MEDIUM: ssl: rename the struct "cert_key_and_chain" to "ckch_data"

Rename the structure "cert_key_and_chain" to "ckch_data" in order to avoid confusion with the store whcih often called "ckchs". The "cert_key_and_chain *ckch" were renamed "ckch_data *data", so we now have store->data instead of ckchs->ckch. Marked medium because it changes the API.
2025-04-28 13:58:08 +00:00 · 2022-11-22 11:51:53 +01:00 · 2022-11-22 11:51:53 +01:00 · 52ddd99940
commit 52ddd99940
parent d06b9c8b99
7 changed files with 154 additions and 152 deletions
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@ -186,7 +186,7 @@ struct bind_conf {
 	char *ca_sign_file;        /* CAFile used to generate and sign server certificates */
 	char *ca_sign_pass;        /* CAKey passphrase */
-	struct cert_key_and_chain * ca_sign_ckch;	/* CA and possible certificate chain for ca generation */
+	struct ckch_data *ca_sign_ckch;	/* CA and possible certificate chain for ca generation */
 #endif
 #ifdef USE_QUIC
 	struct quic_transport_params quic_params; /* QUIC transport parameters. */
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@ -46,7 +46,7 @@
 * This structure is the base one, in the case of a multi-cert bundle, we
 *  allocate 1 structure per type.
 */
-struct cert_key_and_chain {
+struct ckch_data {
 	X509 *cert;
 	EVP_PKEY *key;
 	STACK_OF(X509) *chain;
@ -60,11 +60,13 @@ struct cert_key_and_chain {
 * this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
 * metadata.
 *
 * "ckch" for cert, key and chain.
 *
 * XXX: Once we remove the multi-cert bundle support, we could merge this structure
 * with the cert_key_and_chain one.
 */
 struct ckch_store {
-	struct cert_key_and_chain *ckch;
+	struct ckch_data *data;
 	struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
 	struct list crtlist_entry; /* list of entries which use this store */
 	struct ebmb_node node;
@ -150,7 +152,7 @@ enum {
 struct cert_exts {
 	const char *ext;
 	int type;
-	int (*load)(const char *path, char *payload, struct cert_key_and_chain *ckch, char **err);
+	int (*load)(const char *path, char *payload, struct ckch_data *data, char **err);
 	/* add a parsing callback */
 };
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@ -27,14 +27,14 @@
 /* cert_key_and_chain functions */
-int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err);
+int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err);
-int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
+int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *datackch , char **err);
-void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch);
+void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data);
-int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
+int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err);
-int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err);
+int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err);
-int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err);
+int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err);
-int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err);
+int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err);
 /* ckch_store functions */
 struct ckch_store *ckchs_load_cert_file(char *path, char **err);
--- a/src/hlua.c
+++ b/src/hlua.c
@ -11609,7 +11609,7 @@ __LJMP static int hlua_ckch_set(lua_State *L)
 	char *err = NULL;
 	struct cert_exts *cert_ext = NULL;
 	char *filename;
-	struct cert_key_and_chain *ckch;
+	struct ckch_data *data;
 	int ret;
 	if (lua_type(L, -1) != LUA_TTABLE)
@ -11646,7 +11646,7 @@ __LJMP static int hlua_ckch_set(lua_State *L)
 		goto end;
 	}
-	ckch = new_ckchs->ckch;
+	data = new_ckchs->data;
 	/* loop on the field in the table, which have the same name as the
 	 * possible extensions of files */
@ -11676,7 +11676,7 @@ __LJMP static int hlua_ckch_set(lua_State *L)
 		}
 		/* appply the change on the duplicate */
-		if (cert_ext->load(filename, payload, ckch, &err) != 0) {
+		if (cert_ext->load(filename, payload, data, &err) != 0) {
 			memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext);
 			errcode |= ERR_ALERT | ERR_FATAL;
 			goto end;
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -165,7 +165,7 @@ out:
 /* Try to load a sctl from a buffer <buf> if not NULL, or read the file <sctl_path>
 * It fills the ckch->sctl buffer
 * return 0 on success or != 0 on failure */
-int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err)
 {
 	int fd = -1;
 	int r = 0;
@ -208,11 +208,11 @@ int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_k
 		goto end;
 	}
 	/* no error, fill ckch with new context, old context must be free */
-	if (ckch->sctl) {
+	if (data->sctl) {
-		ha_free(&ckch->sctl->area);
+		ha_free(&data->sctl->area);
-		free(ckch->sctl);
+		free(data->sctl);
 	}
-	ckch->sctl = sctl;
+	data->sctl = sctl;
 	ret = 0;
 end:
 	if (fd != -1)
@ -228,7 +228,7 @@ end:
 *
 * Returns 0 on success, 1 in error case.
