CLEANUP: ssl: Move ssl_store related code to ssl_ckch.c
This patch moves all the ssl_store-related code to ssl_ckch.c since it will mostly be used there once the CA file update CLI commands are all implemented. It also makes the cafile_entry structure and the cafile_tree visible.
This commit is contained in:
parent
1f97306ecc
commit
af8820a9a5
@ -95,5 +95,16 @@ struct ckch_inst {
|
||||
struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
|
||||
};
|
||||
|
||||
|
||||
/*
|
||||
* deduplicate cafile (and crlfile)
|
||||
*/
|
||||
struct cafile_entry {
|
||||
X509_STORE *ca_store;
|
||||
STACK_OF(X509_NAME) *ca_list;
|
||||
struct ebmb_node node;
|
||||
char path[0];
|
||||
};
|
||||
|
||||
#endif /* USE_OPENSSL */
|
||||
#endif /* _HAPROXY_SSL_CKCH_T_H */
|
||||
|
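Review bot: The struct cafile_entry that this hunk makes public has no field documentation, and `char path[0]` is a GNU zero-length array where C99's flexible array member `char path[];` is the portable form (keep `[0]` only if the project deliberately standardizes on it). Since other compilation units can now depend on the layout, a one-line comment per field would help, e.g. `X509_STORE *ca_store;  /* store loaded from <path>; owned by this entry (see get0 accessor) */`, `struct ebmb_node node; /* keyed on <path> in cafile_tree */` and `char path[0];          /* file path; must stay last, the ebmb key is read right after <node> */`. The ca_list member is not touched anywhere in this commit, so I would only document it after confirming what fills it.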
@ -54,5 +54,9 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
|
||||
|
||||
void ckch_deinit();
|
||||
|
||||
/* ssl_store functions */
|
||||
X509_STORE* ssl_store_get0_locations_file(char *path);
|
||||
int ssl_store_load_locations_file(char *path, int create_if_none);
|
||||
|
||||
#endif /* USE_OPENSSL */
|
||||
#endif /* _HAPROXY_SSL_CRTLIST_H */
|
||||
|
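Review bot: The two prototypes added under `/* ssl_store functions */` take `char *path` although neither function writes through it (the ssl_ckch.c hunk only uses it for lookup, strlen, memcpy source and X509_STORE_load_locations), so `const char *path` on both would document that and let callers pass const configuration strings; the definitions in ssl_ckch.c need the same change, and ebst_lookup() should accept a const key (please confirm). Now that the get0 function is exported it also deserves an ownership comment, e.g. `/* Returns the X509_STORE cached for <path>, or NULL if none. The store is owned by its cafile_entry in cafile_tree and must not be freed by the caller. */`. As an aside, the closing guard comment `/* _HAPROXY_SSL_CRTLIST_H */` looks copied from another header, if this file is ssl_ckch.h.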
@ -36,6 +36,7 @@ extern int sslconns;
|
||||
extern int totalsslconns;
|
||||
extern struct eb_root ckchs_tree;
|
||||
extern struct eb_root crtlists_tree;
|
||||
extern struct eb_root cafile_tree;
|
||||
extern int sctl_ex_index;
|
||||
extern struct global_ssl global_ssl;
|
||||
extern struct ssl_bind_kw ssl_bind_kws[];
|
||||
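Review bot: `extern struct eb_root cafile_tree;` is declared in ssl_sock.h while the tree is now defined in ssl_ckch.c and its only accessors are prototyped in the ssl_ckch header (the `/* ssl_store functions */` hunk), which splits one piece of state across two headers. If ssl_sock.c still needs the tree (the remaining `ssl_set_cert_crl_file` code is the likely user, but I cannot see it), the extern belongs next to the accessor prototypes; if it does not, the definition could stay `static` as it was, since the CLI commands the commit message anticipates will live in ssl_ckch.c as well. Keeping the tree private also guarantees every insertion goes through the dedup path in `ssl_store_load_locations_file`.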
@ -120,7 +121,6 @@ int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
|
||||
void ssl_free_global_issuers(void);
|
||||
int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
|
||||
int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
|
||||
int ssl_store_load_locations_file(char *path, int create_if_none);
|
||||
|
||||
/* ssl shctx macro */
|
||||
|
||||
|
@ -38,6 +38,7 @@
|
||||
#include <haproxy/openssl-compat.h>
|
||||
#include <haproxy/ssl_sock.h>
|
||||
#include <haproxy/tools.h>
|
||||
#include <haproxy/ssl_ckch.h>
|
||||
|
||||
|
||||
/****************** Global Section Parsing ********************************************/
|
||||
|
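Review bot: The new `#include <haproxy/ssl_ckch.h>` is appended after `<haproxy/tools.h>`, breaking the alphabetical order the surrounding haproxy includes appear to follow; placing it between `<haproxy/openssl-compat.h>` and `<haproxy/ssl_sock.h>` keeps that order and avoids repeated merge conflicts at the tail of the include list. Purely a style point; nothing in the hunk depends on include order.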
@ -921,6 +921,51 @@ struct ckch_inst *ckch_inst_new()
|
||||
return ckch_inst;
|
||||
}
|
||||
|
||||
|
||||
/******************** ssl_store functions ******************************/
|
||||
struct eb_root cafile_tree = EB_ROOT_UNIQUE;
|
||||
|
||||
X509_STORE* ssl_store_get0_locations_file(char *path)
|
||||
{
|
||||
struct ebmb_node *eb;
|
||||
|
||||
eb = ebst_lookup(&cafile_tree, path);
|
||||
if (eb) {
|
||||
struct cafile_entry *ca_e;
|
||||
ca_e = ebmb_entry(eb, struct cafile_entry, node);
|
||||
return ca_e->ca_store;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int ssl_store_load_locations_file(char *path, int create_if_none)
|
||||
{
|
||||
X509_STORE *store = ssl_store_get0_locations_file(path);
|
||||
|
||||
/* If this function is called by the CLI, we should not call the
|
||||
* X509_STORE_load_locations function because it performs forbidden disk
|
||||
* accesses. */
|
||||
if (!store && create_if_none) {
|
||||
struct cafile_entry *ca_e;
|
||||
store = X509_STORE_new();
|
||||
if (X509_STORE_load_locations(store, path, NULL)) {
|
||||
int pathlen;
|
||||
pathlen = strlen(path);
|
||||
ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
|
||||
if (ca_e) {
|
||||
memcpy(ca_e->path, path, pathlen + 1);
|
||||
ca_e->ca_store = store;
|
||||
ebst_insert(&cafile_tree, &ca_e->node);
|
||||
}
|
||||
} else {
|
||||
X509_STORE_free(store);
|
||||
store = NULL;
|
||||
}
|
||||
}
|
||||
return (store != NULL);
|
||||
}
|
||||
|
||||
|
||||
/*************************** CLI commands ***********************/
|
||||
|
||||
/* Type of SSL payloads that can be updated over the CLI */
|
||||
|
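Review bot: In `ssl_store_load_locations_file`, the `store = X509_STORE_new();` result is handed to `X509_STORE_load_locations()` without a NULL check, and when `calloc()` fails the freshly loaded store is neither inserted into cafile_tree nor freed, yet the function still returns 1 because `store != NULL` — a later call for the same path misses the lookup and loads a second copy, leaking the first. Both cases should fall into the existing failure branch that frees the store and returns 0, and `pathlen` can be a `size_t` to match `strlen()`. The code is moved verbatim from ssl_sock.c, so the defect is pre-existing, but it is the new code under review now. Once the CA file CLI commands this commit prepares for insert into cafile_tree at runtime, the lookup and insert will also need to be serialized (the hunk removing the old code shows a `ckch_lock` in ssl_sock.c, not visible from this file), which the move may want to plan for.
```c
	if (!store && create_if_none) {
		struct cafile_entry *ca_e = NULL;
		size_t pathlen = strlen(path);

		store = X509_STORE_new();
		if (store && X509_STORE_load_locations(store, path, NULL))
			ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
		if (ca_e) {
			memcpy(ca_e->path, path, pathlen + 1);
			ca_e->ca_store = store;
			ebst_insert(&cafile_tree, &ca_e->node);
		} else {
			/* allocation or load failed: nothing references <store> */
			X509_STORE_free(store);
			store = NULL;
		}
	}
	return (store != NULL);
```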
@ -315,57 +315,6 @@ static int ssl_locking_init(void)
|
||||
__decl_thread(HA_SPINLOCK_T ckch_lock);
|
||||
|
||||
|
||||
/*
|
||||
* deduplicate cafile (and crlfile)
|
||||
*/
|
||||
struct cafile_entry {
|
||||
X509_STORE *ca_store;
|
||||
STACK_OF(X509_NAME) *ca_list;
|
||||
struct ebmb_node node;
|
||||
char path[0];
|
||||
};
|
||||
|
||||
static struct eb_root cafile_tree = EB_ROOT_UNIQUE;
|
||||
|
||||
static X509_STORE* ssl_store_get0_locations_file(char *path)
|
||||
{
|
||||
struct ebmb_node *eb;
|
||||
|
||||
eb = ebst_lookup(&cafile_tree, path);
|
||||
if (eb) {
|
||||
struct cafile_entry *ca_e;
|
||||
ca_e = ebmb_entry(eb, struct cafile_entry, node);
|
||||
return ca_e->ca_store;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int ssl_store_load_locations_file(char *path, int create_if_none)
|
||||
{
|
||||
X509_STORE *store = ssl_store_get0_locations_file(path);
|
||||
|
||||
/* If this function is called by the CLI, we should not call the
|
||||
* X509_STORE_load_locations function because it performs forbidden disk
|
||||
* accesses. */
|
||||
if (!store && create_if_none) {
|
||||
struct cafile_entry *ca_e;
|
||||
store = X509_STORE_new();
|
||||
if (X509_STORE_load_locations(store, path, NULL)) {
|
||||
int pathlen;
|
||||
pathlen = strlen(path);
|
||||
ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
|
||||
if (ca_e) {
|
||||
memcpy(ca_e->path, path, pathlen + 1);
|
||||
ca_e->ca_store = store;
|
||||
ebst_insert(&cafile_tree, &ca_e->node);
|
||||
}
|
||||
} else {
|
||||
X509_STORE_free(store);
|
||||
store = NULL;
|
||||
}
|
||||
}
|
||||
return (store != NULL);
|
||||
}
|
||||
|
||||
/* mimic what X509_STORE_load_locations do with store_ctx */
|
||||
static int ssl_set_cert_crl_file(X509_STORE *store_ctx, char *path)
|
||||
|