CLEANUP: ssl: Move ssl_store related code to ssl_ckch.c

This patch moves all the ssl_store related code to ssl_ckch.c since it will mostly be used there once the CA file update CLI commands are all implemented. It also makes the cafile_entry structure visible as well as the cafile_tree.
2025-09-21 22:01:31 +02:00 · 2021-04-13 10:10:37 +02:00 · 2021-04-13 10:10:37 +02:00 · af8820a9a5
commit af8820a9a5
parent 1f97306ecc
6 changed files with 62 additions and 52 deletions
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@ -95,5 +95,16 @@ struct ckch_inst {
 	struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
 };
 /*
 * deduplicate cafile (and crlfile)
 */
 struct cafile_entry {
 	X509_STORE *ca_store;
 	STACK_OF(X509_NAME) *ca_list;
 	struct ebmb_node node;
 	char path[0];
 };
 #endif /* USE_OPENSSL */
 #endif /* _HAPROXY_SSL_CKCH_T_H */
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@ -54,5 +54,9 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
 void ckch_deinit();
 /* ssl_store functions */
 X509_STORE* ssl_store_get0_locations_file(char *path);
 int ssl_store_load_locations_file(char *path, int create_if_none);
 #endif /* USE_OPENSSL */
 #endif /* _HAPROXY_SSL_CRTLIST_H */
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@ -36,6 +36,7 @@ extern int sslconns;
 extern int totalsslconns;
 extern struct eb_root ckchs_tree;
 extern struct eb_root crtlists_tree;
 extern struct eb_root cafile_tree;
 extern int sctl_ex_index;
 extern struct global_ssl global_ssl;
 extern struct ssl_bind_kw ssl_bind_kws[];
@ -120,7 +121,6 @@ int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
 void ssl_free_global_issuers(void);
 int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
 int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
 int ssl_store_load_locations_file(char *path, int create_if_none);
 /* ssl shctx macro */
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@ -38,6 +38,7 @@
 #include <haproxy/openssl-compat.h>
 #include <haproxy/ssl_sock.h>
 #include <haproxy/tools.h>
 #include <haproxy/ssl_ckch.h>
 /****************** Global Section Parsing ********************************************/
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -921,6 +921,51 @@ struct ckch_inst *ckch_inst_new()
 	return ckch_inst;
 }
 /********************  ssl_store functions ******************************/
 struct eb_root cafile_tree = EB_ROOT_UNIQUE;
 X509_STORE* ssl_store_get0_locations_file(char *path)
 {
 	struct ebmb_node *eb;
 	eb = ebst_lookup(&cafile_tree, path);
 	if (eb) {
 		struct cafile_entry *ca_e;
 		ca_e = ebmb_entry(eb, struct cafile_entry, node);
 		return ca_e->ca_store;
 	}
 	return NULL;
 }
 int ssl_store_load_locations_file(char *path, int create_if_none)
 {
 	X509_STORE *store = ssl_store_get0_locations_file(path);
 	/* If this function is called by the CLI, we should not call the
 	 * X509_STORE_load_locations function because it performs forbidden disk
 	 * accesses. */
 	if (!store && create_if_none) {
 		struct cafile_entry *ca_e;
 		store = X509_STORE_new();
 		if (X509_STORE_load_locations(store, path, NULL)) {
 			int pathlen;
 			pathlen = strlen(path);
 			ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
 			if (ca_e) {
 				memcpy(ca_e->path, path, pathlen + 1);
 				ca_e->ca_store = store;
 				ebst_insert(&cafile_tree, &ca_e->node);
 			}
 		} else {
 			X509_STORE_free(store);
 			store = NULL;
 		}
 	}
 	return (store != NULL);
 }
 /*************************** CLI commands ***********************/
 /* Type of SSL payloads that can be updated over the CLI */
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -315,57 +315,6 @@ static int ssl_locking_init(void)
 __decl_thread(HA_SPINLOCK_T ckch_lock);
 /*
 * deduplicate cafile (and crlfile)
 */
 struct cafile_entry {
 	X509_STORE *ca_store;
 	STACK_OF(X509_NAME) *ca_list;
 	struct ebmb_node node;
 	char path[0];
 };
 static struct eb_root cafile_tree = EB_ROOT_UNIQUE;
 static X509_STORE* ssl_store_get0_locations_file(char *path)
 {
 	struct ebmb_node *eb;
 	eb = ebst_lookup(&cafile_tree, path);
 	if (eb) {
 		struct cafile_entry *ca_e;
 		ca_e = ebmb_entry(eb, struct cafile_entry, node);
 		return ca_e->ca_store;
 	}
 	return NULL;
 }
 int ssl_store_load_locations_file(char *path, int create_if_none)
 {
 	X509_STORE *store = ssl_store_get0_locations_file(path);
 	/* If this function is called by the CLI, we should not call the
 	 * X509_STORE_load_locations function because it performs forbidden disk
 	 * accesses. */
 	if (!store && create_if_none) {
 		struct cafile_entry *ca_e;
 		store = X509_STORE_new();
 		if (X509_STORE_load_locations(store, path, NULL)) {
 			int pathlen;
 			pathlen = strlen(path);
 			ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
 			if (ca_e) {
 				memcpy(ca_e->path, path, pathlen + 1);
 				ca_e->ca_store = store;
 				ebst_insert(&cafile_tree, &ca_e->node);
 			}
 		} else {
 			X509_STORE_free(store);
 			store = NULL;
 		}
 	}
 	return (store != NULL);
 }
 /* mimic what X509_STORE_load_locations do with store_ctx */
 static int ssl_set_cert_crl_file(X509_STORE *store_ctx, char *path)