mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-04-28 05:48:01 +00:00
MEDIUM: ssl: rename the struct "cert_key_and_chain" to "ckch_data"
Rename the structure "cert_key_and_chain" to "ckch_data" in order to avoid confusion with the store whcih often called "ckchs". The "cert_key_and_chain *ckch" were renamed "ckch_data *data", so we now have store->data instead of ckchs->ckch. Marked medium because it changes the API.
This commit is contained in:
William Lallemand
parent
d06b9c8b99
commit
52ddd99940
@ -186,7 +186,7 @@ struct bind_conf {
|
||||
char *ca_sign_file; /* CAFile used to generate and sign server certificates */
|
||||
char *ca_sign_pass; /* CAKey passphrase */
|
||||
|
||||
struct cert_key_and_chain * ca_sign_ckch; /* CA and possible certificate chain for ca generation */
|
||||
struct ckch_data *ca_sign_ckch; /* CA and possible certificate chain for ca generation */
|
||||
#endif
|
||||
#ifdef USE_QUIC
|
||||
struct quic_transport_params quic_params; /* QUIC transport parameters. */
|
||||
|
||||
@ -46,7 +46,7 @@
|
||||
* This structure is the base one, in the case of a multi-cert bundle, we
|
||||
* allocate 1 structure per type.
|
||||
*/
|
||||
struct cert_key_and_chain {
|
||||
struct ckch_data {
|
||||
X509 *cert;
|
||||
EVP_PKEY *key;
|
||||
STACK_OF(X509) *chain;
|
||||
@ -60,11 +60,13 @@ struct cert_key_and_chain {
|
||||
* this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
|
||||
* metadata.
|
||||
*
|
||||
* "ckch" for cert, key and chain.
|
||||
*
|
||||
* XXX: Once we remove the multi-cert bundle support, we could merge this structure
|
||||
* with the cert_key_and_chain one.
|
||||
*/
|
||||
struct ckch_store {
|
||||
struct cert_key_and_chain *ckch;
|
||||
struct ckch_data *data;
|
||||
struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
|
||||
struct list crtlist_entry; /* list of entries which use this store */
|
||||
struct ebmb_node node;
|
||||
@ -150,7 +152,7 @@ enum {
|
||||
struct cert_exts {
|
||||
const char *ext;
|
||||
int type;
|
||||
int (*load)(const char *path, char *payload, struct cert_key_and_chain *ckch, char **err);
|
||||
int (*load)(const char *path, char *payload, struct ckch_data *data, char **err);
|
||||
/* add a parsing callback */
|
||||
};
|
||||
|
||||
|
||||
@ -27,14 +27,14 @@
|
||||
|
||||
/* cert_key_and_chain functions */
|
||||
|
||||
int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err);
|
||||
int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
|
||||
void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch);
|
||||
int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err);
|
||||
int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *datackch , char **err);
|
||||
void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data);
|
||||
|
||||
int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
|
||||
int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err);
|
||||
int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err);
|
||||
int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err);
|
||||
int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err);
|
||||
int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err);
|
||||
int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err);
|
||||
int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err);
|
||||
|
||||
/* ckch_store functions */
|
||||
struct ckch_store *ckchs_load_cert_file(char *path, char **err);
|
||||
|
||||
@ -11609,7 +11609,7 @@ __LJMP static int hlua_ckch_set(lua_State *L)
|
||||
char *err = NULL;
|
||||
struct cert_exts *cert_ext = NULL;
|
||||
char *filename;
|
||||
struct cert_key_and_chain *ckch;
|
||||
struct ckch_data *data;
|
||||
int ret;
|
||||
|
||||
if (lua_type(L, -1) != LUA_TTABLE)
|
||||
@ -11646,7 +11646,7 @@ __LJMP static int hlua_ckch_set(lua_State *L)
|
||||
goto end;
|
||||
}
|
||||
|
||||
ckch = new_ckchs->ckch;
|
||||
data = new_ckchs->data;
|
||||
|
||||
/* loop on the field in the table, which have the same name as the
|
||||
* possible extensions of files */
|
||||
@ -11676,7 +11676,7 @@ __LJMP static int hlua_ckch_set(lua_State *L)
|
||||
}
|
||||
|
||||
/* appply the change on the duplicate */
|
||||
if (cert_ext->load(filename, payload, ckch, &err) != 0) {
|
||||
if (cert_ext->load(filename, payload, data, &err) != 0) {
|
||||
memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext);
|
||||
errcode |= ERR_ALERT | ERR_FATAL;
|
||||
goto end;
|
||||
|
||||
180
src/ssl_ckch.c
180
src/ssl_ckch.c
@ -165,7 +165,7 @@ out:
|
||||
/* Try to load a sctl from a buffer <buf> if not NULL, or read the file <sctl_path>
|
||||
* It fills the ckch->sctl buffer
|
||||
* return 0 on success or != 0 on failure */
|
||||
int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err)
|
||||
int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err)
|
||||
{
|
||||
int fd = -1;
|
||||
int r = 0;
|
||||
@ -208,11 +208,11 @@ int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_k
|
||||
goto end;
|
||||
}
|
||||
/* no error, fill ckch with new context, old context must be free */
|
||||
if (ckch->sctl) {
|
||||
ha_free(&ckch->sctl->area);
|
||||
free(ckch->sctl);
|
||||
if (data->sctl) {
|
||||
ha_free(&data->sctl->area);
|
||||
free(data->sctl);
|
||||
}
|
||||
ckch->sctl = sctl;
|
||||
data->sctl = sctl;
|
||||
ret = 0;
|
||||
end:
|
||||
if (fd != -1)
|
||||
@ -228,7 +228,7 @@ end:
|
||||
*
|
||||
* Returns 0 on success, 1 in error case.
|
||||
*/
|
||||
int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err)
|
||||
int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err)
|
||||
{
|
||||
int fd = -1;
|
||||
int r = 0;
|
||||
@ -287,12 +287,12 @@ int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, stru
|
||||
ha_free(&ocsp_response);
|
||||
goto end;
|
||||
}
|
||||
/* no error, fill ckch with new context, old context must be free */
|
||||
if (ckch->ocsp_response) {
|
||||
ha_free(&ckch->ocsp_response->area);
|
||||
free(ckch->ocsp_response);
|
||||
/* no error, fill data with new context, old context must be free */
|
||||
if (data->ocsp_response) {
|
||||
ha_free(&data->ocsp_response->area);
|
||||
free(data->ocsp_response);
|
||||
}
|
||||
ckch->ocsp_response = ocsp_response;
|
||||
data->ocsp_response = ocsp_response;
|
||||
ret = 0;
|
||||
end:
|
||||
if (fd != -1)
|
||||
@ -317,14 +317,14 @@ end:
|
||||
* 0 on Success
|
||||
* 1 on SSL Failure
|
||||
*/
|
||||
int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err)
|
||||
int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err)
|
||||
{
|
||||
struct buffer *fp = NULL;
|
||||
int ret = 1;
|
||||
struct stat st;
|
||||
|
||||
/* try to load the PEM */
|
||||
if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
|
||||
if (ssl_sock_load_pem_into_ckch(path, NULL, data , err) != 0) {
|
||||
goto end;
|
||||
}
|
||||
|
||||
@ -356,7 +356,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
||||
|
||||
}
|
||||
|
||||
if (ckch->key == NULL) {
|
||||
if (data->key == NULL) {
|
||||
/* If no private key was found yet and we cannot look for it in extra
|
||||
* files, raise an error.
|
||||
*/
|
||||
@ -374,14 +374,14 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
||||
}
|
||||
|
||||
if (stat(fp->area, &st) == 0) {
|
||||
if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
|
||||
if (ssl_sock_load_key_into_ckch(fp->area, NULL, data, err)) {
|
||||
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
|
||||
err && *err ? *err : "", fp->area);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (ckch->key == NULL) {
|
||||
if (data->key == NULL) {
|
||||
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
|
||||
goto end;
|
||||
}
|
||||
@ -391,7 +391,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
||||
}
|
||||
|
||||
|
||||
if (!X509_check_private_key(ckch->cert, ckch->key)) {
|
||||
if (!X509_check_private_key(data->cert, data->key)) {
|
||||
memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
goto end;
|
||||
@ -410,7 +410,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
||||
}
|
||||
|
||||
if (stat(fp->area, &st) == 0) {
|
||||
if (ssl_sock_load_sctl_from_file(fp->area, NULL, ckch, err)) {
|
||||
if (ssl_sock_load_sctl_from_file(fp->area, NULL, data, err)) {
|
||||
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
|
||||
err && *err ? *err : "", fp->area);
|
||||
ret = 1;
|
||||
@ -435,7 +435,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
||||
}
|
||||
|
||||
if (stat(fp->area, &st) == 0) {
|
||||
if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, ckch, err)) {
|
||||
if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, data, err)) {
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
@ -446,9 +446,9 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
|
||||
if (ckch->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
|
||||
if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
|
||||
/* if no issuer was found, try to load an issuer from the .issuer */
|
||||
if (!ckch->ocsp_issuer) {
|
||||
if (!data->ocsp_issuer) {
|
||||
struct stat st;
|
||||
|
||||
if (!chunk_strcat(fp, ".issuer") || b_data(fp) > MAXPATHLEN) {
|
||||
@ -459,12 +459,12 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
|
||||
}
|
||||
|
||||
if (stat(fp->area, &st) == 0) {
|
||||