 */
-int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err)
 {
 	int fd = -1;
 	int r = 0;
@ -287,12 +287,12 @@ int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, stru
 		ha_free(&ocsp_response);
 		goto end;
 	}
-	/* no error, fill ckch with new context, old context must be free */
+	/* no error, fill data with new context, old context must be free */
-	if (ckch->ocsp_response) {
+	if (data->ocsp_response) {
-		ha_free(&ckch->ocsp_response->area);
+		ha_free(&data->ocsp_response->area);
-		free(ckch->ocsp_response);
+		free(data->ocsp_response);
 	}
-	ckch->ocsp_response = ocsp_response;
+	data->ocsp_response = ocsp_response;
 	ret = 0;
 end:
 	if (fd != -1)
@ -317,14 +317,14 @@ end:
 *      0 on Success
 *      1 on SSL Failure
 */
-int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err)
 {
 	struct buffer *fp = NULL;
 	int ret = 1;
 	struct stat st;
 	/* try to load the PEM */
-	if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
+	if (ssl_sock_load_pem_into_ckch(path, NULL, data , err) != 0) {
 		goto end;
 	}
@ -356,7 +356,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 	}
-	if (ckch->key == NULL) {
+	if (data->key == NULL) {
 		/* If no private key was found yet and we cannot look for it in extra
 		 * files, raise an error.
 		 */
@ -374,14 +374,14 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 		}
 		if (stat(fp->area, &st) == 0) {
-			if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
+			if (ssl_sock_load_key_into_ckch(fp->area, NULL, data, err)) {
 				memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
 					  err && *err ? *err : "", fp->area);
 				goto end;
 			}
 		}
-		if (ckch->key == NULL) {
+		if (data->key == NULL) {
 			memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
 			goto end;
 		}
@ -391,7 +391,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 	}
-	if (!X509_check_private_key(ckch->cert, ckch->key)) {
+	if (!X509_check_private_key(data->cert, data->key)) {
 		memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
 		          err && *err ? *err : "", path);
 		goto end;
@ -410,7 +410,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 		}
 		if (stat(fp->area, &st) == 0) {
-			if (ssl_sock_load_sctl_from_file(fp->area, NULL, ckch, err)) {
+			if (ssl_sock_load_sctl_from_file(fp->area, NULL, data, err)) {
 				memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
 					  err && *err ? *err : "", fp->area);
 				ret = 1;
@ -435,7 +435,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 		}
 		if (stat(fp->area, &st) == 0) {
-			if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, ckch, err)) {
+			if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, data, err)) {
 				ret = 1;
 				goto end;
 			}
@ -446,9 +446,9 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 	}
 #ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
-	if (ckch->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
+	if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
 		/* if no issuer was found, try to load an issuer from the .issuer */
-		if (!ckch->ocsp_issuer) {
+		if (!data->ocsp_issuer) {
 			struct stat st;
 			if (!chunk_strcat(fp, ".issuer") || b_data(fp) > MAXPATHLEN) {
@ -459,12 +459,12 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
 			}
 			if (stat(fp->area, &st) == 0) {
-				if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, ckch, err)) {
+				if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, data, err)) {
 					ret = 1;
 					goto end;
 				}
-				if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) {
