MINOR: ssl: Add a cafile_entry type field
The CA files and CRL files are stored in the same cafile_tree so this
patch adds a new field the the cafile_entry structure that specifies the
type of the entry. Since a ca-file can also have some CRL sections, the
type will be based on the option used to load the file and not on its
content (ca-file vs crl-file options).
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index 584013c..2589a52 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -114,6 +114,13 @@
};
+/* Option through which a cafile_entry was created, either
+ * ca-file/ca-verify-file or crl-file. */
+enum cafile_type {
+ CAFILE_CERT,
+ CAFILE_CRL
+};
+
/*
* deduplicate cafile (and crlfile)
*/
@@ -121,6 +128,7 @@
X509_STORE *ca_store;
STACK_OF(X509_NAME) *ca_list;
struct list ckch_inst_link; /* list of ckch_inst which use this CA file entry */
+ enum cafile_type type;
struct ebmb_node node;
char path[0];
};
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 54c3c94..8ee3b74 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -60,10 +60,10 @@
struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry);
X509_STORE* ssl_store_get0_locations_file(char *path);
int ssl_store_add_uncommitted_cafile_entry(struct cafile_entry *entry);
-struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store);
+struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type);
void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf);
-int ssl_store_load_locations_file(char *path, int create_if_none);
+int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
#endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_CRTLIST_H */
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 9242360..d87786c 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -543,7 +543,7 @@
else
memprintf(ca_file_p, "%s", args[cur_arg + 1]);
- if (!ssl_store_load_locations_file(*ca_file_p, !from_cli)) {
+ if (!ssl_store_load_locations_file(*ca_file_p, !from_cli, CAFILE_CERT)) {
memprintf(err, "'%s' : unable to load %s", args[cur_arg], *ca_file_p);
return ERR_ALERT | ERR_FATAL;
}
@@ -689,7 +689,7 @@
else
memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
- if (!ssl_store_load_locations_file(conf->crl_file, !from_cli)) {
+ if (!ssl_store_load_locations_file(conf->crl_file, !from_cli, CAFILE_CRL)) {
memprintf(err, "'%s' : unable to load %s", args[cur_arg], conf->crl_file);
return ERR_ALERT | ERR_FATAL;
}
@@ -1336,7 +1336,7 @@
else
memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
- if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1)) {
+ if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.ca_file);
return ERR_ALERT | ERR_FATAL;
}
@@ -1432,7 +1432,7 @@
else
memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
- if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, 1)) {
+ if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, 1, CAFILE_CRL)) {
memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.crl_file);
return ERR_ALERT | ERR_FATAL;
}
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b178d85..3f89ac3 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -985,7 +985,7 @@
}
/* Create a cafile_entry object, without adding it to the cafile_tree. */
-struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store)
+struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type)
{
struct cafile_entry *ca_e;
int pathlen;
@@ -996,6 +996,7 @@
if (ca_e) {
memcpy(ca_e->path, path, pathlen + 1);
ca_e->ca_store = store;
+ ca_e->type = type;
LIST_INIT(&ca_e->ckch_inst_link);
}
return ca_e;
@@ -1077,7 +1078,7 @@
return retval;
}
-int ssl_store_load_locations_file(char *path, int create_if_none)
+int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
{
X509_STORE *store = ssl_store_get0_locations_file(path);
@@ -1088,7 +1089,7 @@
struct cafile_entry *ca_e;
store = X509_STORE_new();
if (X509_STORE_load_locations(store, path, NULL)) {
- ca_e = ssl_store_create_cafile_entry(path, store);
+ ca_e = ssl_store_create_cafile_entry(path, store, type);
if (ca_e) {
ebst_insert(&cafile_tree, &ca_e->node);
}
@@ -2242,7 +2243,7 @@
ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_cafile_entry);
/* Create a new cafile_entry without adding it to the cafile tree. */
- appctx->ctx.ssl.new_cafile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL);
+ appctx->ctx.ssl.new_cafile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL, CAFILE_CERT);
if (!appctx->ctx.ssl.new_cafile_entry) {
memprintf(&err, "%sCannot allocate memory!\n",
err ? err : "");