if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, ckch, err)) {
|
||||
if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, data, err)) {
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) {
|
||||
if (X509_check_issued(data->ocsp_issuer, data->cert) != X509_V_OK) {
|
||||
memprintf(err, "%s '%s' is not an issuer'.\n",
|
||||
err && *err ? *err : "", fp->area);
|
||||
ret = 1;
|
||||
@ -486,7 +486,7 @@ end:
|
||||
|
||||
/* Something went wrong in one of the reads */
|
||||
if (ret != 0)
|
||||
ssl_sock_free_cert_key_and_chain_contents(ckch);
|
||||
ssl_sock_free_cert_key_and_chain_contents(data);
|
||||
|
||||
free_trash_chunk(fp);
|
||||
|
||||
@ -500,7 +500,7 @@ end:
|
||||
*
|
||||
* Return 0 on success or != 0 on failure
|
||||
*/
|
||||
int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
|
||||
int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err)
|
||||
{
|
||||
BIO *in = NULL;
|
||||
int ret = 1;
|
||||
@ -534,7 +534,7 @@ int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and
|
||||
|
||||
ret = 0;
|
||||
|
||||
SWAP(ckch->key, key);
|
||||
SWAP(data->key, key);
|
||||
|
||||
end:
|
||||
|
||||
@ -556,7 +556,7 @@ end:
|
||||
*
|
||||
* Return 0 on success or != 0 on failure
|
||||
*/
|
||||
int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
|
||||
int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err)
|
||||
{
|
||||
BIO *in = NULL;
|
||||
int ret = 1;
|
||||
@ -639,27 +639,27 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* once it loaded the PEM, it should remove everything else in the ckch */
|
||||
if (ckch->ocsp_response) {
|
||||
ha_free(&ckch->ocsp_response->area);
|
||||
ha_free(&ckch->ocsp_response);
|
||||
/* once it loaded the PEM, it should remove everything else in the data */
|
||||
if (data->ocsp_response) {
|
||||
ha_free(&data->ocsp_response->area);
|
||||
ha_free(&data->ocsp_response);
|
||||
}
|
||||
|
||||
if (ckch->sctl) {
|
||||
ha_free(&ckch->sctl->area);
|
||||
ha_free(&ckch->sctl);
|
||||
if (data->sctl) {
|
||||
ha_free(&data->sctl->area);
|
||||
ha_free(&data->sctl);
|
||||
}
|
||||
|
||||
if (ckch->ocsp_issuer) {
|
||||
X509_free(ckch->ocsp_issuer);
|
||||
ckch->ocsp_issuer = NULL;
|
||||
if (data->ocsp_issuer) {
|
||||
X509_free(data->ocsp_issuer);
|
||||
data->ocsp_issuer = NULL;
|
||||
}
|
||||
|
||||
/* no error, fill ckch with new context, old context will be free at end: */
|
||||
SWAP(ckch->key, key);
|
||||
SWAP(ckch->dh, dh);
|
||||
SWAP(ckch->cert, cert);
|
||||
SWAP(ckch->chain, chain);
|
||||
/* no error, fill data with new context, old context will be free at end: */
|
||||
SWAP(data->key, key);
|
||||
SWAP(data->dh, dh);
|
||||
SWAP(data->cert, cert);
|
||||
SWAP(data->chain, chain);
|
||||
|
||||
ret = 0;
|
||||
|
||||
@ -682,43 +682,43 @@ end:
|
||||
|
||||
/* Frees the contents of a cert_key_and_chain
|
||||
*/
|
||||
void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
|
||||
void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
|
||||
{
|
||||
if (!ckch)
|
||||
if (!data)
|
||||
return;
|
||||
|
||||
/* Free the certificate and set pointer to NULL */
|
||||
if (ckch->cert)
|
||||
X509_free(ckch->cert);
|
||||
ckch->cert = NULL;
|
||||
if (data->cert)
|
||||
X509_free(data->cert);
|
||||
data->cert = NULL;
|
||||
|
||||
/* Free the key and set pointer to NULL */
|
||||
if (ckch->key)
|
||||
EVP_PKEY_free(ckch->key);
|
||||
ckch->key = NULL;
|
||||
if (data->key)
|
||||
EVP_PKEY_free(data->key);
|
||||
data->key = NULL;
|
||||
|
||||
/* Free each certificate in the chain */
|
||||
if (ckch->chain)
|
||||
sk_X509_pop_free(ckch->chain, X509_free);
|
||||
ckch->chain = NULL;
|
||||
if (data->chain)
|
||||
sk_X509_pop_free(data->chain, X509_free);
|
||||
data->chain = NULL;
|
||||
|
||||
if (ckch->dh)
|
||||
HASSL_DH_free(ckch->dh);
|
||||
ckch->dh = NULL;
|
||||
if (data->dh)
|
||||
HASSL_DH_free(data->dh);
|
