From: Remi Tricot-Le Breton Date: Tue, 20 Apr 2021 14:54:21 +0000 (+0200) Subject: MINOR: ssl: Chain instances in ca-file entries X-Git-Tag: v2.5-dev1~263 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f81c70ceececceb83131c04039c3a67b52aefbd0;p=thirdparty%2Fhaproxy.git MINOR: ssl: Chain instances in ca-file entries In order for crl-file hot update to be possible, we need to add an extra link between the CA file tree entries that hold Certificate Revocation Lists and the instances that use them. This way we will be able to rebuild each instance upon CRL modification. This mechanism is similar to what was made for the actual CA file update since both the CA files and the CRL files are stored in the same CA file tree. --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 83442128e4..720e77e522 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1302,20 +1302,27 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi if (verify & SSL_VERIFY_PEER) { struct cafile_entry *ca_file_entry = NULL; struct cafile_entry *ca_verify_file_entry = NULL; + struct cafile_entry *crl_file_entry = NULL; if (srv) { if (srv->ssl_ctx.ca_file) { ca_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.ca_file, 0); } + if (srv->ssl_ctx.crl_file) { + crl_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.crl_file, 0); + } } else { char *ca_file = (ssl_conf && ssl_conf->ca_file) ? ssl_conf->ca_file : bind_conf->ssl_conf.ca_file; char *ca_verify_file = (ssl_conf && ssl_conf->ca_verify_file) ? ssl_conf->ca_verify_file : bind_conf->ssl_conf.ca_verify_file; + char *crl_file = (ssl_conf && ssl_conf->crl_file) ? ssl_conf->crl_file : bind_conf->ssl_conf.crl_file; if (ca_file) ca_file_entry = ssl_store_get_cafile_entry(ca_file, 0); if (ca_verify_file) ca_verify_file_entry = ssl_store_get_cafile_entry(ca_verify_file, 0); + if (crl_file) + crl_file_entry = ssl_store_get_cafile_entry(crl_file, 0); } if (ca_file_entry) { 
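Review bot: The new `crl_file_entry` lookups in this hunk carry no comment saying why a revocation list is fetched through `ssl_store_get_cafile_entry()` and later chained to the instance like a CA file; that rationale lives only in the commit message, and a reader of `ckch_inst_add_cafile_link()` cannot tell whether the CRL being in the CA-file tree is intentional or accidental. A one-line comment above the added `struct cafile_entry *crl_file_entry = NULL;` would fix this: `/* CRLs are kept in the same cafile tree as CA files; linking the crl-file entry lets a CRL hot update rebuild this instance. */`. The three lookups in the `else` branch are also identical in shape, so if a fourth file kind is ever added it may be worth folding them into a small table rather than extending the copy-paste. The enclosing function starts before this hunk; only its `verify & SSL_VERIFY_PEER` body is visible here.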
@@ -1331,6 +1338,12 @@ void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bi if (do_chain_inst_and_cafile(ca_verify_file_entry, ckch_inst)) return; } + if (crl_file_entry) { + /* If we have a ckch instance that is not already in the + * cafile_entry's list, add it to it. */ + if (do_chain_inst_and_cafile(crl_file_entry, ckch_inst)) + return; + } } }
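Review bot: The added `crl_file_entry` block is only reached when the preceding `do_chain_inst_and_cafile()` call succeeded, and a failure of its own call is dropped by the `return;` in a void function, so the caller never learns that the link was not recorded; an instance left out of the CRL entry's list will not be rebuilt by a later crl-file hot update and will keep checking revocation against the old list with no diagnostic. That is security-relevant because it turns a likely allocation failure into a silently stale CRL. At minimum the intent should be recorded, e.g. above the new `if (do_chain_inst_and_cafile(crl_file_entry, ckch_inst))`: `/* NOTE: a failed link is not reported; this instance would then miss future CRL hot updates. */`, and a follow-up could surface the failure (a warning through the project's logging helper, or a return code once callers can be adapted). The function's opening and its earlier `ca_file_entry` handling lie outside this hunk.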