MEDIUM: ssl: don't load file by discovering them in crt-store

In commit 55e9e9591 ("MEDIUM: ssl: temporarily load files by detecting
their presence in crt-store"), ssl_sock_load_pem_into_ckch() was
replaced by ssl_sock_load_files_into_ckch() in the crt-store loading.

But the side effect was that we always try to autodetect, and this is
not what we want. This patch reverse this, and add specific code in the
crt-list loading, so we could autodetect in crt-list like it was done
before, but still try to load files when a crt-store filename keyword is
specified.

Example:

These crt-list lines won't autodetect files:

    foobar.crt [key foobar.key issuer foobar.issuer ocsp-update on] *.foo.bar
    foobar.crt [key foobar.key] *.foo.bar

These crt-list lines will autodect files:

    foobar.pem [ocsp-update on] *.foo.bar
    foobar.pem

include/haproxy/ssl_ckch.h

@@ -82,7 +82,7 @@ extern struct cert_exts cert_exts[];
 extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
 
 /* ckch_conf keyword loading */
-static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_files_into_ckch(value, d, err); }
+static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
 static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }

reg-tests/ssl/crt_store.vtc

@@ -1,4 +1,4 @@
-#REGTEST_TYPE=broken
+#REGTEST_TYPE=devel
 varnishtest "Test the crt-store section"
 feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"

src/ssl_ckch.c

@@ -1024,6 +1024,7 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *
 {
 	struct ckch_store *ckchs;
 	int cfgerr = ERR_NONE;
+	char *tmpcrt = conf->crt;
 
 	ckchs = ckch_store_new(name);
 	if (!ckchs) {
@@ -1031,10 +1032,25 @@ struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *
 		goto end;
 	}
 
+	/* this is done for retro-compatibility. When no "filename" crt-store
+	 * options were configured in a crt-list, try to load the files by
+	 * auto-detecting them. */
+	if ((conf->used == CKCH_CONF_SET_EMPTY || conf->used == CKCH_CONF_SET_CRTLIST) &&
+		(!conf->key && !conf->ocsp && !conf->issuer && !conf->sctl)) {
+		cfgerr = ssl_sock_load_files_into_ckch(conf->crt, ckchs->data, err);
+		if (cfgerr & ERR_FATAL)
+			goto end;
+		/* set conf->crt to NULL so it's not erased */
+		conf->crt = NULL;
+	}
+
+	/* load files using the ckch_conf */
 	cfgerr = ckch_store_load_files(conf, ckchs, 0, err);
 	if (cfgerr & ERR_FATAL)
 		goto end;
 
+	conf->crt = tmpcrt;
+
 	/* insert into the ckchs tree */
 	memcpy(ckchs->path, name, strlen(name) + 1);
 	ebst_insert(&ckchs_tree, &ckchs->node);

src/ssl_crtlist.c

@@ -606,13 +606,9 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 		if (ckchs == NULL) {
 			if (stat(crt_path, &buf) == 0) {
 				found++;
-				if (cc.used) {
+				free(cc.crt);
-					free(cc.crt);
+				cc.crt = strdup(crt_path);
-					cc.crt = strdup(crt_path);
+				ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err);
-					ckchs = ckch_store_new_load_files_conf(crt_path, &cc, err);
-				} else {
-					ckchs = ckch_store_new_load_files_path(crt_path, err);
-				}
 				if (ckchs == NULL) {
 					cfgerr |= ERR_ALERT | ERR_FATAL;
 					goto error;