs;
 
-       ckchs = ckch_store_new(path, multi ? SSL_SOCK_NUM_KEYTYPES : 1);
+       ckchs = ckch_store_new(path);
        if (!ckchs) {
                memprintf(err, "%sunable to allocate memory.\n", err && *err ? *err : "");
                goto end;
        }
-       if (!multi) {
 
-               if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
-                       goto end;
-
-               /* insert into the ckchs tree */
-               memcpy(ckchs->path, path, strlen(path) + 1);
-               ebst_insert(&ckchs_tree, &ckchs->node);
-       } else {
-               int found = 0;
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
-               char fp[MAXPATHLEN+1] = {0};
-               int n = 0;
-
-               /* Load all possible certs and keys */
-               for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
-                       struct stat buf;
-                       snprintf(fp, sizeof(fp), "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
-                       if (stat(fp, &buf) == 0) {
-                               if (ssl_sock_load_files_into_ckch(fp, &ckchs->ckch[n], err) == 1)
-                                       goto end;
-                               found = 1;
-                               ckchs->multi = 1;
-                       }
-               }
-#endif
+       if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
+               goto end;
 
-               if (!found) {
-                       memprintf(err, "%sDidn't find any certificate for bundle '%s'.\n", err && *err ? *err : "", path);
-                       goto end;
-               }
-               /* insert into the ckchs tree */
-               memcpy(ckchs->path, path, strlen(path) + 1);
-               ebst_insert(&ckchs_tree, &ckchs->node);
-       }
+       /* insert into the ckchs tree */
+       memcpy(ckchs->path, path, strlen(path) + 1);
+       ebst_insert(&ckchs_tree, &ckchs->node);
        return ckchs;
 
 end:
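Review bot: The new `memcpy(ckchs->path, path, strlen(path) + 1);` before `ebst_insert` is redundant: ckch_store_new already copies `filename` into `store->path` (visible in the ckch_store_new hunk, `memcpy(store->path, filename, pathlen + 1);`), so the same bytes are written twice and the second copy has no length check of its own. Keeping only `/* insert into the ckchs tree */` followed by `ebst_insert(&ckchs_tree, &ckchs->node);` makes the function clearer and leaves a single place where the path length is validated. The `end:` cleanup continues outside this hunk.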
@@ -1757,7 +1700,7 @@ static int cli_parse_new_cert(char **args, char *payload, struct appctx *appctx,
                goto error;
        }
        /* we won't support multi-certificate bundle here */
-       store = ckch_store_new(path, 1);
+       store = ckch_store_new(path);
        if (!store) {
                memprintf(&err, "unable to allocate memory.\n");
                goto error;
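Review bot: The comment `/* we won't support multi-certificate bundle here */` just above the changed call is now stale: with the count parameter removed from `ckch_store_new`, there is no longer a per-call choice to make, and bundle support is gone everywhere per the commit message. Either delete the comment or reword it to `/* ckch_store_new() always creates a single-certificate store */` so the next reader does not look for a bundle variant. cli_parse_new_cert starts and ends outside this hunk.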
index 1ab9468a5391b3a1aaae027136cfae4b45b75b2b..f7007efc6c7596e8b40edb0aaf3458fba5b1cfd6 100644 (file)
@@ -521,7 +521,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
                if (ckchs == NULL) {
                        if (stat(crt_path, &buf) == 0) {
 
-                               ckchs = ckchs_load_cert_file(crt_path, 0,  err);
+                               ckchs = ckchs_load_cert_file(crt_path, err);
                                if (ckchs == NULL) {
                                        cfgerr |= ERR_ALERT | ERR_FATAL;
                                        goto error;
@@ -554,7 +554,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
                                        ckchs = ckchs_lookup(fp);
                                        if (!ckchs && stat(fp, &buf) == 0) {
 
-                                               ckchs = ckchs_load_cert_file(fp, 0,  err);
+                                               ckchs = ckchs_load_cert_file(fp, err);
                                                if (ckchs == NULL) {
                                                        cfgerr |= ERR_ALERT | ERR_FATAL;
                                                        goto error;
@@ -660,7 +660,7 @@ int crtlist_load_cert_dir(char *path, struct bind_conf *bind_conf, struct crtlis
 
                        ckchs = ckchs_lookup(fp);
                        if (ckchs == NULL)
-                               ckchs = ckchs_load_cert_file(fp, 0,  err);
+                               ckchs = ckchs_load_cert_file(fp, err);
                        if (ckchs == NULL) {
                                free(de);
                                free(entry);
index 97f7802f5c903a75923e32d595da8c6551359b5d..f3b1b0e87ecd66f8f9852361bac034e9a4dcc198 100644 (file)
@@ -3773,7 +3773,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
        }
        if (stat(path, &buf) == 0) {
                if (S_ISDIR(buf.st_mode) == 0) {
-                       ckchs =  ckchs_load_cert_file(path, 0,  err);
+                       ckchs =  ckchs_load_cert_file(path, err);
                        if (!ckchs)
                                return ERR_ALERT | ERR_FATAL;
 
@@ -3800,7 +3800,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
                                        cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
                                } else {
                                        if (stat(fp, &buf) == 0) {
-                                               ckchs =  ckchs_load_cert_file(fp, 0,  err);
+                                               ckchs =  ckchs_load_cert_file(fp, err);
                                                if (!ckchs)
                                                        return ERR_ALERT | ERR_FATAL;
                                                cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);