||||
data->dh = NULL;
|
||||
|
||||
if (ckch->sctl) {
|
||||
ha_free(&ckch->sctl->area);
|
||||
ha_free(&ckch->sctl);
|
||||
if (data->sctl) {
|
||||
ha_free(&data->sctl->area);
|
||||
ha_free(&data->sctl);
|
||||
}
|
||||
|
||||
if (ckch->ocsp_response) {
|
||||
ha_free(&ckch->ocsp_response->area);
|
||||
ha_free(&ckch->ocsp_response);
|
||||
if (data->ocsp_response) {
|
||||
ha_free(&data->ocsp_response->area);
|
||||
ha_free(&data->ocsp_response);
|
||||
}
|
||||
|
||||
if (ckch->ocsp_issuer)
|
||||
X509_free(ckch->ocsp_issuer);
|
||||
ckch->ocsp_issuer = NULL;
|
||||
if (data->ocsp_issuer)
|
||||
X509_free(data->ocsp_issuer);
|
||||
data->ocsp_issuer = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -730,8 +730,8 @@ void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
|
||||
*
|
||||
* Return a the dst or NULL
|
||||
*/
|
||||
struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_chain *src,
|
||||
struct cert_key_and_chain *dst)
|
||||
struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
|
||||
struct ckch_data *dst)
|
||||
{
|
||||
if (!src || !dst)
|
||||
return NULL;
|
||||
@ -801,7 +801,7 @@ error:
|
||||
/*
|
||||
* return 0 on success or != 0 on failure
|
||||
*/
|
||||
int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err)
|
||||
int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err)
|
||||
{
|
||||
int ret = 1;
|
||||
BIO *in = NULL;
|
||||
@ -831,10 +831,10 @@ int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert
|
||||
err && *err ? *err : "", path);
|
||||
goto end;
|
||||
}
|
||||
/* no error, fill ckch with new context, old context must be free */
|
||||
if (ckch->ocsp_issuer)
|
||||
X509_free(ckch->ocsp_issuer);
|
||||
ckch->ocsp_issuer = issuer;
|
||||
/* no error, fill data with new context, old context must be free */
|
||||
if (data->ocsp_issuer)
|
||||
X509_free(data->ocsp_issuer);
|
||||
data->ocsp_issuer = issuer;
|
||||
ret = 0;
|
||||
|
||||
end:
|
||||
@ -861,9 +861,9 @@ void ckch_store_free(struct ckch_store *store)
|
||||
if (!store)
|
||||
return;
|
||||
|
||||
ssl_sock_free_cert_key_and_chain_contents(store->ckch);
|
||||
ssl_sock_free_cert_key_and_chain_contents(store->data);
|
||||
|
||||
ha_free(&store->ckch);
|
||||
ha_free(&store->data);
|
||||
|
||||
list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) {
|
||||
ckch_inst_free(inst);
|
||||
@ -894,8 +894,8 @@ struct ckch_store *ckch_store_new(const char *filename)
|
||||
LIST_INIT(&store->ckch_inst);
|
||||
LIST_INIT(&store->crtlist_entry);
|
||||
|
||||
store->ckch = calloc(1, sizeof(*store->ckch));
|
||||
if (!store->ckch)
|
||||
store->data = calloc(1, sizeof(*store->data));
|
||||
if (!store->data)
|
||||
goto error;
|
||||
|
||||
return store;
|
||||
@ -917,7 +917,7 @@ struct ckch_store *ckchs_dup(const struct ckch_store *src)
|
||||
if (!dst)
|
||||
return NULL;
|
||||
|
||||
if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
|
||||
if (!ssl_sock_copy_cert_key_and_chain(src->data, dst->data))
|
||||
goto error;
|
||||
|
||||
return dst;
|
||||
@ -955,7 +955,7 @@ struct ckch_store *ckchs_load_cert_file(char *path, char **err)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
|
||||
if (ssl_sock_load_files_into_ckch(path, ckchs->data, err) == 1)
|
||||
goto end;
|
||||
|
||||
/* insert into the ckchs tree */
|
||||
@ -1773,13 +1773,13 @@ static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char
|
||||
|
||||
*key_length = 0;
|
||||
|
||||
if (!ckch_store->ckch->ocsp_response)
|
||||
if (!ckch_store->data->ocsp_response)
|
||||
return 0;
|
||||
|
||||
p = (unsigned char *) ckch_store->ckch->ocsp_response->area;
|
||||
p = (unsigned char *) ckch_store->data->ocsp_response->area;
|
||||
|
||||
resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
|
||||
ckch_store->ckch->ocsp_response->data);
|
||||
ckch_store->data->ocsp_response->data);
|
