char *ca_sign_file; /* CAFile used to generate and sign server certificates */
char *ca_sign_pass; /* CAKey passphrase */
- struct cert_key_and_chain * ca_sign_ckch; /* CA and possible certificate chain for ca generation */
+ struct ckch_data *ca_sign_ckch; /* CA and possible certificate chain for ca generation */
#endif
#ifdef USE_QUIC
struct quic_transport_params quic_params; /* QUIC transport parameters. */
* This structure is the base one, in the case of a multi-cert bundle, we
* allocate 1 structure per type.
*/
-struct cert_key_and_chain {
+struct ckch_data {
X509 *cert;
EVP_PKEY *key;
STACK_OF(X509) *chain;
* this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
* metadata.
*
+ * "ckch" for cert, key and chain.
+ *
* XXX: Once we remove the multi-cert bundle support, we could merge this structure
* with the cert_key_and_chain one.
*/
struct ckch_store {
- struct cert_key_and_chain *ckch;
+ struct ckch_data *data;
struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
struct list crtlist_entry; /* list of entries which use this store */
struct ebmb_node node;
struct cert_exts {
const char *ext;
int type;
- int (*load)(const char *path, char *payload, struct cert_key_and_chain *ckch, char **err);
+ int (*load)(const char *path, char *payload, struct ckch_data *data, char **err);
/* add a parsing callback */
};
/* cert_key_and_chain functions */
-int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err);
-int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
-void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch);
+int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err);
+int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *datackch , char **err);
+void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data);
-int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
-int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err);
-int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err);
-int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err);
+int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err);
+int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err);
+int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err);
+int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err);
/* ckch_store functions */
struct ckch_store *ckchs_load_cert_file(char *path, char **err);
char *err = NULL;
struct cert_exts *cert_ext = NULL;
char *filename;
- struct cert_key_and_chain *ckch;
+ struct ckch_data *data;
int ret;
if (lua_type(L, -1) != LUA_TTABLE)
goto end;
}
- ckch = new_ckchs->ckch;
+ data = new_ckchs->data;
/* loop on the field in the table, which have the same name as the
* possible extensions of files */
}
/* appply the change on the duplicate */
- if (cert_ext->load(filename, payload, ckch, &err) != 0) {
+ if (cert_ext->load(filename, payload, data, &err) != 0) {
memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
/* Try to load a sctl from a buffer <buf> if not NULL, or read the file <sctl_path>
* It fills the ckch->sctl buffer
* return 0 on success or != 0 on failure */
-int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err)
{
int fd = -1;
int r = 0;
goto end;
}
/* no error, fill ckch with new context, old context must be free */
- if (ckch->sctl) {
- ha_free(&ckch->sctl->area);
- free(ckch->sctl);
+ if (data->sctl) {
+ ha_free(&data->sctl->area);
+ free(data->sctl);
}
- ckch->sctl = sctl;
+ data->sctl = sctl;
ret = 0;
end:
if (fd != -1)
*
* Returns 0 on success, 1 in error case.
*/
-int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err)
{
int fd = -1;
int r = 0;
ha_free(&ocsp_response);
goto end;
}
- /* no error, fill ckch with new context, old context must be free */
- if (ckch->ocsp_response) {
- ha_free(&ckch->ocsp_response->area);
- free(ckch->ocsp_response);
+ /* no error, fill data with new context, old context must be free */
+ if (data->ocsp_response) {
+ ha_free(&data->ocsp_response->area);
+ free(data->ocsp_response);
}
- ckch->ocsp_response = ocsp_response;
+ data->ocsp_response = ocsp_response;
ret = 0;
end:
if (fd != -1)
* 0 on Success
* 1 on SSL Failure
*/
-int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err)
{
struct buffer *fp = NULL;
int ret = 1;
struct stat st;
/* try to load the PEM */
- if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
+ if (ssl_sock_load_pem_into_ckch(path, NULL, data , err) != 0) {
goto end;
}
}
- if (ckch->key == NULL) {
+ if (data->key == NULL) {
/* If no private key was found yet and we cannot look for it in extra
* files, raise an error.
