MINOR: ssl: Add 'ssl-provider-path' global option
When loading providers with 'ssl-provider' global options, this
ssl-provider-path option can be used to set the search path that is to
be used by openssl. It behaves the same way as the OPENSSL_MODULES
environment variable.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8198181..7293a3c 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1052,6 +1052,7 @@
- ssl-dh-param-file
- ssl-propquery
- ssl-provider
+ - ssl-provider-path
- ssl-server-verify
- ssl-skip-self-issued-ca
- unix-bind
@@ -2090,7 +2091,16 @@
"openssl version -a" command. If the provider is in another directory, you
can set the OPENSSL_MODULES environment variable, which takes the directory
where your provider can be found.
- See also "ssl-propquery".
+ See also "ssl-propquery" and "ssl-provider-path".
+
+ssl-provider-path <path>
+ This setting is only available when support for OpenSSL was built in and when
+ OpenSSL's version is at least 3.0. It allows to specify the search path that
+ is to be used by OpenSSL for looking for providers. It behaves the same way
+ as the OPENSSL_MODULES environment variable. It will be used for any
+ following 'ssl-provider' option or until a new 'ssl-provider-path' is
+ defined.
+ See also "ssl-provider".
ssl-load-extra-del-ext
This setting allows to configure the way HAProxy does the lookup for the
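Review bot: the new "ssl-provider-path" paragraph does not say what happens when OPENSSL_MODULES is also set. Because the keyword is implemented by calling OSSL_PROVIDER_set_default_search_path() on the default library context (the NULL first argument in the cfgparse-ssl.c hunk), a configured path replaces the environment variable's value rather than being searched in addition to it; the text should state that the configured path wins, and that it must precede the 'ssl-provider' lines it is meant to apply to, e.g.
    ssl-provider-path /usr/local/lib/ossl-modules
    ssl-provider myprovider
(directory and provider name above are placeholders, not project values). Minor wording: "It allows to specify the search path" reads better as "It specifies the search path", matching the "ssl-provider" entry's style.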
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 326cc21..6530775 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -220,6 +220,23 @@
return ret;
}
+
+/* parse the "ssl-provider-path" keyword in global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_ssl_provider_path(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ if (*(args[1]) == 0) {
+ memprintf(err, "global statement '%s' expects a directory path as an argument.", args[0]);
+ return -1;
+ }
+
+ OSSL_PROVIDER_set_default_search_path(NULL, args[1]);
+
+ return 0;
+}
#endif
/* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords
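Review bot: the return value of OSSL_PROVIDER_set_default_search_path() on the `OSSL_PROVIDER_set_default_search_path(NULL, args[1]);` line is discarded. The function returns 1 on success and 0 on failure (it duplicates the path string, so it can fail on allocation), and a silent failure would leave subsequent 'ssl-provider' lines searching the previous path with no diagnostic. Suggest something like
    if (!OSSL_PROVIDER_set_default_search_path(NULL, args[1])) {
        memprintf(err, "global statement '%s': failed to set provider search path '%s'.", args[0], args[1]);
        return -1;
    }
which also matches the "<0 on alert" contract stated in the function comment. The parser also accepts and silently ignores any extra arguments after args[1]; rejecting them as the other global keywords do would catch unquoted paths containing spaces.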
@@ -1981,6 +1998,7 @@
#ifdef HAVE_SSL_PROVIDERS
{ CFG_GLOBAL, "ssl-propquery", ssl_parse_global_ssl_propquery },
{ CFG_GLOBAL, "ssl-provider", ssl_parse_global_ssl_provider },
+ { CFG_GLOBAL, "ssl-provider-path", ssl_parse_global_ssl_provider_path },
#endif
{ CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
{ CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },