From: Remi Tricot-Le Breton
Date: Fri, 19 Feb 2021 14:06:28 +0000 (+0100)
Subject: MINOR: ssl: Allow duplicated entries in the cafile_tree
X-Git-Tag: v2.5-dev1~281
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f0c9360573bcd9f3c249fb91c42a8f06b091d7c;p=thirdparty%2Fhaproxy.git
MINOR: ssl: Allow duplicated entries in the cafile_tree In order to ease ca-file hot update via the CLI, the ca-file tree will need to allow duplicate entries for a given path. This patch simply enables it and offers a way to select either the oldest entry or the latest entry in the tree for a given path.
---
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 41bc7e1c8f..c8f0f2fed0 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -923,18 +923,42 @@ struct ckch_inst *ckch_inst_new()
 
 /******************** ssl_store functions ******************************/
 
-struct eb_root cafile_tree = EB_ROOT_UNIQUE;
+struct eb_root cafile_tree = EB_ROOT;
 
-X509_STORE* ssl_store_get0_locations_file(char *path)
+/*
+ * Returns the cafile_entry found in the cafile_tree indexed by the path 'path'.
+ * If 'oldest_entry' is 1, returns the "original" cafile_entry (since
+ * during a set cafile/commit cafile cycle there might be two entries for any
+ * given path, the original one and the new one set via the CLI but not
+ * committed yet).
+ */
+static struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry)
 {
+	struct cafile_entry *ca_e = NULL;
 	struct ebmb_node *eb;
 
 	eb = ebst_lookup(&cafile_tree, path);
-	if (eb) {
-		struct cafile_entry *ca_e;
+	while (eb) {
 		ca_e = ebmb_entry(eb, struct cafile_entry, node);
+		/* The ebst_lookup in a tree that has duplicates returns the
+		 * oldest entry first. If we want the latest entry, we need to
+		 * iterate over all the duplicates until we find the last one
+		 * (in our case there should never be more than two entries for
+		 * any given path). */
+		if (oldest_entry)
+			return ca_e;
+		eb = ebmb_next_dup(eb);
+	}
+	return ca_e;
+}
+
+X509_STORE* ssl_store_get0_locations_file(char *path)
+{
+	struct cafile_entry *ca_e = ssl_store_get_cafile_entry(path, 0);
+
+	if (ca_e)
 		return ca_e->ca_store;
-	}
+
 	return NULL;
 }
 
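Review bot: `ssl_store_get0_locations_file` now resolves `path` with `oldest_entry = 0`, so any caller that looks a store up while a `set ssl ca-file` is pending gets the not-yet-committed `X509_STORE` rather than the one currently in service, and the accessor's contract is not written anywhere — the new header comment documents `ssl_store_get_cafile_entry` but not which duplicate this public function hands out. I would add above it `/* Returns the most recently inserted (possibly uncommitted) store for 'path', or NULL. */` and, if any caller outside the CLI commit path must see the committed store, have it call `ssl_store_get_cafile_entry(path, 1)` instead. Changing `cafile_tree` from `EB_ROOT_UNIQUE` to `EB_ROOT` also changes every `ebst_insert` on this tree, not just the CLI one: an insert of an already-present path no longer returns the existing node, so insertion sites elsewhere in the file (outside this hunk) that relied on that for deduplication would now silently create a second store for the same path and should be checked. Finally, `oldest_entry` is documented as taking the value 1 but the loop treats any nonzero value as "oldest"; saying so in the comment, or naming it as a boolean flag, avoids a reader assuming other values select a different entry.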