diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h index 0751f70a0..1fa3973a8 100644 --- a/include/proto/ssl_sock.h +++ b/include/proto/ssl_sock.h @@ -34,6 +34,8 @@ extern int sslconns; extern int totalsslconns; +extern struct global_ssl global_ssl; +extern struct ssl_bind_kw ssl_bind_kws[]; /* boolean, returns true if connection is over SSL */ static inline diff --git a/include/types/ssl_ckch.h b/include/types/ssl_ckch.h new file mode 100644 index 000000000..3a49b40f1 --- /dev/null +++ b/include/types/ssl_ckch.h @@ -0,0 +1,92 @@ +/* + * include/types/ssl_ckch.h + * ckch structures + * + * Copyright (C) 2020 HAProxy Technologies, William Lallemand + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation, version 2.1 + * exclusively. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + + +/* The ckch (cert key and chain) structures are a group of structures used to + * cache and manipulate the certificates files loaded from the configuration + * file and the CLI Every certificate change made in a SSL_CTX should be done + * in these structures before being applied to a SSL_CTX. + * + * The complete architecture is described in doc/internals/ssl_cert.dia + */ + + +#ifndef _TYPES_SSL_CKCH_H +#define _TYPES_SSL_CKCH_H +#ifdef USE_OPENSSL + +#include +#include + +/* This is used to preload the certificate, private key + * and Cert Chain of a file passed in via the crt + * argument + * + * This way, we do not have to read the file multiple times + * + * This structure is the base one, in the case of a multi-cert bundle, we + * allocate 1 structure per type. + */ +struct cert_key_and_chain { + X509 *cert; + EVP_PKEY *key; + STACK_OF(X509) *chain; + DH *dh; + struct buffer *sctl; + struct buffer *ocsp_response; + X509 *ocsp_issuer; +}; + +/* + * this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and + * metadata. + * + * XXX: Once we remove the multi-cert bundle support, we could merge this structure + * with the cert_key_and_chain one. + */ +struct ckch_store { + struct cert_key_and_chain *ckch; + unsigned int multi:1; /* is it a multi-cert bundle ? */ + struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */ + struct list crtlist_entry; /* list of entries which use this store */ + struct ebmb_node node; + char path[0]; +}; + +/* + * This structure describe a ckch instance. An instance is generated for each + * bind_conf. The instance contains a linked list of the sni ctx which uses + * the ckch in this bind_conf. + */ +struct ckch_inst { + struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */ + struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */ + struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */ + struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */ + unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */ + /* space for more flag there */ + struct list sni_ctx; /* list of sni_ctx using this ckch_inst */ + struct list by_ckchs; /* chained in ckch_store's list of ckch_inst */ + struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */ +}; + +#endif /* USE_OPENSSL */ +#endif /* _TYPES_SSL_CKCH_H */ diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h index 1c95eb7e5..e6b092e66 100644 --- a/include/types/ssl_sock.h +++ b/include/types/ssl_sock.h @@ -27,6 +27,7 @@ #include #include +#include #include #include @@ -181,53 +182,6 @@ enum { SETCERT_ST_FIN, }; -/* This is used to preload the certificate, private key - * and Cert Chain of a file passed in via the crt - * argument - * - * This way, we do not have to read the file multiple times - */ -struct cert_key_and_chain { - X509 *cert; - EVP_PKEY *key; - STACK_OF(X509) *chain; - DH *dh; - struct buffer *sctl; - struct buffer *ocsp_response; - X509 *ocsp_issuer; -}; - -/* - * this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and - * metadata. - */ -struct ckch_store { - struct cert_key_and_chain *ckch; - unsigned int multi:1; /* is it a multi-cert bundle ? */ - struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */ - struct list crtlist_entry; /* list of entries which use this store */ - struct ebmb_node node; - char path[0]; -}; - -/* - * This structure describe a ckch instance. An instance is generated for each - * bind_conf. The instance contains a linked list of the sni ctx which uses - * the ckch in this bind_conf. - */ -struct ckch_inst { - struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */ - struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */ - struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */ - struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */ - unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */ - /* space for more flag there */ - struct list sni_ctx; /* list of sni_ctx using this ckch_inst */ - struct list by_ckchs; /* chained in ckch_store's list of ckch_inst */ - struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */ -}; - - #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL #define SSL_SOCK_POSSIBLE_KT_COMBOS (1<<(SSL_SOCK_NUM_KEYTYPES)) @@ -310,5 +264,16 @@ struct global_ssl { int extra_files; /* which files not defined in the configuration file are we looking for */ }; +#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL +/* The order here matters for picking a default context, + * keep the most common keytype at the bottom of the list + */ +extern const char *SSL_SOCK_KEYTYPE_NAMES[]; + +#define SSL_SOCK_NUM_KEYTYPES 3 +#else +#define SSL_SOCK_NUM_KEYTYPES 1 +#endif + #endif /* USE_OPENSSL */ #endif /* _TYPES_SSL_SOCK_H */ diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d1b263e50..c33bf4e4e 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -512,8 +512,6 @@ __decl_rwlock(ssl_ctx_lru_rwlock); #endif // SSL_CTRL_SET_TLSEXT_HOSTNAME -static struct ssl_bind_kw ssl_bind_kws[]; - #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL /* The order here matters for picking a default context, * keep the most common keytype at the bottom of the list @@ -523,9 +521,6 @@ const char *SSL_SOCK_KEYTYPE_NAMES[] = { "ecdsa", "rsa" }; -#define SSL_SOCK_NUM_KEYTYPES 3 -#else -#define SSL_SOCK_NUM_KEYTYPES 1 #endif static struct shared_context *ssl_shctx = NULL; /* ssl shared session cache */ @@ -12772,7 +12767,7 @@ INITCALL1(STG_REGISTER, acl_register_keywords, &acl_kws); /* the keywords are used for crt-list parsing, they *MUST* be safe * with their proxy argument NULL and must only fill the ssl_bind_conf */ -static struct ssl_bind_kw ssl_bind_kws[] = { +struct ssl_bind_kw ssl_bind_kws[] = { { "allow-0rtt", ssl_bind_parse_allow_0rtt, 0 }, /* allow 0-RTT */ { "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */ { "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process ca-names and verify on client cert */