MINOR: ssl: Call callback function after loading SSL CRL data

Due to the possibility of calling a control process after adding CRLs, the ssl_commit_crlfile_cb variable was added. It is actually a pointer to the callback function, which is called if defined after initial loading of CRL data from disk and after committing CRL data via CLI command 'commit ssl crl-file ..'. If the callback function returns an error, then the CLI commit operation is terminated. Also, one case was added to the CLI context used by "commit cafile" and "commit crlfile": CACRL_ST_CRLCB in which the callback function is called. Signed-off-by: William Lallemand <wlallemand@haproxy.com>
2025-01-14 01:30:54 +00:00 · 2024-02-23 03:24:29 +01:00 · 2024-02-23 03:24:29 +01:00 · 3f771f5118
commit 3f771f5118
parent ba9f905da9
2 changed files with 31 additions and 0 deletions
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@ -70,6 +70,7 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);

 extern struct cert_exts cert_exts[];
+extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);

 #endif /* USE_OPENSSL */
 #endif /* _HAPROXY_SSL_CRTLIST_H */
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -111,6 +111,7 @@ struct commit_cacrlfile_ctx {
 	enum {
 		CACRL_ST_INIT = 0,
 		CACRL_ST_GEN,
+		CACRL_ST_CRLCB,
 		CACRL_ST_INSERT,
 		CACRL_ST_SUCCESS,
 		CACRL_ST_FIN,
@ -119,6 +120,18 @@ struct commit_cacrlfile_ctx {
 };


+/*
+ * Callback function, which is called if defined after loading CRLs from disk
+ * when starting HAProxy (function __ssl_store_load_locations_file()), and after
+ * committing new CRLs via CLI (function cli_io_handler_commit_cafile_crlfile()).
+ *
+ * The input parameters of the function are the path for the CRL data and
+ * a structure containing information about X.509 certificates and CRLs.
+ * In case of error, returns -1 with an error message in err; or the number
+ * of revoked certificates (>= 0) otherwise.
+ */
+int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err) = NULL;
+
 /********************  cert_key_and_chain functions *************************
 * These are the functions that fills a cert_key_and_chain structure. For the
 * functions filling a SSL_CTX from a cert_key_and_chain, see ssl_sock.c
@ -1402,6 +1415,14 @@ scandir_err:
 			goto err;
 		}

+		if (ssl_commit_crlfile_cb != NULL) {
+			if (ssl_commit_crlfile_cb(path, store, NULL) == -1) {
+				if (!shuterror)
+					ha_alert("crl-file: couldn't load '%s'\n", path);
+				goto err;
+			}
+		}
+
 		objs = X509_STORE_get0_objects(store);
 		cert_count = sk_X509_OBJECT_num(objs);
 		if (cert_count == 0) {
@ -2907,6 +2928,15 @@ static int cli_io_handler_commit_cafile_crlfile(struct appctx *appctx)
 					y++;
 				}

+				ctx->state = CACRL_ST_CRLCB;
+				__fallthrough;
+			case CACRL_ST_CRLCB:
+				if ((ctx->cafile_type == CAFILE_CRL) && (ssl_commit_crlfile_cb != NULL)) {
+					if (ssl_commit_crlfile_cb(crlfile_transaction.path, crlfile_transaction.new_crlfile_entry->ca_store, &ctx->err) == -1) {
+						ctx->state = CACRL_ST_ERROR;
+						goto error;
+					}
+				}
 				ctx->state = CACRL_ST_INSERT;
 				__fallthrough;
 			case CACRL_ST_INSERT: