REORG: ssl: move the ckch structures to types/ssl_ckch.h

Move all the structures used for loading the SSL certificates in ssl_ckch.h
2025-09-22 06:11:32 +02:00 · 2020-05-12 14:46:24 +02:00 · 2020-05-12 14:46:24 +02:00 · d4632b2b6d
commit d4632b2b6d
parent be21b663cd
4 changed files with 107 additions and 53 deletions
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@ -34,6 +34,8 @@

 extern int sslconns;
 extern int totalsslconns;
+extern struct global_ssl global_ssl;
+extern struct ssl_bind_kw ssl_bind_kws[];

 /* boolean, returns true if connection is over SSL */
 static inline
--- a/include/types/ssl_ckch.h
+++ b/include/types/ssl_ckch.h
@ -0,0 +1,92 @@
+/*
+ * include/types/ssl_ckch.h
+ * ckch structures
+ *
+ * Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+
+/* The ckch (cert key and chain) structures are a group of structures used to
+ * cache and manipulate the certificates files loaded from the configuration
+ * file and the CLI Every certificate change made in a SSL_CTX should be done
+ * in these structures before being applied to a SSL_CTX.
+ *
+ * The complete architecture is described in doc/internals/ssl_cert.dia
+ */
+
+
+#ifndef _TYPES_SSL_CKCH_H
+#define _TYPES_SSL_CKCH_H
+#ifdef USE_OPENSSL
+
+#include <common/mini-clist.h>
+#include <common/openssl-compat.h>
+
+/* This is used to preload the certificate, private key
+ * and Cert Chain of a file passed in via the crt
+ * argument
+ *
+ * This way, we do not have to read the file multiple times
+ *
+ * This structure is the base one, in the case of a multi-cert bundle, we
+ *  allocate 1 structure per type.
+ */
+struct cert_key_and_chain {
+	X509 *cert;
+	EVP_PKEY *key;
+	STACK_OF(X509) *chain;
+	DH *dh;
+	struct buffer *sctl;
+	struct buffer *ocsp_response;
+	X509 *ocsp_issuer;
+};
+
+/*
+ * this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
+ * metadata.
+ *
+ * XXX: Once we remove the multi-cert bundle support, we could merge this structure
+ * with the cert_key_and_chain one.
+ */
+struct ckch_store {
+	struct cert_key_and_chain *ckch;
+	unsigned int multi:1;  /* is it a multi-cert bundle ? */
+	struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
+	struct list crtlist_entry; /* list of entries which use this store */
+	struct ebmb_node node;
+	char path[0];
+};
+
+/*
+ * This structure describe a ckch instance. An instance is generated for each
+ * bind_conf.  The instance contains a linked list of the sni ctx which uses
+ * the ckch in this bind_conf.
+ */
+struct ckch_inst {
+	struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
+	struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
+	struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
+	struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */
+	unsigned int is_default:1;      /* This instance is used as the default ctx for this bind_conf */
+	/* space for more flag there */
+	struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
+	struct list by_ckchs; /* chained in ckch_store's list of ckch_inst */
+	struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
+};
+
+#endif /* USE_OPENSSL */
+#endif /* _TYPES_SSL_CKCH_H */
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@ -27,6 +27,7 @@
 #include <ebmbtree.h>
 #include <eb64tree.h>

+#include <types/ssl_ckch.h>
 #include <types/ssl_crtlist.h>

 #include <common/hathreads.h>
@ -181,53 +182,6 @@ enum {
 	SETCERT_ST_FIN,
 };

-/* This is used to preload the certificate, private key
- * and Cert Chain of a file passed in via the crt
- * argument
- *
- * This way, we do not have to read the file multiple times
- */
-struct cert_key_and_chain {
-	X509 *cert;
-	EVP_PKEY *key;
-	STACK_OF(X509) *chain;
-	DH *dh;
-	struct buffer *sctl;
-	struct buffer *ocsp_response;
-	X509 *ocsp_issuer;
-};
-
-/*
- * this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
- * metadata.
- */
-struct ckch_store {
-	struct cert_key_and_chain *ckch;
-	unsigned int multi:1;  /* is it a multi-cert bundle ? */
-	struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
-	struct list crtlist_entry; /* list of entries which use this store */
-	struct ebmb_node node;
-	char path[0];
-};
-
-/*
- * This structure describe a ckch instance. An instance is generated for each
- * bind_conf.  The instance contains a linked list of the sni ctx which uses
- * the ckch in this bind_conf.
- */
-struct ckch_inst {
-	struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
-	struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
-	struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
-	struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */
-	unsigned int is_default:1;      /* This instance is used as the default ctx for this bind_conf */
-	/* space for more flag there */
-	struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
-	struct list by_ckchs; /* chained in ckch_store's list of ckch_inst */
-	struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
-};
-
-
 #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL

 #define SSL_SOCK_POSSIBLE_KT_COMBOS (1<<(SSL_SOCK_NUM_KEYTYPES))
@ -310,5 +264,16 @@ struct global_ssl {
 	int extra_files; /* which files not defined in the configuration file are we looking for */
 };

+#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
+/* The order here matters for picking a default context,
+ * keep the most common keytype at the bottom of the list
+ */
+extern const char *SSL_SOCK_KEYTYPE_NAMES[];
+
+#define SSL_SOCK_NUM_KEYTYPES 3
+#else
+#define SSL_SOCK_NUM_KEYTYPES 1
+#endif
+
 #endif /* USE_OPENSSL */
 #endif /* _TYPES_SSL_SOCK_H */
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -512,8 +512,6 @@ __decl_rwlock(ssl_ctx_lru_rwlock);

 #endif // SSL_CTRL_SET_TLSEXT_HOSTNAME

-static struct ssl_bind_kw ssl_bind_kws[];
-
 #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
 /* The order here matters for picking a default context,
 * keep the most common keytype at the bottom of the list
@ -523,9 +521,6 @@ const char *SSL_SOCK_KEYTYPE_NAMES[] = {
 	"ecdsa",
 	"rsa"
 };
-#define SSL_SOCK_NUM_KEYTYPES 3
-#else
-#define SSL_SOCK_NUM_KEYTYPES 1
 #endif

 static struct shared_context *ssl_shctx = NULL; /* ssl shared session cache */
@ -12772,7 +12767,7 @@ INITCALL1(STG_REGISTER, acl_register_keywords, &acl_kws);

 /* the <ssl_bind_kws> keywords are used for crt-list parsing, they *MUST* be safe
 * with their proxy argument NULL and must only fill the ssl_bind_conf */
-static struct ssl_bind_kw ssl_bind_kws[] = {
+struct ssl_bind_kw ssl_bind_kws[] = {
 	{ "allow-0rtt",            ssl_bind_parse_allow_0rtt,       0 }, /* allow 0-RTT */
 	{ "alpn",                  ssl_bind_parse_alpn,             1 }, /* set ALPN supported protocols */
 	{ "ca-file",               ssl_bind_parse_ca_file,          1 }, /* set CAfile to process ca-names and verify on client cert */