||||
if (!resp) {
|
||||
goto end;
|
||||
}
|
||||
@ -1849,14 +1849,14 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx)
|
||||
chunk_appendf(out, "%s\n", ckchs->path);
|
||||
|
||||
chunk_appendf(out, "Status: ");
|
||||
if (ckchs->ckch->cert == NULL)
|
||||
if (ckchs->data->cert == NULL)
|
||||
chunk_appendf(out, "Empty\n");
|
||||
else if (LIST_ISEMPTY(&ckchs->ckch_inst))
|
||||
chunk_appendf(out, "Unused\n");
|
||||
else
|
||||
chunk_appendf(out, "Used\n");
|
||||
|
||||
retval = show_cert_detail(ckchs->ckch->cert, ckchs->ckch->chain, out);
|
||||
retval = show_cert_detail(ckchs->data->cert, ckchs->data->chain, out);
|
||||
if (retval < 0)
|
||||
goto end_no_putchk;
|
||||
else if (retval)
|
||||
@ -1895,8 +1895,8 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
|
||||
* need to dump the ckch's ocsp_response buffer directly.
|
||||
* Otherwise, we must rebuild the certificate's certid in order to
|
||||
* look for the current OCSP response in the tree. */
|
||||
if (from_transaction && ckchs->ckch->ocsp_response) {
|
||||
if (ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out))
|
||||
if (from_transaction && ckchs->data->ocsp_response) {
|
||||
if (ssl_ocsp_response_print(ckchs->data->ocsp_response, out))
|
||||
goto end_no_putchk;
|
||||
}
|
||||
else {
|
||||
@ -2292,12 +2292,12 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc
|
||||
}
|
||||
|
||||
/* if a certificate is here, a private key must be here too */
|
||||
if (ckchs_transaction.new_ckchs->ckch->cert && !ckchs_transaction.new_ckchs->ckch->key) {
|
||||
if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) {
|
||||
memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (!X509_check_private_key(ckchs_transaction.new_ckchs->ckch->cert, ckchs_transaction.new_ckchs->ckch->key)) {
|
||||
if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
|
||||
memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
|
||||
goto error;
|
||||
}
|
||||
@ -2335,7 +2335,7 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
|
||||
int errcode = 0;
|
||||
char *end;
|
||||
struct cert_exts *cert_ext = &cert_exts[0]; /* default one, PEM */
|
||||
struct cert_key_and_chain *ckch;
|
||||
struct ckch_data *data;
|
||||
struct buffer *buf;
|
||||
|
||||
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
|
||||
@ -2434,10 +2434,10 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
|
||||
goto end;
|
||||
}
|
||||
|
||||
ckch = new_ckchs->ckch;
|
||||
data = new_ckchs->data;
|
||||
|
||||
/* appply the change on the duplicate */
|
||||
if (cert_ext->load(buf->area, payload, ckch, &err) != 0) {
|
||||
if (cert_ext->load(buf->area, payload, data, &err) != 0) {
|
||||
memprintf(&err, "%sCan't load the payload\n", err ? err : "");
|
||||
errcode |= ERR_ALERT | ERR_FATAL;
|
||||
goto end;
|
||||
|
||||
@ -1288,7 +1288,7 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
|
||||
memprintf(&err, "certificate '%s' does not exist!", cert_path);
|
||||
goto error;
|
||||
}
|
||||
if (store->ckch == NULL || store->ckch->cert == NULL) {
|
||||
if (store->data == NULL || store->data->cert == NULL) {
|
||||
memprintf(&err, "certificate '%s' is empty!", cert_path);
|
||||
goto error;
|
||||
}
|
||||
@ -1383,7 +1383,7 @@ static int cli_parse_del_crtlist(char **args, char *payload, struct appctx *appc
|
||||
memprintf(&err, "certificate '%s' does not exist!", cert_path);
|
||||
goto error;
|
||||
}
|
||||
if (store->ckch == NULL || store->ckch->cert == NULL) {
|
||||
if (store->data == NULL || store->data->cert == NULL) {
|
||||
memprintf(&err, "certificate '%s' is empty!", cert_path);
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -1472,7 +1472,7 @@ static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
|
||||
* Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
|
||||
* successfully enabled, or -1 in other error case.
