BUG/MINOR: ssl: load correctly @system-ca when ca-base is define

The configuration parser still adds the 'ca-base' directory when loading the @system-ca, preventing it to be loaded correctly. This patch fixes the problem by not adding the ca-base when a file starts by '@'. Fix issue haproxy#2313. Must be backported as far as 2.6.
FireBurn · Oct 23, 2023 · b12613f · b12613f
1 parent 1428e7b
commit b12613f
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
@@ -674,7 +674,7 @@ static int ssl_bind_parse_ca_file_common(char **args, int cur_arg, char **ca_fil
 		return ERR_ALERT | ERR_FATAL;
 	}
 
-	if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
+	if ((*args[cur_arg + 1] != '/') && (*args[cur_arg + 1] != '@') && global_ssl.ca_base)
 		memprintf(ca_file_p, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
 	else
 		memprintf(ca_file_p, "%s", args[cur_arg + 1]);
@@ -714,7 +714,7 @@ static int bind_parse_ca_sign_file(char **args, int cur_arg, struct proxy *px, s
 		return ERR_ALERT | ERR_FATAL;
 	}
 
-	if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
+	if ((*args[cur_arg + 1] != '/') && (*args[cur_arg + 1] != '@') && global_ssl.ca_base)
 		memprintf(&conf->ca_sign_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
 	else
 		memprintf(&conf->ca_sign_file, "%s", args[cur_arg + 1]);
@@ -824,7 +824,7 @@ static int ssl_bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, s
 		return ERR_ALERT | ERR_FATAL;
 	}
 
-	if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
+	if ((*args[cur_arg + 1] != '/') && (*args[cur_arg + 1] != '@') && global_ssl.ca_base)
 		memprintf(&conf->crl_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
 	else
 		memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
@@ -1610,7 +1610,7 @@ static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct
 		return ERR_ALERT | ERR_FATAL;
 	}
 
-	if ((*args[*cur_arg + 1] != '/') && global_ssl.ca_base)
+	if ((*args[*cur_arg + 1] != '/') && (*args[*cur_arg + 1] != '@') && global_ssl.ca_base)
 		memprintf(&newsrv->ssl_ctx.ca_file, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
 	else
 		memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
@@ -1782,7 +1782,7 @@ static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struc
 		return ERR_ALERT | ERR_FATAL;
 	}
 
-	if ((*args[*cur_arg + 1] != '/') && global_ssl.ca_base)
+	if ((*args[*cur_arg + 1] != '/') && (*args[*cur_arg + 1] != '@') && global_ssl.ca_base)
 		memprintf(&newsrv->ssl_ctx.crl_file, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
 	else
 		memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);