MINOR: ssl: Chain instances in ca-file entries
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Tue, 20 Apr 2021 14:54:21 +0000 (16:54 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Mon, 17 May 2021 08:50:24 +0000 (10:50 +0200)
In order for crl-file hot update to be possible, we need to add an extra
link between the CA file tree entries that hold Certificate Revocation
Lists and the instances that use them. This way we will be able to
rebuild each instance upon CRL modification.
This mechanism is similar to what was done for the actual CA file update,
since both the CA files and the CRL files are stored in the same CA file
tree.

src/ssl_ckch.c

index 83442128e460afda97d3bcee508b041ba33a2f12..720e77e5222d2616302f2465ba28070c579b3d02 100644 (file)
@@ -1302,20 +1302,27 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi
        if (verify & SSL_VERIFY_PEER) {
                struct cafile_entry *ca_file_entry = NULL;
                struct cafile_entry *ca_verify_file_entry = NULL;
+               struct cafile_entry *crl_file_entry = NULL;
                if (srv) {
                        if (srv->ssl_ctx.ca_file) {
                                ca_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.ca_file, 0);
 
                        }
+                       if (srv->ssl_ctx.crl_file) {
+                               crl_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.crl_file, 0);
+                       }
                }
                else {
                        char *ca_file = (ssl_conf && ssl_conf->ca_file) ? ssl_conf->ca_file : bind_conf->ssl_conf.ca_file;
                        char *ca_verify_file = (ssl_conf && ssl_conf->ca_verify_file) ? ssl_conf->ca_verify_file : bind_conf->ssl_conf.ca_verify_file;
+                       char *crl_file = (ssl_conf && ssl_conf->crl_file) ? ssl_conf->crl_file : bind_conf->ssl_conf.crl_file;
 
                        if (ca_file)
                                ca_file_entry = ssl_store_get_cafile_entry(ca_file, 0);
                        if (ca_verify_file)
                                ca_verify_file_entry = ssl_store_get_cafile_entry(ca_verify_file, 0);
+                       if (crl_file)
+                               crl_file_entry = ssl_store_get_cafile_entry(crl_file, 0);
                }
 
                if (ca_file_entry) {
@@ -1331,6 +1338,12 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi
                        if (do_chain_inst_and_cafile(ca_verify_file_entry, ckch_inst))
                                return;
                }
+               if (crl_file_entry) {
+                       /* If we have a ckch instance that is not already in the
+                        * cafile_entry's list, add it to it. */
+                       if (do_chain_inst_and_cafile(crl_file_entry, ckch_inst))
+                               return;
+               }
        }
 }
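Review bot: When do_chain_inst_and_cafile() fails on crl_file_entry, the new block returns silently and the instance is left out of the CRL entry's list, so a later crl-file update will, going by the commit message, not rebuild this instance and it will keep validating against the CRL it was created with; the two earlier early returns on ca_file_entry and ca_verify_file_entry have the same effect for the CA lists. Because ckch_inst_add_cafile_link is void, the caller has no way to see that the link is missing, and nothing on the new lines records what a failure means. The failure path deserves at least a comment next to the return, e.g. `/* link failed (presumably allocation): instance stays unlinked and will not be rebuilt on CRL update */`, or an error report to the caller so an incomplete linkage is not silent. ckch_inst_add_cafile_link begins before the first hunk; its closing brace is the last line of this one.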