From: William Lallemand
Date: Wed, 5 Nov 2025 15:41:48 +0000 (+0100)
Subject: MEDIUM: ssl/ckch: use ckch_store instead of ckch_data for ckch_conf_kws
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1df55b441bc105b4c281d366f4608a1f9cb27903;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl/ckch: use ckch_store instead of ckch_data for ckch_conf_kws

This is an API change, instead of passing a ckch_data alone, the ckch_conf_kws.func() is called with a ckch_store. This allows the callback to access the whole ckch_store, with the ckch_conf and the ckch_data. But it requires the ckch_conf to be actually put in the ckch_store before.
---
diff --git a/include/haproxy/acme.h b/include/haproxy/acme.h
index 6aeae0283..a6a0ed810 100644
--- a/include/haproxy/acme.h
+++ b/include/haproxy/acme.h
@@ -4,6 +4,6 @@
 #include
-int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_store *s, int cli, const char *filename, int linenum, char **err);
 #endif
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index 2c75996ef..1c9699054 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -204,7 +204,7 @@ struct ckch_conf_kws {
 const char *name;
 ssize_t offset;
 enum parse_type_t type;
- int (*func)(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
+ int (*func)(void *value, char *buf, struct ckch_store *s, int cli, const char *filename, int linenum, char **err);
 };
 extern struct ckch_conf_kws ckch_conf_kws[];
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 843b6db00..35f1cdc53 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
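Review bot: The new `func` prototype in struct ckch_conf_kws carries a precondition the old one did not have and the header does not state: the callback now receives the whole store and dereferences it, so `s->conf` must already be filled in (and, judging by the DECLARE_CKCH_CONF_LOAD macro in this commit, `s->data` already allocated) when ckch_store_load_files() invokes it. The commit message says this, but the next keyword implementer will read the header, not the log. A comment above the member would make the contract explicit, e.g. `/* called with the whole store: s->conf must be populated and s->data set before the call (see ckch_store_load_files()) */`. The prototypes changed in acme.h and ssl_ocsp.h can refer to this one rather than repeat it.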
@@ -90,10 +90,11 @@ extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **er
 *
 */
 #define DECLARE_CKCH_CONF_LOAD(name, base, callback) \
-static inline int ckch_conf_load_##name(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err) \
+static inline int ckch_conf_load_##name(void *value, char *buf, struct ckch_store *s, int cli, const char *filename, int linenum, char **err) \
 { \
 char path[PATH_MAX]; \
 int err_code = 0; \
+ struct ckch_data *d = s->data; \
 if (cli) \
 return 0; \
 err_code |= path_base(value, (base), path, err); \
diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index 9beaef546..e97dfd86b 100644
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -56,7 +56,7 @@ void ssl_destroy_ocsp_update_task(void);
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
 int __ssl_ocsp_update_insert_unlocked(struct certificate_ocsp *ocsp);
-int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
+int ocsp_update_init(void *value, char *buf, struct ckch_store *s, int cli, const char *filename, int linenum, char **err);
 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
diff --git a/src/acme.c b/src/acme.c
index ffc8ad7ec..9a34ab5e4 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -209,7 +209,7 @@ out:
 /*
 * ckch_conf acme parser
 */
-int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err)
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_store *s, int cli, const char *filename, int linenum, char **err)
 {
 int err_code = 0;
 struct acme_cfg *cfg;
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e21f0797a..2d4dd0725 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
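Review bot: In DECLARE_CKCH_CONF_LOAD the added `struct ckch_data *d = s->data;` dereferences the store before the `if (cli) return 0;` guard, so the CLI path now reads through `s` even though it returns without using `d`; a NULL or not-yet-populated store handed in by a CLI caller would fault on that line rather than be ignored as before. Placing the declaration after the guard keeps the dereference on the only path that needs it: `if (cli) return 0; struct ckch_data *d = s->data;` (each on its own line with the macro's trailing backslash). The old API received the ckch_data directly, so the non-NULL requirement on `s` is new and unchecked here; the visible caller passes the store `c` whose allocation crtstore_parse_load checks, so a one-line comment stating that `s` is non-NULL by contract would be enough. The macro body continues outside the hunk.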
@@ -4785,7 +4785,7 @@ int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, co
 if (!v)
 goto next;
- rc = ckch_conf_kws[i].func(v, NULL, d, cli, file, linenum, err);
+ rc = ckch_conf_kws[i].func(v, NULL, c, cli, file, linenum, err);
 if (rc) {
 err_code |= ERR_ALERT | ERR_FATAL;
 memprintf(err, "%s '%s' cannot be read or parsed.", err && *err ? *err : "", v);
@@ -4798,7 +4798,7 @@ int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, co
 case PARSE_TYPE_ONOFF: {
 int v = *(int *)src;
- rc = ckch_conf_kws[i].func(&v, NULL, d, cli, file, linenum, err);
+ rc = ckch_conf_kws[i].func(&v, NULL, c, cli, file, linenum, err);
 if (rc) {
 err_code |= ERR_ALERT | ERR_FATAL;
 memprintf(err, "%s '%d' cannot be read or parsed.", err && *err ? *err : "", v);
@@ -5222,13 +5222,13 @@ static int crtstore_parse_load(char **args, int section_type, struct proxy *curp
 if (!c)
 goto alloc_error;
+ c->conf = f;
+ c->conf.used = CKCH_CONF_SET_CRTSTORE;
+
 err_code |= ckch_store_load_files(&f, c, 0, file, linenum, err);
 if (err_code & ERR_FATAL)
 goto out;
- c->conf = f;
- c->conf.used = CKCH_CONF_SET_CRTSTORE;
-
 if (ebst_insert(&ckchs_tree, &c->node) != &c->node) {
 memprintf(err,"parsing [%s:%d] : '%s' in section 'crt-store': store '%s' was already defined.",
 file, linenum, args[0], c->path);
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index aef6c9a85..fec67105d 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -2087,7 +2087,7 @@ static int ocsp_update_parse_global_http_proxy(char **args, int section_type, st
 return 0;
 }
-int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err)
+int ocsp_update_init(void *value, char *buf, struct ckch_store *s, int cli, const char *filename, int linenum, char **err)
 {
 int ocsp_update_mode = *(int *)value;
 int ret = 0;
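Review bot: In crtstore_parse_load, `c->conf = f;` is now a struct copy taken before ckch_store_load_files() runs, so during the load and on the `goto out` error path the stack copy `f` and `c->conf` both hold the same pointer members of whatever struct ckch_conf contains. Previously a failed load left `c->conf` zeroed; if the `out:` cleanup (outside the hunk) releases both `f`'s members and the store, those members are now freed twice, and a callback that writes through `s->conf` updates `c->conf` but not `f`, which this function keeps passing as `&f`. Worth confirming which copy owns the members after this change and releasing only one of them on failure; a comment at the copy such as `/* c->conf aliases f until the store is inserted; free only one of them on error */` would record the intent. In the first two hunks of this file the local `d` is no longer passed to the callbacks; if nothing else in ckch_store_load_files reads it, it is now an unused variable.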