Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / db26e2b00e6c4efa9870f984a094f4f78c5a09b8^! / . / src / ssl_sock.c
commitdb26e2b00e6c4efa9870f984a094f4f78c5a09b8[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.org>Tue Jan 26 12:01:46 2021 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Tue Jan 26 15:19:36 2021 +0100
treeb741f8ec9718e3a4912b891c36f4dc4c2961ad8d
parent795bd9ba3a95e3a1f491b5304b1641855215f1e9 [diff] [blame]
CLEANUP: ssl: make load_srv_{ckchs,cert} match their bind counterpart

This patch makes things more consistent between the bind_conf functions
and the server ones:

- ssl_sock_load_srv_ckchs() loads the SSL_CTX in the server
  (ssl_sock_load_ckchs() load the SNIs in the bind_conf)

- add the server parameter to ssl_sock_load_srv_ckchs()

- changes made to the ckch_inst are done in
  ckch_inst_new_load_srv_store()

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0776742..ee52aa0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3493,6 +3493,7 @@
 	ckch_inst->ssl_conf = NULL;
 	ckch_inst->ckch_store = ckchs;
 	ckch_inst->ctx = ctx;
+	ckch_inst->is_server_instance = 1;
 
 	*ckchi = ckch_inst;
 	return errcode;
@@ -3528,8 +3529,12 @@
 	return errcode;
 }
 
+/* This function generates a <struct ckch_inst *> for a <struct server *>, and
+ * fill the SSL_CTX of the server.
+ *
+ * Returns a set of ERR_* flags possibly with an error in <err>. */
 static int ssl_sock_load_srv_ckchs(const char *path, struct ckch_store *ckchs,
-				   struct ckch_inst **ckch_inst, char **err)
+				   struct server *server, struct ckch_inst **ckch_inst, char **err)
 {
 	int errcode = 0;
 
@@ -3539,6 +3544,10 @@
 	if (errcode & ERR_CODE)
 		return errcode;
 
+	(*ckch_inst)->server = server;
+	/* Keep the reference to the SSL_CTX in the server. */
+	SSL_CTX_up_ref((*ckch_inst)->ctx);
+	server->ssl_ctx.ctx = (*ckch_inst)->ctx;
 	/* succeed, add the instance to the ckch_store's list of instance */
 	LIST_ADDQ(&ckchs->ckch_inst, &((*ckch_inst)->by_ckchs));
 	return errcode;
@@ -3743,7 +3752,7 @@
 
 	if ((ckchs = ckchs_lookup(path))) {
 		/* we found the ckchs in the tree, we can use it directly */
-		 cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, &server->ssl_ctx.inst, err);
+		 cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
 		 found++;
 	} else if (stat(path, &buf) == 0) {
 		/* We do not manage directories on backend side. */
@@ -3752,16 +3761,7 @@
 			ckchs =  ckchs_load_cert_file(path, err);
 			if (!ckchs)
 				cfgerr |= ERR_ALERT | ERR_FATAL;
-			cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, &server->ssl_ctx.inst, err);
-			if (server->ssl_ctx.inst) {
-				server->ssl_ctx.inst->is_server_instance = 1;
-				server->ssl_ctx.inst->server = server;
-				/* Keep a reference to the SSL_CTX in the
-				 * ckch_inst in order to ease certificate update
-				 * (via CLI). */
-				SSL_CTX_up_ref(server->ssl_ctx.ctx);
-				server->ssl_ctx.inst->ctx = server->ssl_ctx.ctx;
-			}
+			cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
 		}
 	}
 	if (!found) {