BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters
Since commit 244b070 ("MINOR: ssl/cli: support crt-list filters"),
HAProxy generates a list of filters based on the sni_ctx in memory.
However it's not always relevant, sometimes no filters were configured
and the CN/SAN in the new certificate are not the same.
This patch fixes the issue by adding a `filters` flag to the ckch_inst, so
we are able to know whether filters were configured or not. In the latter case it
uses the CN/SAN of the new certificate to generate the sni_ctx.
note: filters are still only used in the crt-list atm.
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index 716be89..b010448 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -129,6 +129,7 @@
struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
+ unsigned int filters:1; /* using sni filters ? */
unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
/* space for more flag there */
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
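Review bot: The comment on the new `filters` bit, `/* using sni filters ? */`, does not say what sets it or who relies on it, which matters because it now decides whether an update reuses the existing sni_ctx as filters or falls back to the certificate's CN/SAN. Since the two setters in this diff derive it from `!!fcount`, I would document that origin: `unsigned int filters:1; /* set when the inst was built with crt-list SNI filters (fcount != 0); updates then regenerate filters from sni_ctx instead of the cert's CN/SAN */`. The enclosing struct definition starts and ends outside the hunk.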
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index eeae7c4..ef3091e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4188,6 +4188,7 @@
ckch_inst->bind_conf = bind_conf;
ckch_inst->ssl_conf = ssl_conf;
ckch_inst->ckch_store = ckchs;
+ ckch_inst->filters = !!fcount;
end:
if (names)
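Review bot: `ckch_inst->filters = !!fcount;` records only that a filter array was passed in, not that any sni_ctx was actually produced from it, so an instance built with `fcount > 0` whose filters matched nothing is still flagged and later routed through ckch_inst_sni_ctx_to_sni_filters on an empty list; whether that helper copes with an empty list is outside this diff, so it is worth a look. The same assignment is repeated in the following hunk (`@@ -4377`), and both sit just before the function's exit, so any earlier `goto end` leaves the bit at whatever the allocation gave it, which is only safe if such instances are discarded on error (not visible here). A short why-comment would help the next reader: `ckch_inst->filters = !!fcount; /* crt-list filters in use: a later update must reuse them, not the cert's CN/SAN */`. The enclosing function starts and ends outside the hunk.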
@@ -4377,6 +4378,7 @@
ckch_inst->bind_conf = bind_conf;
ckch_inst->ssl_conf = ssl_conf;
ckch_inst->ckch_store = ckchs;
+ ckch_inst->filters = !!fcount;
*ckchi = ckch_inst;
return errcode;
@@ -11006,10 +11008,11 @@
appctx->ctx.ssl.next_ckchi = ckchi;
goto yield;
}
-
- errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
- if (errcode & ERR_CODE)
- goto error;
+ if (ckchi->filters) {
+ errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
+ if (errcode & ERR_CODE)
+ goto error;
+ }
if (new_ckchs->multi)
errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);