+				if (X509_check_issued(data->ocsp_issuer, data->cert) != X509_V_OK) {
 					memprintf(err, "%s '%s' is not an issuer'.\n",
 						  err && *err ? *err : "", fp->area);
 					ret = 1;
@ -486,7 +486,7 @@ end:
 	/* Something went wrong in one of the reads */
 	if (ret != 0)
-		ssl_sock_free_cert_key_and_chain_contents(ckch);
+		ssl_sock_free_cert_key_and_chain_contents(data);
 	free_trash_chunk(fp);
@ -500,7 +500,7 @@ end:
 *
 *  Return 0 on success or != 0 on failure
 */
-int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
+int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err)
 {
 	BIO *in = NULL;
 	int ret = 1;
@ -534,7 +534,7 @@ int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and
 	ret = 0;
-	SWAP(ckch->key, key);
+	SWAP(data->key, key);
 end:
@ -556,7 +556,7 @@ end:
 *
 *  Return 0 on success or != 0 on failure
 */
-int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
+int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err)
 {
 	BIO *in = NULL;
 	int ret = 1;
@ -639,27 +639,27 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 		goto end;
 	}
-	/* once it loaded the PEM, it should remove everything else in the ckch */
+	/* once it loaded the PEM, it should remove everything else in the data */
-	if (ckch->ocsp_response) {
+	if (data->ocsp_response) {
-		ha_free(&ckch->ocsp_response->area);
+		ha_free(&data->ocsp_response->area);
-		ha_free(&ckch->ocsp_response);
+		ha_free(&data->ocsp_response);
 	}
-	if (ckch->sctl) {
+	if (data->sctl) {
-		ha_free(&ckch->sctl->area);
+		ha_free(&data->sctl->area);
-		ha_free(&ckch->sctl);
+		ha_free(&data->sctl);
 	}
-	if (ckch->ocsp_issuer) {
+	if (data->ocsp_issuer) {
-		X509_free(ckch->ocsp_issuer);
+		X509_free(data->ocsp_issuer);
-		ckch->ocsp_issuer = NULL;
+		data->ocsp_issuer = NULL;
 	}
-	/* no error, fill ckch with new context, old context will be free at end: */
+	/* no error, fill data with new context, old context will be free at end: */
-	SWAP(ckch->key, key);
+	SWAP(data->key, key);
-	SWAP(ckch->dh, dh);
+	SWAP(data->dh, dh);
-	SWAP(ckch->cert, cert);
+	SWAP(data->cert, cert);
-	SWAP(ckch->chain, chain);
+	SWAP(data->chain, chain);
 	ret = 0;
@ -682,43 +682,43 @@ end:
 /* Frees the contents of a cert_key_and_chain
 */
-void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
+void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
 {
-	if (!ckch)
+	if (!data)
 		return;
 	/* Free the certificate and set pointer to NULL */
-	if (ckch->cert)
+	if (data->cert)
-		X509_free(ckch->cert);
+		X509_free(data->cert);
-	ckch->cert = NULL;
+	data->cert = NULL;
 	/* Free the key and set pointer to NULL */
-	if (ckch->key)
+	if (data->key)
-		EVP_PKEY_free(ckch->key);
+		EVP_PKEY_free(data->key);
-	ckch->key = NULL;
+	data->key = NULL;
 	/* Free each certificate in the chain */
-	if (ckch->chain)
+	if (data->chain)
-		sk_X509_pop_free(ckch->chain, X509_free);
+		sk_X509_pop_free(data->chain, X509_free);
-	ckch->chain = NULL;
+	data->chain = NULL;
-	if (ckch->dh)
+	if (data->dh)
-		HASSL_DH_free(ckch->dh);
+		HASSL_DH_free(data->dh);
-	ckch->dh = NULL;
+	data->dh = NULL;
-	if (ckch->sctl) {
+	if (data->sctl) {
-		ha_free(&ckch->sctl->area);
+		ha_free(&data->sctl->area);
-		ha_free(&ckch->sctl);
+		ha_free(&data->sctl);
 	}
-	if (ckch->ocsp_response) {
+	if (data->ocsp_response) {
-		ha_free(&ckch->ocsp_response->area);
+		ha_free(&data->ocsp_response->area);
-		ha_free(&ckch->ocsp_response);
+		ha_free(&data->ocsp_response);
 	}
-	if (ckch->ocsp_issuer)
+	if (data->ocsp_issuer)
-		X509_free(ckch->ocsp_issuer);
+		X509_free(data->ocsp_issuer);
-	ckch->ocsp_issuer = NULL;
+	data->ocsp_issuer = NULL;
 }
 /*
@ -730,8 +730,8 @@ void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
 *
 * Return a the dst or NULL
 */
-struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_chain *src,
+struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
-                                                                   struct cert_key_and_chain *dst)
+                                                                   struct ckch_data *dst)
 {
 	if (!src || !dst)
 		return NULL;
@ -801,7 +801,7 @@ error:
 /*
 * return 0 on success or != 0 on failure
 */
-int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err)
 {
 	int ret = 1;
 	BIO *in = NULL;
@ -831,10 +831,10 @@ int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert
 		          err && *err ? *err : "", path);
 		goto end;
 	}
-	/* no error, fill ckch with new context, old context must be free */
+	/* no error, fill data with new context, old context must be free */
-	if (ckch->ocsp_issuer)
+	if (data->ocsp_issuer)
-		X509_free(ckch->ocsp_issuer);
+		X509_free(data->ocsp_issuer);
-	ckch->ocsp_issuer = issuer;
+	data->ocsp_issuer = issuer;
 	ret = 0;
 end:
@ -861,9 +861,9 @@ void ckch_store_free(struct ckch_store *store)
 	if (!store)
 		return;
-	ssl_sock_free_cert_key_and_chain_contents(store->ckch);
+	ssl_sock_free_cert_key_and_chain_contents(store->data);
-	ha_free(&store->ckch);
+	ha_free(&store->data);
 	list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) {
 		ckch_inst_free(inst);
@ -894,8 +894,8 @@ struct ckch_store *ckch_store_new(const char *filename)
 	LIST_INIT(&store->ckch_inst);
 	LIST_INIT(&store->crtlist_entry);
-	store->ckch = calloc(1, sizeof(*store->ckch));
+	store->data = calloc(1, sizeof(*store->data));
-	if (!store->ckch)
+	if (!store->data)
 		goto error;
 	return store;
@ -917,7 +917,7 @@ struct ckch_store *ckchs_dup(const struct ckch_store *src)
 	if (!dst)
 		return NULL;
-	if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
+	if (!ssl_sock_copy_cert_key_and_chain(src->data, dst->data))
 		goto error;
 	return dst;
@ -955,7 +955,7 @@ struct ckch_store *ckchs_load_cert_file(char *path, char **err)
 		goto end;
 	}
-	if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
+	if (ssl_sock_load_files_into_ckch(path, ckchs->data, err) == 1)
 		goto end;
 	/* insert into the ckchs tree */
@ -1773,13 +1773,13 @@ static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char
 	*key_length = 0;
-	if (!ckch_store->ckch->ocsp_response)
+	if (!ckch_store->data->ocsp_response)
 		return 0;
-	p = (unsigned char *) ckch_store->ckch->ocsp_response->area;
+	p = (unsigned char *) ckch_store->data->ocsp_response->area;
 	resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
-				 ckch_store->ckch->ocsp_response->data);
+				 ckch_store->data->ocsp_response->data);
 	if (!resp) {
 		goto end;
 	}
@ -1849,14 +1849,14 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx)
 	chunk_appendf(out, "%s\n", ckchs->path);
 	chunk_appendf(out, "Status: ");
-	if (ckchs->ckch->cert == NULL)
+	if (ckchs->data->cert == NULL)
 		chunk_appendf(out, "Empty\n");
 	else if (LIST_ISEMPTY(&ckchs->ckch_inst))
 		chunk_appendf(out, "Unused\n");
 	else
 		chunk_appendf(out, "Used\n");
-	retval = show_cert_detail(ckchs->ckch->cert, ckchs->ckch->chain, out);
+	retval = show_cert_detail(ckchs->data->cert, ckchs->data->chain, out);
 	if (retval < 0)
 		goto end_no_putchk;
 	else if (retval)
@ -1895,8 +1895,8 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
 	 * need to dump the ckch's ocsp_response buffer directly.
 	 * Otherwise, we must rebuild the certificate's certid in order to
 	 * look for the current OCSP response in the tree. */
-	if (from_transaction && ckchs->ckch->ocsp_response) {
+	if (from_transaction && ckchs->data->ocsp_response) {
-		if (ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out))
+		if (ssl_ocsp_response_print(ckchs->data->ocsp_response, out))
 			goto end_no_putchk;
 	}
 	else {
@ -2292,12 +2292,12 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc
 	}
 	/* if a certificate is here, a private key must be here too */
-	if (ckchs_transaction.new_ckchs->ckch->cert && !ckchs_transaction.new_ckchs->ckch->key) {
+	if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) {
 		memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
 		goto error;
 	}
-	if (!X509_check_private_key(ckchs_transaction.new_ckchs->ckch->cert, ckchs_transaction.new_ckchs->ckch->key)) {
+	if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
 		memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
 		goto error;
 	}
@ -2335,7 +2335,7 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
 	int errcode = 0;
 	char *end;
 	struct cert_exts *cert_ext = &cert_exts[0]; /* default one, PEM */
-	struct cert_key_and_chain *ckch;
+	struct ckch_data *data;
 	struct buffer *buf;
 	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
@ -2434,10 +2434,10 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
 		goto end;
 	}
-	ckch = new_ckchs->ckch;
+	data = new_ckchs->data;
 	/* appply the change on the duplicate */
-	if (cert_ext->load(buf->area, payload, ckch, &err) != 0) {
+	if (cert_ext->load(buf->area, payload, data, &err) != 0) {
 		memprintf(&err, "%sCan't load the payload\n", err ? err : "");
 		errcode |= ERR_ALERT | ERR_FATAL;
 		goto end;
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@ -1288,7 +1288,7 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
 		memprintf(&err, "certificate '%s' does not exist!", cert_path);
 		goto error;
 	}
-	if (store->ckch == NULL || store->ckch->cert == NULL) {
+	if (store->data == NULL || store->data->cert == NULL) {
 		memprintf(&err, "certificate '%s' is empty!", cert_path);
 		goto error;
 	}
@ -1383,7 +1383,7 @@ static int cli_parse_del_crtlist(char **args, char *payload, struct appctx *appc
 		memprintf(&err, "certificate '%s' does not exist!", cert_path);
 		goto error;
 	}
-	if (store->ckch == NULL || store->ckch->cert == NULL) {
+	if (store->data == NULL || store->data->cert == NULL) {
 		memprintf(&err, "certificate '%s' is empty!", cert_path);
 		goto error;
 	}
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1472,7 +1472,7 @@ static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
 * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
 * successfully enabled, or -1 in other error case.
 */
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
 {
 	X509 *x, *issuer;
 	OCSP_CERTID *cid = NULL;
@ -1487,11 +1487,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 #endif
-	x = ckch->cert;
+	x = data->cert;
 	if (!x)
 		goto out;
-	issuer = ckch->ocsp_issuer;
+	issuer = data->ocsp_issuer;
 	/* take issuer from chain over ocsp_issuer, is what is done historicaly */
 	if (chain) {
 		/* check if one of the certificate of the chain is the issuer */
@ -1588,7 +1588,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 	ret = 0;
 	warn = NULL;
-	if (ssl_sock_load_ocsp_response(ckch->ocsp_response, iocsp, cid, &warn)) {
+	if (ssl_sock_load_ocsp_response(data->ocsp_response, iocsp, cid, &warn)) {
 		memprintf(&warn, "Loading: %s. Content will be ignored", warn ? warn : "failure");
 		ha_warning("%s.\n", warn);
 	}
@ -1608,7 +1608,7 @@ out:
 #endif
 #ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
 {
 	return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
 }
@ -3555,14 +3555,14 @@ struct eb_root crtlists_tree = EB_ROOT_UNIQUE;
 * the operation succeed.
 */
 #ifndef OPENSSL_NO_DH
-static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain *ckch,
+static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct ckch_data *data,
                                   const char *path, char **err)
 {
 	int ret = 0;
 	HASSL_DH *dh = NULL;
-	if (ckch && ckch->dh) {
+	if (data && data->dh) {
-		dh = ckch->dh;
+		dh = data->dh;
 		if (!ssl_sock_set_tmp_dh(ctx, dh)) {
 			memprintf(err, "%sunable to load the DH parameter specified in '%s'",
 				  err && *err ? *err : "", path);
@ -3621,7 +3621,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 #if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 				SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
 #else
-				ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
+				ssl_sock_set_tmp_dh_from_pkey(ctx, data ? data->key : NULL);
 #endif
 			}
 		}
@ -3642,7 +3642,7 @@ end:
 * The value 0 means there is no error nor warning and
 * the operation succeed.
