Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / b90d2cbc4248a760493e3ce8a68ace5cdca8d97e^! / . / src / ssl_sock.c
commitb90d2cbc4248a760493e3ce8a68ace5cdca8d97e[log] [tgz]
authorEmmanuel Hocdet <manu@gandi.net>Tue Feb 18 15:27:32 2020 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Wed Feb 26 13:06:04 2020 +0100
tree4f18e70b1785a07802bfa6478ba76fbd0879e367
parent75a7aa13da80959970c5b558c0c6beb473dbddd5 [diff] [blame]
MINOR: ssl: resolve issuers chain later

The goal is to use the ckch to store data from a loaded PEM file or a
<payload> and only for that. This patch addresses the ckch->chain case.
Looking for the issuers chain, if no chain is present in the ckch, can
be done in ssl_sock_put_ckch_into_ctx(). This way it is possible to know
the origin of the certificate chain without an extra state.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2f2dc98..00793b7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3356,17 +3356,6 @@
 			goto end;
 		}
 	}
-	/* Find Certificate Chain in global */
-	if (chain == NULL) {
-		struct issuer_chain *issuer;
-		issuer = ssl_get_issuer_chain(cert);
-		if (issuer)
-			chain = X509_chain_up_ref(issuer->chain);
-	}
-	/* no chain */
-	if (chain == NULL) {
-		chain = sk_X509_new_null();
-	}
 
 	ret = ERR_get_error();
 	if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
@@ -3619,6 +3608,7 @@
 static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
 {
 	int errcode = 0;
+	STACK_OF(X509) *find_chain = NULL;
 
 	if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
 		memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
@@ -3634,9 +3624,18 @@
 		goto end;
 	}
 
+	if (ckch->chain) {
+		find_chain = ckch->chain;
+	} else {
+		/* Find Certificate Chain in global */
+		struct issuer_chain *issuer;
+		issuer = ssl_get_issuer_chain(ckch->cert);
+		if (issuer)
+			find_chain = issuer->chain;
+	}
 	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
 #ifdef SSL_CTX_set1_chain
-        if (!SSL_CTX_set1_chain(ctx, ckch->chain)) {
+        if (!SSL_CTX_set1_chain(ctx, find_chain)) {
 		memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
 			  err && *err ? *err : "", path);
 		errcode |= ERR_ALERT | ERR_FATAL;
@@ -3646,7 +3645,7 @@
 	{ /* legacy compat (< openssl 1.0.2) */
 		X509 *ca;
 		STACK_OF(X509) *chain;
-		chain = X509_chain_up_ref(ckch->chain);
+		chain = X509_chain_up_ref(find_chain);
 		while ((ca = sk_X509_shift(chain)))
 			if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
 				memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",