From e6657fd1085ef5c5430524a45c1cd4fff95fce5d Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Tue, 21 May 2024 16:50:59 +0200
Subject: [PATCH] MEDIUM: ssl: don't load file by discovering them in crt-store

In commit 55e9e9591 ("MEDIUM: ssl: temporarily load files by detecting
their presence in crt-store"), ssl_sock_load_pem_into_ckch() was
replaced by ssl_sock_load_files_into_ckch() in the crt-store loading.

But the side effect was that we always try to autodetect, and this is
not what we want. This patch reverse this, and add specific code in the
crt-list loading, so we could autodetect in crt-list like it was done
before, but still try to load files when a crt-store filename keyword is
specified.

Example:

These crt-list lines won't autodetect files:

    foobar.crt [key foobar.key issuer foobar.issuer ocsp-update on] *.foo.bar
    foobar.crt [key foobar.key] *.foo.bar

These crt-list lines will autodect files:

    foobar.pem [ocsp-update on] *.foo.bar
    foobar.pem
---
 include/haproxy/ssl_ckch.h  |  2 +-
 reg-tests/ssl/crt_store.vtc |  2 +-
 src/ssl_ckch.c              | 16 ++++++++++++++++
 src/ssl_crtlist.c           | 10 +++-------
 4 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 37f926582..e6356637f 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -82,7 +82,7 @@ extern struct cert_exts cert_exts[];
 extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
 
 /* ckch_conf keyword loading */
-static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_files_into_ckch(value, d, err); }
+static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
 static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }
diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc
index 3b61712d8..685183ed9 100644
--- a/reg-tests/ssl/crt_store.vtc
+++ b/reg-tests/ssl/crt_store.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=broken
+#REGTEST_TYPE=devel
 varnishtest "Test the crt-store section"
 feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 9961e025b..b178078d8 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1024,6 +1024,7 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *
 {
 	struct ckch_store *ckchs;
 	int cfgerr = ERR_NONE;
+	char *tmpcrt = conf->crt;
 
 	ckchs = ckch_store_new(name);
 	if (!ckchs) {
@@ -1031,10 +1032,25 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *
 		goto end;
 	}
 
+	/* this is done for retro-compatibility. When no "filename" crt-store
+	 * options were configured in a crt-list, try to load the files by
+	 * auto-detecting them. */
+	if ((conf->used == CKCH_CONF_SET_EMPTY || conf->used == CKCH_CONF_SET_CRTLIST) &&
+		(!conf->key && !conf->ocsp && !conf->issuer && !conf->sctl)) {
+		cfgerr = ssl_sock_load_files_into_ckch(conf->crt, ckchs->data, err);
+		if (cfgerr & ERR_FATAL)
+			goto end;
+		/* set conf->crt to NULL so it's not erased */
+		conf->crt = NULL;
+	}
+
+	/* load files using the ckch_conf */
 	cfgerr = ckch_store_load_files(conf, ckchs, 0, err);
 	if (cfgerr & ERR_FATAL)
 		goto end;
 
+	conf->crt = tmpcrt;
+
 	/* insert into the ckchs tree */
 	memcpy(ckchs->path, name, strlen(name) + 1);
 	ebst_insert(&ckchs_tree, &ckchs->node);
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index d1c7ef992..71fa0a0b1 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -606,13 +606,9 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 		if (ckchs == NULL) {
 			if (stat(crt_path, &buf) == 0) {
 				found++;
-				if (cc.used) {
-					free(cc.crt);
-					cc.crt = strdup(crt_path);
-					ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err);
-				} else {
-					ckchs = ckch_store_new_load_files_path(crt_path, err);
-				}
+				free(cc.crt);
+				cc.crt = strdup(crt_path);
+				ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err);
 				if (ckchs == NULL) {
 					cfgerr |= ERR_ALERT | ERR_FATAL;
 					goto error;