From 20718f40b60f9aca33966c767caa4c4cd0cd9c4c Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Wed, 2 Apr 2025 11:40:42 +0200
Subject: [PATCH] MEDIUM: ssl/ckch: add filename and linenum argument to crt-store parsing
Add filename and linenum arguments to the crt-store / ckch_conf parsing. It allows to use them in the parsing function so we could emits error.
---
 include/haproxy/ssl_ckch-t.h | 2 +-
 include/haproxy/ssl_ckch.h | 30 +++++++++++++++---------------
 include/haproxy/ssl_ocsp.h | 2 +-
 src/ssl_ckch.c | 12 ++++++------
 src/ssl_crtlist.c | 4 ++--
 5 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index 00705b41e..b4ec91f31 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -192,7 +192,7 @@ struct ckch_conf_kws {
 const char *name;
 ssize_t offset;
 enum parse_type_t type;
- int (*func)(void *value, char *buf, struct ckch_data *d, int cli, char **err);
+ int (*func)(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
 };
 extern struct ckch_conf_kws ckch_conf_kws[];
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 16a1f20cf..19ebac556 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
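Review bot: The new `filename` and `linenum` parameters of the `func` callback in `struct ckch_conf_kws` carry no comment, and the callers in this patch feed them from two different sources: the configuration parser's file and line in `crtstore_parse_load` and `crtlist_load_crt`, and the placeholder `"CLI"`/`1` in `cli_parse_add_crtlist`. A comment on the member would tell a callback author what to expect, e.g. `/* filename/linenum: location of the directive being parsed, for error reporting; a placeholder when cli != 0 */`. The struct's opening line is outside the hunk.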
@@ -41,13 +41,13 @@ int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch
 /* ckch_store functions */
 struct ckch_store *ckch_store_new_load_files_path(char *path, char **err);
-struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *conf, char **err);
+struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *conf, const char *filename, int linenum, char **err);
 struct ckch_store *ckchs_lookup(char *path);
 struct ckch_store *ckchs_dup(const struct ckch_store *src);
 struct ckch_store *ckch_store_new(const char *filename);
 void ckch_store_free(struct ckch_store *store);
 void ckch_store_replace(struct ckch_store *old_ckchs, struct ckch_store *new_ckchs);
-int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, char **err);
+int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, const char *file, int linenum, char **err);
 /* ckch_conf functions */
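Review bot: The prototype of `ckch_store_new_load_files_conf` names the new parameter `filename` while its definition in src/ssl_ckch.c (the `@@ -1095` hunk) names it `file`, and `ckch_store_load_files` uses `file` in both the prototype and the definition. `ckch_store_new(const char *filename)` two lines below also uses `filename` for a certificate path, so the same word would now denote two different things in one header. Aligning the prototype with the definition avoids that: `struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *conf, const char *file, int linenum, char **err);`. The `func` pointer in ssl_ckch-t.h and `ocsp_update_init` in ssl_ocsp.h use the `filename` spelling too; whichever is kept, one name throughout is easier to grep.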
@@ -89,19 +89,19 @@ extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **er
 * The following macro allow to declare a wrapper on function that actually load files
 * */
-#define DECLARE_CKCH_CONF_LOAD(name, base, callback) \
-static inline int ckch_conf_load_##name(void *value, char *buf, struct ckch_data *d, int cli, char **err) \
-{ \
- char path[PATH_MAX]; \
- int err_code = 0; \
- if (cli) \
- return 0; \
- err_code |= path_base(value, (base), path, err); \
- if (err_code & ERR_CODE) \
- goto out; \
- err_code |= (callback)(path, buf, d, err); \
-out: \
- return err_code; \
+#define DECLARE_CKCH_CONF_LOAD(name, base, callback) \
+static inline int ckch_conf_load_##name(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err) \
+{ \
+ char path[PATH_MAX]; \
+ int err_code = 0; \
+ if (cli) \
+ return 0; \
+ err_code |= path_base(value, (base), path, err); \
+ if (err_code & ERR_CODE) \
+ goto out; \
+ err_code |= (callback)(path, buf, d, err); \
+out: \
+ return err_code; \
 };
 #endif /* USE_OPENSSL */
diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index f6a72b94c..e7828b6f0 100644
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -55,7 +55,7 @@ void ssl_destroy_ocsp_update_task(void);
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
-int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, char **err);
+int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 9414e8e3b..e8dbc64db 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
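Review bot: Inside `DECLARE_CKCH_CONF_LOAD` the added `filename` and `linenum` parameters are never read: they are neither forwarded to `(callback)(path, buf, d, err)` nor used on the `path_base` error path, so the generated `ckch_conf_load_*` wrappers still cannot say which configuration line a bad certificate path came from, which the commit message gives as the purpose of the change. If forwarding is deferred to a later patch, a comment in the macro would record that, e.g. `/* filename/linenum are accepted to match the ckch_conf_kws callback type; not yet used for error reporting */`. Otherwise a `(void)filename; (void)linenum;` pair keeps builds quiet if `-Wunused-parameter` is enabled, which this diff does not show.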
@@ -1095,7 +1095,7 @@ end:
 * This function allocate a ckch_store and populate it with certificates using
 * the ckch_conf structure.
 */
-struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *conf, char **err)
+struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *conf, const char *file, int linenum, char **err)
 {
 struct ckch_store *ckchs;
 int cfgerr = ERR_NONE;
@@ -1120,7 +1120,7 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *
 }
 /* load files using the ckch_conf */
- cfgerr = ckch_store_load_files(conf, ckchs, 0, err);
+ cfgerr = ckch_store_load_files(conf, ckchs, 0, file, linenum, err);
 if (cfgerr & ERR_FATAL)
 goto end;
@@ -4560,7 +4560,7 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 /* crt-store does not try to find files, but use the stored filename */
-int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, char **err)
+int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, const char *file, int linenum, char **err)
 {
 int i;
 int err_code = 0;
@@ -4587,7 +4587,7 @@ int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, ch
 if (!v)
 goto next;
- rc = ckch_conf_kws[i].func(v, NULL, d, cli, err);
+ rc = ckch_conf_kws[i].func(v, NULL, d, cli, file, linenum, err);
 if (rc) {
 err_code |= ERR_ALERT | ERR_FATAL;
 memprintf(err, "%s '%s' cannot be read or parsed.", err && *err ? *err : "", v);
@@ -4600,7 +4600,7 @@ int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, ch
 case PARSE_TYPE_ONOFF:
 {
 int v = *(int *)src;
- rc = ckch_conf_kws[i].func(&v, NULL, d, cli, err);
+ rc = ckch_conf_kws[i].func(&v, NULL, d, cli, file, linenum, err);
 if (rc) {
 err_code |= ERR_ALERT | ERR_FATAL;
 memprintf(err, "%s '%d' cannot be read or parsed.", err && *err ? *err : "", v);
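Review bot: The doc comment above `ckch_store_new_load_files_conf` (its opening is before the hunk) still describes only the allocation and says nothing about the new `file` and `linenum` parameters, and the one-line comment above `ckch_store_load_files` in the `@@ -4560` hunk has the same gap. A sentence such as `* <file> and <linenum> locate the directive being parsed; they are only passed down to the ckch_conf_kws callbacks for error reporting.` on each would state the contract, including that `file` is not a certificate path despite the surrounding naming. Whether the `memprintf` messages on the `rc` checks in the `@@ -4587` and `@@ -4600` hunks should also carry the location depends on whether the caller already prefixes it, which is not visible here.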
@@ -5001,7 +5001,7 @@ static int crtstore_parse_load(char **args, int section_type, struct proxy *curp
 if (!c)
 goto alloc_error;
-err_code |= ckch_store_load_files(&f, c, 0, err);
+err_code |= ckch_store_load_files(&f, c, 0, file, linenum, err);
 if (err_code & ERR_FATAL)
 goto out;
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 1caaed7fd..5eb1ed610 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -530,7 +530,7 @@ int crtlist_load_crt(char *crt_path, struct ckch_conf *cc, struct crtlist *newli
 }
 }
-ckchs = ckch_store_new_load_files_conf(crt_path, cc, err);
+ckchs = ckch_store_new_load_files_conf(crt_path, cc, file, linenum, err);
 if (ckchs == NULL) {
 cfgerr |= ERR_ALERT | ERR_FATAL;
 goto error;
@@ -1436,7 +1436,7 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
 store->conf = cc;
 /* fresh new, run more init (for example init ocsp-update tasks) */
-cfgerr |= ckch_store_load_files(&cc, store, 1, &err);
+cfgerr |= ckch_store_load_files(&cc, store, 1, "CLI", 1, &err);
 if (cfgerr & ERR_FATAL)
 goto error;
-- 
2.39.5
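Review bot: In `cli_parse_add_crtlist` the call `ckch_store_load_files(&cc, store, 1, "CLI", 1, &err)` passes a literal file name and line number with nothing explaining that no configuration location exists on this path; if a callback later formats `%s:%d` into its error, the operator sees `CLI:1`, which reads like a real line number. A short comment, e.g. `/* no config location on the CLI path: "CLI"/1 is only a placeholder for error messages */`, or passing `0` for the line so it cannot be mistaken for a real one, would make the intent clear. The `crtstore_parse_load` and `crtlist_load_crt` hunks pass `file`/`linenum` that are presumably the enclosing functions' own parameters, declared outside the hunks.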