 */
-static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_chain *ckch,
+static int ssl_sock_load_cert_chain(const char *path, const struct ckch_data *data,
 				    SSL_CTX *ctx, STACK_OF(X509) **find_chain, char **err)
 {
 	int errcode = 0;
@ -3655,7 +3655,7 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
 		goto end;
 	}
-	if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
+	if (!SSL_CTX_use_certificate(ctx, data->cert)) {
 		ret = ERR_get_error();
 		memprintf(err, "%sunable to load SSL certificate into SSL Context '%s': %s.\n",
 				err && *err ? *err : "", path, ERR_reason_error_string(ret));
@ -3663,12 +3663,12 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
 		goto end;
 	}
-	if (ckch->chain) {
+	if (data->chain) {
-		*find_chain = ckch->chain;
+		*find_chain = data->chain;
 	} else {
 		/* Find Certificate Chain in global */
 		struct issuer_chain *issuer;
-		issuer = ssl_get0_issuer_chain(ckch->cert);
+		issuer = ssl_get0_issuer_chain(data->cert);
 		if (issuer)
 			*find_chain = issuer->chain;
 	}
@ -3679,7 +3679,7 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
 		*find_chain = sk_X509_new_null();
 	}
-	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+	/* Load all certs in the data into the ctx_chain for the ssl_ctx */
 #ifdef SSL_CTX_set1_chain
 	if (!SSL_CTX_set1_chain(ctx, *find_chain)) {
 		ret = ERR_get_error();
@ -3730,14 +3730,14 @@ end:
 * The value 0 means there is no error nor warning and
 * the operation succeed.
 */
-static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
+static int ssl_sock_put_ckch_into_ctx(const char *path, const struct ckch_data *data, SSL_CTX *ctx, char **err)
 {
 	int errcode = 0;
 	STACK_OF(X509) *find_chain = NULL;
 	ERR_clear_error();
-	if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
+	if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) {
 		int ret;
 		ret = ERR_get_error();
@ -3748,7 +3748,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 	/* Load certificate chain */
-	errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err);
+	errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err);
 	if (errcode & ERR_CODE)
 		goto end;
@ -3759,7 +3759,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 		SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
 	}
-	errcode |= ssl_sock_load_dh_params(ctx, ckch, path, err);
+	errcode |= ssl_sock_load_dh_params(ctx, data, path, err);
 	if (errcode & ERR_CODE) {
 		memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
 		          err && *err ? *err : "", path);
@ -3768,8 +3768,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 #endif
 #ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
-	if (sctl_ex_index >= 0 && ckch->sctl) {
+	if (sctl_ex_index >= 0 && data->sctl) {
-		if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
+		if (ssl_sock_load_sctl(ctx, data->sctl) < 0) {
 			memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
 			          err && *err ? *err : "", path);
 			errcode |= ERR_ALERT | ERR_FATAL;
@ -3780,8 +3780,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
 	/* Load OCSP Info into context */
-	if (ckch->ocsp_response) {
+	if (data->ocsp_response) {
-		if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {
+		if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) {
 			memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
 			          err && *err ? *err : "", path);
 			errcode |= ERR_ALERT | ERR_FATAL;
@ -3803,21 +3803,21 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 * The value 0 means there is no error nor warning and
 * the operation succeed.