|
||||
*/
|
||||
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
|
||||
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
|
||||
{
|
||||
X509 *x, *issuer;
|
||||
OCSP_CERTID *cid = NULL;
|
||||
@ -1487,11 +1487,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
|
||||
#endif
|
||||
|
||||
|
||||
x = ckch->cert;
|
||||
x = data->cert;
|
||||
if (!x)
|
||||
goto out;
|
||||
|
||||
issuer = ckch->ocsp_issuer;
|
||||
issuer = data->ocsp_issuer;
|
||||
/* take issuer from chain over ocsp_issuer, is what is done historicaly */
|
||||
if (chain) {
|
||||
/* check if one of the certificate of the chain is the issuer */
|
||||
@ -1588,7 +1588,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
|
||||
ret = 0;
|
||||
|
||||
warn = NULL;
|
||||
if (ssl_sock_load_ocsp_response(ckch->ocsp_response, iocsp, cid, &warn)) {
|
||||
if (ssl_sock_load_ocsp_response(data->ocsp_response, iocsp, cid, &warn)) {
|
||||
memprintf(&warn, "Loading: %s. Content will be ignored", warn ? warn : "failure");
|
||||
ha_warning("%s.\n", warn);
|
||||
}
|
||||
@ -1608,7 +1608,7 @@ out:
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
|
||||
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
|
||||
{
|
||||
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
|
||||
}
|
||||
@ -3555,14 +3555,14 @@ struct eb_root crtlists_tree = EB_ROOT_UNIQUE;
|
||||
* the operation succeed.
|
||||
*/
|
||||
#ifndef OPENSSL_NO_DH
|
||||
static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain *ckch,
|
||||
static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct ckch_data *data,
|
||||
const char *path, char **err)
|
||||
{
|
||||
int ret = 0;
|
||||
HASSL_DH *dh = NULL;
|
||||
|
||||
if (ckch && ckch->dh) {
|
||||
dh = ckch->dh;
|
||||
if (data && data->dh) {
|
||||
dh = data->dh;
|
||||
if (!ssl_sock_set_tmp_dh(ctx, dh)) {
|
||||
memprintf(err, "%sunable to load the DH parameter specified in '%s'",
|
||||
err && *err ? *err : "", path);
|
||||
@ -3621,7 +3621,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
|
||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
|
||||
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
|
||||
#else
|
||||
ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
|
||||
ssl_sock_set_tmp_dh_from_pkey(ctx, data ? data->key : NULL);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
@ -3642,7 +3642,7 @@ end:
|
||||
* The value 0 means there is no error nor warning and
|
||||
* the operation succeed.
