MINOR: ssl/cli: support crt-list filters
Generate a list of the previous filters when updating a certificate
which use filters in crt-list. Then pass this list to the function
generating the sni_ctx during the commit.
This feature allows the update of the crt-list certificates which uses
the filters with "set ssl cert".
This function could be probably replaced by creating a new
ckch_inst_new_load_store() function which take the previous sni_ctx list as
an argument instead of the char **sni_filter, avoiding the
allocation/copy during runtime for each filter. But since are still
handling the multi-cert bundles, it's better this way to avoid code
duplication.
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index feca100..bb64e49 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -111,7 +111,6 @@
struct ckch_store {
struct cert_key_and_chain *ckch;
unsigned int multi:1; /* is it a multi-cert bundle ? */
- unsigned int filters:1;/* one of the instances is using filters, TODO:remove this flag once filters are supported */
struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
struct ebmb_node node;
char path[0];
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2688117..86894cb 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3895,6 +3895,84 @@
return NULL;
}
+
+/*
+ * Free a sni filters array generated by ckch_inst_sni_ctx_to_sni_filters()
+ */
+static inline void free_sni_filters(char **sni_filter, int fcount)
+{
+ int i;
+
+ if (sni_filter) {
+ for (i = 0; i < fcount; i++) {
+ if (sni_filter[i]) {
+ free(sni_filter[i]);
+ sni_filter[i] = NULL;
+ }
+ }
+ free(sni_filter);
+ }
+}
+
+/*
+ * Fill <*sni_filter> with an allocated array of ptr to the existing filters,
+ * The caller should free <*sni_filter>.
+ * Fill <*fcount> with the number of filters
+ * Return an ERR_* code.
+ */
+static int ckch_inst_sni_ctx_to_sni_filters(const struct ckch_inst *ckchi, char ***sni_filter, int *fcount, char **err)
+{
+ struct sni_ctx *sc0;
+ int errcode = 0;
+ int i = 0;
+ char **tmp_filter;
+ int tmp_fcount = 0;
+
+ list_for_each_entry(sc0, &ckchi->sni_ctx, by_ckch_inst) {
+ tmp_fcount++;
+ }
+
+ if (!tmp_fcount)
+ goto end;
+
+ tmp_filter = malloc(sizeof(*tmp_filter) * tmp_fcount);
+ if (!tmp_filter) {
+ errcode |= ERR_FATAL|ERR_ALERT;
+ goto error;
+ }
+
+ list_for_each_entry(sc0, &ckchi->sni_ctx, by_ckch_inst) {
+ size_t len = strlen((char *)sc0->name.key);
+
+ /* we need to alloc and copy to insert a '!' or/and a '*' */
+ tmp_filter[i] = calloc(1, len + sc0->neg + sc0->wild + 1);
+ if (!tmp_filter[i]) {
+ errcode |= ERR_FATAL|ERR_ALERT;
+ goto error;
+ }
+
+ if (sc0->neg)
+ *tmp_filter[i] = '!';
+ if (sc0->wild)
+ *(tmp_filter[i] + sc0->neg) = '*';
+
+ memcpy(tmp_filter[i] + sc0->neg + sc0->wild, (char *)sc0->name.key, len + 1);
+ i++;
+ }
+end:
+ *sni_filter = tmp_filter;
+ *fcount = tmp_fcount;
+
+ return errcode;
+error:
+ memprintf(err, "%sUnable to generate filters!",
+ err && *err ? *err : "");
+ free_sni_filters(tmp_filter, tmp_fcount);
+
+ return errcode;
+}
+
+
#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
/*
@@ -3949,10 +4027,6 @@
certs_and_keys = ckchs->ckch;
- /* at least one of the instances is using filters during the config
- * parsing, that's ok to inherit this during loading on CLI */
- ckchs->filters |= !!fcount;
-
/* Process each ckch and update keytypes for each CN/SAN
* for example, if CN/SAN www.a.com is associated with
* certs with keytype 0 and 2, then at the end of the loop,
@@ -4193,10 +4267,6 @@
ckch = ckchs->ckch;
- /* at least one of the instances is using filters during the config
- * parsing, that's ok to inherit this during loading on CLI */
- ckchs->filters |= !!fcount;
-
ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
@@ -10924,6 +10994,8 @@
/* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */
list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
struct ckch_inst *new_inst;
+ char **sni_filter = NULL;
+ int fcount = 0;
/* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
if (y >= 10) {
@@ -10932,10 +11004,17 @@
goto yield;
}
+ errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
+ if (errcode & ERR_CODE)
+ goto error;
+
if (new_ckchs->multi)
- errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, NULL, 0, &new_inst, &err);
+ errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
else
- errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, NULL, 0, &new_inst, &err);
+ errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
+
+ free_sni_filters(sni_filter, fcount);
+ sni_filter = NULL;
if (errcode & ERR_CODE)
goto error;
@@ -11103,7 +11182,6 @@
return cli_dynerr(appctx, err);
}
-
/*
* Parsing function of `set ssl cert`, it updates or creates a temporary ckch.
*/
@@ -11266,14 +11344,6 @@
old_ckchs = appctx->ctx.ssl.old_ckchs;
- /* TODO: handle filters */
- if (old_ckchs->filters) {
- memprintf(&err, "%sCertificates used in crt-list with filters are not supported!\n",
- err ? err : "");
- errcode |= ERR_ALERT | ERR_FATAL;
- goto end;
- }
-
/* duplicate the ckch store */
new_ckchs = ckchs_dup(old_ckchs);
if (!new_ckchs) {