 */
-static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch,
+static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct ckch_data *data,
 					  SSL_CTX *ctx, char **err)
 {
 	int errcode = 0;
 	STACK_OF(X509) *find_chain = NULL;
 	/* Load the private key */
-	if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
+	if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) {
 		memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
 				err && *err ? *err : "", path);
 		errcode |= ERR_ALERT | ERR_FATAL;
 	}
 	/* Load certificate chain */
-	errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err);
+	errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err);
 	if (errcode & ERR_CODE)
 		goto end;
@ -3853,16 +3853,16 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	STACK_OF(GENERAL_NAME) *names;
 #endif
-	struct cert_key_and_chain *ckch;
+	struct ckch_data *data;
 	struct ckch_inst *ckch_inst = NULL;
 	int errcode = 0;
 	*ckchi = NULL;
-	if (!ckchs || !ckchs->ckch)
+	if (!ckchs || !ckchs->data)
 		return ERR_FATAL;
-	ckch = ckchs->ckch;
+	data = ckchs->data;
 	ctx = SSL_CTX_new(SSLv23_server_method());
 	if (!ctx) {
@ -3872,7 +3872,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
 		goto error;
 	}
-	errcode |= ssl_sock_put_ckch_into_ctx(path, ckch, ctx, err);
+	errcode |= ssl_sock_put_ckch_into_ctx(path, data, ctx, err);
 	if (errcode & ERR_CODE)
 		goto error;
@ -3884,7 +3884,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
 		goto error;
 	}
-	pkey = X509_get_pubkey(ckch->cert);
+	pkey = X509_get_pubkey(data->cert);
 	if (pkey) {
 		kinfo.bits = EVP_PKEY_bits(pkey);
 		switch(EVP_PKEY_base_id(pkey)) {
@ -3913,7 +3913,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
 	}
 	else {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-		names = X509_get_ext_d2i(ckch->cert, NID_subject_alt_name, NULL, NULL);
+		names = X509_get_ext_d2i(data->cert, NID_subject_alt_name, NULL, NULL);
 		if (names) {
 			for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
 				GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
@ -3932,7 +3932,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
 			sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
 		}
 #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
-		xname = X509_get_subject_name(ckch->cert);
+		xname = X509_get_subject_name(data->cert);
 		i = -1;
 		while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
 			X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
@ -4014,16 +4014,16 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
 				 struct ckch_inst **ckchi, char **err)
 {
 	SSL_CTX *ctx;
-	struct cert_key_and_chain *ckch;
+	struct ckch_data *data;
 	struct ckch_inst *ckch_inst = NULL;
 	int errcode = 0;
 	*ckchi = NULL;
-	if (!ckchs || !ckchs->ckch)
+	if (!ckchs || !ckchs->data)
 		return ERR_FATAL;
-	ckch = ckchs->ckch;
+	data = ckchs->data;
 	ctx = SSL_CTX_new(SSLv23_client_method());
 	if (!ctx) {
@ -4033,7 +4033,7 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
 		goto error;
 	}
-	errcode |= ssl_sock_put_srv_ckch_into_ctx(path, ckch, ctx, err);
+	errcode |= ssl_sock_put_srv_ckch_into_ctx(path, data, ctx, err);
 	if (errcode & ERR_CODE)
 		goto error;
@ -5714,7 +5714,7 @@ int
 ssl_sock_load_ca(struct bind_conf *bind_conf)
 {
 	struct proxy *px = bind_conf->frontend;
-	struct cert_key_and_chain *ckch = NULL;
+	struct ckch_data *data = NULL;
 	int ret = 0;
 	char *err = NULL;
@ -5737,15 +5737,15 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
 	}
 	/* Allocate cert structure */
-	ckch = calloc(1, sizeof(*ckch));
+	data = calloc(1, sizeof(*data));
-	if (!ckch) {
+	if (!data) {
 		ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain allocation failure\n",
 			px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
 		goto failed;
 	}
 	/* Try to parse file */
-	if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, ckch, &err)) {
+	if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, data, &err)) {
 		ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain loading failed: %s\n",
 			px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line, err);
 		free(err);
@ -5753,20 +5753,20 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
 	}
 	/* Fail if missing cert or pkey */
-	if ((!ckch->cert) || (!ckch->key)) {
+	if ((!data->cert) || (!data->key)) {
 		ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain missing certificate or private key\n",
 			px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
 		goto failed;
 	}
 	/* Final assignment to bind */
-	bind_conf->ca_sign_ckch = ckch;
+	bind_conf->ca_sign_ckch = data;
 	return ret;
 failed:
-	if (ckch) {
+	if (data) {
-		ssl_sock_free_cert_key_and_chain_contents(ckch);
+		ssl_sock_free_cert_key_and_chain_contents(data);
-		free(ckch);
+		free(data);
 	}
 	bind_conf->options &= ~BC_O_GENERATE_CERTS;