BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters

Since commit 244b070 ("MINOR: ssl/cli: support crt-list filters"),
HAProxy generates a list of filters based on the sni_ctx in memory.
However it's not always relevant, sometimes no filters were configured
and the CN/SAN in the new certificate are not the same.

This patch fixes the issue by using a flag filters in the ckch_inst, so
we are able to know if there were filters or not. In the late case it
uses the CN/SAN of the new certificate to generate the sni_ctx.

note: filters are still only used in the crt-list atm.
This commit is contained in:
William Lallemand 2020-03-09 16:56:39 +01:00 committed by William Lallemand
parent 0a52846603
commit 6763016866
2 changed files with 8 additions and 4 deletions

View File

@ -129,6 +129,7 @@ struct ckch_inst {
struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */ struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */ struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */ struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
unsigned int filters:1; /* using sni filters ? */
unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */ unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
/* space for more flag there */ /* space for more flag there */
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */ struct list sni_ctx; /* list of sni_ctx using this ckch_inst */

View File

@ -4188,6 +4188,7 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c
ckch_inst->bind_conf = bind_conf; ckch_inst->bind_conf = bind_conf;
ckch_inst->ssl_conf = ssl_conf; ckch_inst->ssl_conf = ssl_conf;
ckch_inst->ckch_store = ckchs; ckch_inst->ckch_store = ckchs;
ckch_inst->filters = !!fcount;
end: end:
if (names) if (names)
@ -4377,6 +4378,7 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs,
ckch_inst->bind_conf = bind_conf; ckch_inst->bind_conf = bind_conf;
ckch_inst->ssl_conf = ssl_conf; ckch_inst->ssl_conf = ssl_conf;
ckch_inst->ckch_store = ckchs; ckch_inst->ckch_store = ckchs;
ckch_inst->filters = !!fcount;
*ckchi = ckch_inst; *ckchi = ckch_inst;
return errcode; return errcode;
@ -11006,10 +11008,11 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
appctx->ctx.ssl.next_ckchi = ckchi; appctx->ctx.ssl.next_ckchi = ckchi;
goto yield; goto yield;
} }
if (ckchi->filters) {
errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err); errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
if (errcode & ERR_CODE) if (errcode & ERR_CODE)
goto error; goto error;
}
if (new_ckchs->multi) if (new_ckchs->multi)
errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err); errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);