Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 8ef0c2a5699c5c7fe559fb357594cb23fcd160bf^! / .
commit8ef0c2a5699c5c7fe559fb357594cb23fcd160bf[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.com>Thu Nov 21 16:30:34 2019 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Thu Nov 21 17:48:11 2019 +0100
treeae15809d10933a943e3c7083034546b5f4ad2729
parent8b453912ce9a4e1a3b1329efb2af04d1e470852e [diff]
MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit

Apply the configuration of the ssl_bind_conf on the generated SSL_CTX.
It's a little bit hacky at the moment because the ssl_sock_prepare_ctx()
function was made for the configuration parsing, not for being using at
runtime. Only the 'verify' bind keyword seems to cause a file access so
we prevent it before calling the function.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9c0962c..27b9e09 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -10061,6 +10061,7 @@
 	struct ckch_store *old_ckchs, *new_ckchs = NULL;
 	struct ckch_inst *ckchi, *ckchis;
 	struct buffer *trash = alloc_trash_chunk();
+	struct sni_ctx *sc0, *sc0s;
 
 	if (trash == NULL)
 		goto error;
@@ -10103,6 +10104,7 @@
 				/* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */
 				list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
 					struct ckch_inst *new_inst;
+					int verify = 0;
 
 					/* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
 					if (y >= 10) {
@@ -10111,6 +10113,15 @@
 						goto yield;
 					}
 
+					/* prevent ssl_sock_prepare_ctx() to do file access which is only for verify (crl/ca file) */
+					verify = (ckchi->ssl_conf && ckchi->ssl_conf->verify) ? ckchi->ssl_conf->verify : ckchi->bind_conf->ssl_conf.verify;
+					if (verify & SSL_VERIFY_PEER) {
+						memprintf(&err, "%sCan't commit a certificate which use the 'verify' bind SSL option [%s:%d]\n", err ? err : "", ckchi->bind_conf->file, ckchi->bind_conf->line);
+						errcode |= ERR_FATAL | ERR_ABORT;
+						goto error;
+					}
+
+
 					if (new_ckchs->multi)
 						errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, NULL, 0, &new_inst, &err);
 					else
@@ -10123,6 +10134,17 @@
 					if (ckchi->is_default)
 						new_inst->is_default = 1;
 
+					/* we need to initialize the SSL_CTX generated */
+					/* TODO: the prepare_ctx function need to be reworked to be safer there */
+					list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {
+						if (!sc0->order) { /* we initiliazed only the first SSL_CTX because it's the same in the other sni_ctx's */
+							errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err);
+							if (errcode & ERR_CODE)
+								goto error;
+						}
+					}
+
+
 					/* display one dot per new instance */
 					chunk_appendf(trash, ".");
 					/* link the new ckch_inst to the duplicate */
@@ -10149,7 +10171,6 @@
 
 				/* delete the old sni_ctx, the old ckch_insts and the ckch_store */
 				list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) {
-					struct sni_ctx *sc0, *sc0s;
 
 					HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
 					list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {