mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-13 18:46:57 +02:00
Code Issues Projects Releases Wiki Activity
deb978149a
haproxy/include/haproxy/ssl_ckch-t.h
Remi Tricot-Le Breton fb2b9988e8 MINOR: ssl: Store 'ocsp-update' mode in the ckch_data and check for inconsistencies 
The 'ocsp-update' option is parsed at the same time as all the other
bind line options but it does not actually have anything to do with the
bind line since it concerns the frontend certificate instead. For that
reason, we should have a mean to identify inconsistencies in the
configuration and raise an error when a given certificate has two
different ocsp-update modes specified in one or more crt-lists.
The simplest way to do it is to store the ocsp update mode directly in
the ckch and not only in the ssl_bind_conf.
2022-12-21 11:21:07 +01:00

163 lines
5.1 KiB
C
Raw Blame History

/*
* include/haproxy/ssl_ckch-t.h
* ckch structures
*
* Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/* The ckch (cert key and chain) structures are a group of structures used to
* cache and manipulate the certificates files loaded from the configuration
* file and the CLI Every certificate change made in a SSL_CTX should be done
* in these structures before being applied to a SSL_CTX.
*
* The complete architecture is described in doc/internals/ssl_cert.dia
*/
#ifndef _HAPROXY_SSL_CKCH_T_H
#define _HAPROXY_SSL_CKCH_T_H
#ifdef USE_OPENSSL
#include <import/ebtree-t.h>
#include <haproxy/buf-t.h>
#include <haproxy/openssl-compat.h>
/* This is used to preload the certificate, private key
* and Cert Chain of a file passed in via the crt
* argument
*
* This way, we do not have to read the file multiple times
*
* This structure is the base one, in the case of a multi-cert bundle, we
* allocate 1 structure per type.
*/
struct ckch_data {
X509 *cert;
EVP_PKEY *key;
STACK_OF(X509) *chain;
HASSL_DH *dh;
struct buffer *sctl;
struct buffer *ocsp_response;
X509 *ocsp_issuer;
OCSP_CERTID *ocsp_cid;
int ocsp_update_mode;
};
/*
* this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
* metadata.
*
* "ckch" for cert, key and chain.
*
* XXX: Once we remove the multi-cert bundle support, we could merge this structure
* with the cert_key_and_chain one.
*/
struct ckch_store {
struct ckch_data *data;
struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
struct list crtlist_entry; /* list of entries which use this store */
struct ebmb_node node;
char path[VAR_ARRAY];
};
/* forward declarations for ckch_inst */
struct ssl_bind_conf;
struct crtlist_entry;
/* Used to keep a list of all the instances using a specific cafile_entry.
* It enables to link instances regardless of how they are using the CA file
* (either via the ca-file, ca-verify-file or crl-file option). */
struct ckch_inst_link {
struct ckch_inst *ckch_inst;
struct list list;
};
/* Used to keep in a ckch instance a list of all the ckch_inst_link which
* reference it. This way, when deleting a ckch_inst, we can ensure that no
* dangling reference on it will remain. */
struct ckch_inst_link_ref {
struct ckch_inst_link *link;
struct list list;
};
/*
* This structure describe a ckch instance. An instance is generated for each
* bind_conf. The instance contains a linked list of the sni ctx which uses
* the ckch in this bind_conf.
*/
struct ckch_inst {
struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */
struct server *server; /* pointer to the server if is_server_instance is set, NULL otherwise */
SSL_CTX *ctx; /* pointer to the SSL context used by this instance */
unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
unsigned int is_server_instance:1; /* This instance is used by a backend server */
/* space for more flag there */
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
struct list by_ckchs; /* chained in ckch_store's list of ckch_inst */
struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
struct list cafile_link_refs; /* list of ckch_inst_link pointing to this instance */
};
/* Option through which a cafile_entry was created, either
* ca-file/ca-verify-file or crl-file. */
enum cafile_type {
CAFILE_CERT,
CAFILE_CRL
};
/*
* deduplicate cafile (and crlfile)
*/
struct cafile_entry {
X509_STORE *ca_store;
STACK_OF(X509_NAME) *ca_list;
struct list ckch_inst_link; /* list of ckch_inst which use this CA file entry */
enum cafile_type type;
struct ebmb_node node;
char path[0];
};
enum {
CERT_TYPE_PEM = 0,
CERT_TYPE_CRT,
CERT_TYPE_KEY,
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
CERT_TYPE_OCSP,
#endif
CERT_TYPE_ISSUER,
#ifdef HAVE_SSL_SCTL
CERT_TYPE_SCTL,
#endif
CERT_TYPE_MAX,
};
struct cert_exts {
const char *ext;
int type;
int (*load)(const char *path, char *payload, struct ckch_data *data, char **err);
/* add a parsing callback */
};
#endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_CKCH_T_H */
Reference in New Issue View Git Blame Copy Permalink