Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 89d3b355ad2e0786a3f04a8d63345092809ab505^! / .
commit89d3b355ad2e0786a3f04a8d63345092809ab505[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.com>Wed Sep 09 11:42:04 2020 +0200
committerWilliam Lallemand <wlallemand@haproxy.org>Wed Sep 16 16:28:26 2020 +0200
treea2647f42a12da9d77be1544068b110726564d8c5
parent3b139e540aac5e2f2801d920be1c3c757ae33a8f [diff]
MEDIUM: ssl: remove bundle support in crt-list and directories

The multi-cert certificates bundle is the former way, implemented with
openssl 1.0.2, of doing multi-certificate (RSA, ECDSA and DSA) for the
same SNI host. Remove this support temporarely so it is replaced by
the loading of each certificate in a separate SSL_CTX.

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index b813787..4639bd9 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c

@@ -458,10 +458,6 @@
 	char fp[MAXPATHLEN+1];
 	int cfgerr = 0;
 	struct ckch_store *ckchs;
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
-	int is_bundle;
-	int j;
-#endif
 
 	dir = crtlist_new(path, 1);
 	if (dir == NULL) {
@@ -501,56 +497,6 @@
 				goto ignore_entry;
 			}
 
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
-			is_bundle = 0;
-			/* Check if current entry in directory is part of a multi-cert bundle */
-
-			if ((global_ssl.extra_files & SSL_GF_BUNDLE) && end) {
-				for (j = 0; j < SSL_SOCK_NUM_KEYTYPES; j++) {
-					if (!strcmp(end + 1, SSL_SOCK_KEYTYPE_NAMES[j])) {
-						is_bundle = 1;
-						break;
-					}
-				}
-
-				if (is_bundle) {
-					int dp_len;
-
-					dp_len = end - de->d_name;
-
-					/* increment i and free de until we get to a non-bundle cert
-					 * Note here that we look at de_list[i + 1] before freeing de
-					 * this is important since ignore_entry will free de. This also
-					 * guarantees that de->d_name continues to hold the same prefix.
-					 */
-					while (i + 1 < n && !strncmp(de_list[i + 1]->d_name, de->d_name, dp_len)) {
-						free(de);
-						i++;
-						de = de_list[i];
-					}
-
-					snprintf(fp, sizeof(fp), "%s/%.*s", path, dp_len, de->d_name);
-					ckchs = ckchs_lookup(fp);
-					if (ckchs == NULL)
-						ckchs = ckchs_load_cert_file(fp, 1,  err);
-					if (ckchs == NULL) {
-						free(de);
-						free(entry);
-						cfgerr |= ERR_ALERT | ERR_FATAL;
-						goto end;
-					}
-					entry->node.key = ckchs;
-					entry->crtlist = dir;
-					LIST_ADDQ(&ckchs->crtlist_entry, &entry->by_ckch_store);
-					LIST_ADDQ(&dir->ord_entries, &entry->by_crtlist);
-					ebpt_insert(&dir->entries, &entry->node);
-
-					/* Successfully processed the bundle */
-					goto ignore_entry;
-				}
-			}
-
-#endif
 			ckchs = ckchs_lookup(fp);
 			if (ckchs == NULL)
 				ckchs = ckchs_load_cert_file(fp, 0,  err);
@@ -1109,10 +1055,6 @@
 		memprintf(&err, "certificate '%s' does not exist!", cert_path);
 		goto error;
 	}
-	if (store->multi) {
-		memprintf(&err, "certificate '%s' is a bundle. You can disable the bundle merging with the directive 'ssl-load-extra-files' in the global section.", cert_path);
-		goto error;
-	}
 	if (store->ckch == NULL || store->ckch->cert == NULL) {
 		memprintf(&err, "certificate '%s' is empty!", cert_path);
 		goto error;
@@ -1207,10 +1149,6 @@
 		memprintf(&err, "certificate '%s' does not exist!", cert_path);
 		goto error;
 	}
-	if (store->multi) {
-		memprintf(&err, "certificate '%s' is a bundle. You can disable the bundle merging with the directive 'ssl-load-extra-files' in the global section.", cert_path);
-		goto error;
-	}
 	if (store->ckch == NULL || store->ckch->cert == NULL) {
 		memprintf(&err, "certificate '%s' is empty!", cert_path);
 		goto error;