|
||||
*/
|
||||
static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_chain *ckch,
|
||||
static int ssl_sock_load_cert_chain(const char *path, const struct ckch_data *data,
|
||||
SSL_CTX *ctx, STACK_OF(X509) **find_chain, char **err)
|
||||
{
|
||||
int errcode = 0;
|
||||
@ -3655,7 +3655,7 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
|
||||
if (!SSL_CTX_use_certificate(ctx, data->cert)) {
|
||||
ret = ERR_get_error();
|
||||
memprintf(err, "%sunable to load SSL certificate into SSL Context '%s': %s.\n",
|
||||
err && *err ? *err : "", path, ERR_reason_error_string(ret));
|
||||
@ -3663,12 +3663,12 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (ckch->chain) {
|
||||
*find_chain = ckch->chain;
|
||||
if (data->chain) {
|
||||
*find_chain = data->chain;
|
||||
} else {
|
||||
/* Find Certificate Chain in global */
|
||||
struct issuer_chain *issuer;
|
||||
issuer = ssl_get0_issuer_chain(ckch->cert);
|
||||
issuer = ssl_get0_issuer_chain(data->cert);
|
||||
if (issuer)
|
||||
*find_chain = issuer->chain;
|
||||
}
|
||||
@ -3679,7 +3679,7 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
|
||||
*find_chain = sk_X509_new_null();
|
||||
}
|
||||
|
||||
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
|
||||
/* Load all certs in the data into the ctx_chain for the ssl_ctx */
|
||||
#ifdef SSL_CTX_set1_chain
|
||||
if (!SSL_CTX_set1_chain(ctx, *find_chain)) {
|
||||
ret = ERR_get_error();
|
||||
@ -3730,14 +3730,14 @@ end:
|
||||
* The value 0 means there is no error nor warning and
|
||||
* the operation succeed.
|
||||
*/
|
||||
static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
|
||||
static int ssl_sock_put_ckch_into_ctx(const char *path, const struct ckch_data *data, SSL_CTX *ctx, char **err)
|
||||
{
|
||||
int errcode = 0;
|
||||
STACK_OF(X509) *find_chain = NULL;
|
||||
|
||||
ERR_clear_error();
|
||||
|
||||
if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
|
||||
if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) {
|
||||
int ret;
|
||||
|
||||
ret = ERR_get_error();
|
||||
@ -3748,7 +3748,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
|
||||
}
|
||||
|
||||
/* Load certificate chain */
|
||||
errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err);
|
||||
errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err);
|
||||
if (errcode & ERR_CODE)
|
||||
goto end;
|
||||
|
||||
@ -3759,7 +3759,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
|
||||
SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
|
||||
}
|
||||
|
||||
errcode |= ssl_sock_load_dh_params(ctx, ckch, path, err);
|
||||
errcode |= ssl_sock_load_dh_params(ctx, data, path, err);
|
||||
if (errcode & ERR_CODE) {
|
||||
memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
@ -3768,8 +3768,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
|
||||
if (sctl_ex_index >= 0 && ckch->sctl) {
|
||||
if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
|
||||
if (sctl_ex_index >= 0 && data->sctl) {
|
||||
if (ssl_sock_load_sctl(ctx, data->sctl) < 0) {
|
||||
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
errcode |= ERR_ALERT | ERR_FATAL;
|
||||
@ -3780,8 +3780,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
|
||||
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
|
||||
/* Load OCSP Info into context */
|
||||
if (ckch->ocsp_response) {
|
||||
if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {
|
||||
if (data->ocsp_response) {
|
||||
if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) {
|
||||
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
errcode |= ERR_ALERT | ERR_FATAL;
|
||||
@ -3803,21 +3803,21 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
|
||||
* The value 0 means there is no error nor warning and
|
||||
* the operation succeed.
|
||||
*/
|
||||
static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch,
|
||||
static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct ckch_data *data,
|
||||
SSL_CTX *ctx, char **err)
|
||||
{
|
||||
int errcode = 0;
|
||||
STACK_OF(X509) *find_chain = NULL;
|
||||
|
||||
/* Load the private key */
|
||||
if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
|
||||
if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) {
|
||||
memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
errcode |= ERR_ALERT | ERR_FATAL;
|
||||
}
|
||||
|
||||
/* Load certificate chain */
|
||||
errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err);
|
||||
errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err);
|
||||
if (errcode & ERR_CODE)
|
||||
goto end;
|
||||
|
||||
@ -3853,16 +3853,16 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
STACK_OF(GENERAL_NAME) *names;
|
||||
#endif
|
||||
struct cert_key_and_chain *ckch;
|
||||
struct ckch_data *data;
|
||||
struct ckch_inst *ckch_inst = NULL;
|
||||
int errcode = 0;
|
||||
|
||||
*ckchi = NULL;
|
||||
|
||||
if (!ckchs || !ckchs->ckch)
|
||||
if (!ckchs || !ckchs->data)
|
||||
return ERR_FATAL;
|
||||
|
||||
ckch = ckchs->ckch;
|
||||
data = ckchs->data;
|
||||
|
||||
ctx = SSL_CTX_new(SSLv23_server_method());
|
||||
if (!ctx) {
|
||||
@ -3872,7 +3872,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
|
||||
goto error;
|
||||
}
|
||||
|
||||
errcode |= ssl_sock_put_ckch_into_ctx(path, ckch, ctx, err);
|
||||
errcode |= ssl_sock_put_ckch_into_ctx(path, data, ctx, err);
|
||||
if (errcode & ERR_CODE)
|
||||
goto error;
|
||||
|
||||
@ -3884,7 +3884,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
|
||||
goto error;
|
||||
}
|
||||
|
||||
pkey = X509_get_pubkey(ckch->cert);
|
||||
pkey = X509_get_pubkey(data->cert);
|
||||
if (pkey) {
|
||||
kinfo.bits = EVP_PKEY_bits(pkey);
|
||||
switch(EVP_PKEY_base_id(pkey)) {
|
||||
@ -3913,7 +3913,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
|
||||
}
|
||||
else {
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
names = X509_get_ext_d2i(ckch->cert, NID_subject_alt_name, NULL, NULL);
|
||||
names = X509_get_ext_d2i(data->cert, NID_subject_alt_name, NULL, NULL);
|
||||
if (names) {
|
||||
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
|
||||
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
|
||||
@ -3932,7 +3932,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
|
||||
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
|
||||
}
|
||||
#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
|
||||
xname = X509_get_subject_name(ckch->cert);
|
||||
xname = X509_get_subject_name(data->cert);
|
||||
i = -1;
|
||||
while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
|
||||
X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
|
||||
@ -4014,16 +4014,16 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
|
||||
struct ckch_inst **ckchi, char **err)
|
||||
{
|
||||
SSL_CTX *ctx;
|
||||
struct cert_key_and_chain *ckch;
|
||||
struct ckch_data *data;
|
||||
struct ckch_inst *ckch_inst = NULL;
|
||||
int errcode = 0;
|
||||
|
||||
*ckchi = NULL;
|
||||
|
||||
if (!ckchs || !ckchs->ckch)
|
||||
if (!ckchs || !ckchs->data)
|
||||
return ERR_FATAL;
|
||||
|
||||
ckch = ckchs->ckch;
|
||||
data = ckchs->data;
|
||||
|
||||
ctx = SSL_CTX_new(SSLv23_client_method());
|
||||
if (!ctx) {
|
||||
@ -4033,7 +4033,7 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
|
||||
goto error;
|
||||
}
|
||||
|
||||
errcode |= ssl_sock_put_srv_ckch_into_ctx(path, ckch, ctx, err);
|
||||
errcode |= ssl_sock_put_srv_ckch_into_ctx(path, data, ctx, err);
|
||||
if (errcode & ERR_CODE)
|
||||
goto error;
|
||||
|
||||
@ -5714,7 +5714,7 @@ int
|
||||
ssl_sock_load_ca(struct bind_conf *bind_conf)
|
||||
{
|
||||
struct proxy *px = bind_conf->frontend;
|
||||
struct cert_key_and_chain *ckch = NULL;
|
||||
struct ckch_data *data = NULL;
|
||||
int ret = 0;
|
||||
char *err = NULL;
|
||||
|
||||
@ -5737,15 +5737,15 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
|
||||
}
|
||||
|
||||
/* Allocate cert structure */
|
||||
ckch = calloc(1, sizeof(*ckch));
|
||||
if (!ckch) {
|
||||
data = calloc(1, sizeof(*data));
|
||||
if (!data) {
|
||||
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain allocation failure\n",
|
||||
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
/* Try to parse file */
|
||||
if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, ckch, &err)) {
|
||||
if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, data, &err)) {
|
||||
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain loading failed: %s\n",
|
||||
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line, err);
|
||||
free(err);
|
||||
@ -5753,20 +5753,20 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
|
||||
}
|
||||
|
||||
/* Fail if missing cert or pkey */
|
||||
if ((!ckch->cert) || (!ckch->key)) {
|
||||
if ((!data->cert) || (!data->key)) {
|
||||
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain missing certificate or private key\n",
|
||||
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
/* Final assignment to bind */
|
||||
bind_conf->ca_sign_ckch = ckch;
|
||||
bind_conf->ca_sign_ckch = data;
|
||||
return ret;
|
||||
|
||||
failed:
|
||||
if (ckch) {
|
||||
ssl_sock_free_cert_key_and_chain_contents(ckch);
|
||||
free(ckch);
|
||||
if (data) {
|
||||
ssl_sock_free_cert_key_and_chain_contents(data);
|
||||
free(data);
|
||||
}
|
||||
|
||||
bind_conf->options &= ~BC_O_GENERATE_CERTS;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user