*/
}
if (stat(fp->area, &st) == 0) {
- if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
+ if (ssl_sock_load_key_into_ckch(fp->area, NULL, data, err)) {
memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
err && *err ? *err : "", fp->area);
goto end;
}
}
- if (ckch->key == NULL) {
+ if (data->key == NULL) {
memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
goto end;
}
}
- if (!X509_check_private_key(ckch->cert, ckch->key)) {
+ if (!X509_check_private_key(data->cert, data->key)) {
memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
err && *err ? *err : "", path);
goto end;
}
if (stat(fp->area, &st) == 0) {
- if (ssl_sock_load_sctl_from_file(fp->area, NULL, ckch, err)) {
+ if (ssl_sock_load_sctl_from_file(fp->area, NULL, data, err)) {
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
err && *err ? *err : "", fp->area);
ret = 1;
}
if (stat(fp->area, &st) == 0) {
- if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, ckch, err)) {
+ if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, data, err)) {
ret = 1;
goto end;
}
}
#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
- if (ckch->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
+ if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
/* if no issuer was found, try to load an issuer from the .issuer */
- if (!ckch->ocsp_issuer) {
+ if (!data->ocsp_issuer) {
struct stat st;
if (!chunk_strcat(fp, ".issuer") || b_data(fp) > MAXPATHLEN) {
}
if (stat(fp->area, &st) == 0) {
- if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, ckch, err)) {
+ if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, data, err)) {
ret = 1;
goto end;
}
- if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) {
+ if (X509_check_issued(data->ocsp_issuer, data->cert) != X509_V_OK) {
memprintf(err, "%s '%s' is not an issuer'.\n",
err && *err ? *err : "", fp->area);
ret = 1;
/* Something went wrong in one of the reads */
if (ret != 0)
- ssl_sock_free_cert_key_and_chain_contents(ckch);
+ ssl_sock_free_cert_key_and_chain_contents(data);
free_trash_chunk(fp);
*
* Return 0 on success or != 0 on failure
*/
-int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
+int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err)
{
BIO *in = NULL;
int ret = 1;
ret = 0;
- SWAP(ckch->key, key);
+ SWAP(data->key, key);
end:
*
* Return 0 on success or != 0 on failure
*/
-int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
+int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err)
{
BIO *in = NULL;
int ret = 1;
goto end;
}
- /* once it loaded the PEM, it should remove everything else in the ckch */
- if (ckch->ocsp_response) {
- ha_free(&ckch->ocsp_response->area);
- ha_free(&ckch->ocsp_response);
+ /* once it loaded the PEM, it should remove everything else in the data */
+ if (data->ocsp_response) {
+ ha_free(&data->ocsp_response->area);
+ ha_free(&data->ocsp_response);
}
- if (ckch->sctl) {
- ha_free(&ckch->sctl->area);
- ha_free(&ckch->sctl);
+ if (data->sctl) {
+ ha_free(&data->sctl->area);
+ ha_free(&data->sctl);
}
- if (ckch->ocsp_issuer) {
- X509_free(ckch->ocsp_issuer);
- ckch->ocsp_issuer = NULL;
+ if (data->ocsp_issuer) {
+ X509_free(data->ocsp_issuer);
+ data->ocsp_issuer = NULL;
}
- /* no error, fill ckch with new context, old context will be free at end: */
- SWAP(ckch->key, key);
- SWAP(ckch->dh, dh);
- SWAP(ckch->cert, cert);
- SWAP(ckch->chain, chain);
+ /* no error, fill data with new context, old context will be free at end: */
+ SWAP(data->key, key);
+ SWAP(data->dh, dh);
+ SWAP(data->cert, cert);
+ SWAP(data->chain, chain);
ret = 0;
/* Frees the contents of a cert_key_and_chain
*/
-void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
+void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
{
- if (!ckch)
+ if (!data)
return;
/* Free the certificate and set pointer to NULL */
- if (ckch->cert)
- X509_free(ckch->cert);
- ckch->cert = NULL;
+ if (data->cert)
+ X509_free(data->cert);
+ data->cert = NULL;
/* Free the key and set pointer to NULL */
- if (ckch->key)
- EVP_PKEY_free(ckch->key);
- ckch->key = NULL;
+ if (data->key)
+ EVP_PKEY_free(data->key);
+ data->key = NULL;
/* Free each certificate in the chain */
- if (ckch->chain)
- sk_X509_pop_free(ckch->chain, X509_free);
- ckch->chain = NULL;
+ if (data->chain)
+ sk_X509_pop_free(data->chain, X509_free);
+ data->chain = NULL;
- if (ckch->dh)
- HASSL_DH_free(ckch->dh);
- ckch->dh = NULL;
+ if (data->dh)
+ HASSL_DH_free(data->dh);
+ data->dh = NULL;
- if (ckch->sctl) {
- ha_free(&ckch->sctl->area);
- ha_free(&ckch->sctl);
+ if (data->sctl) {
+ ha_free(&data->sctl->area);
+ ha_free(&data->sctl);
}
- if (ckch->ocsp_response) {
- ha_free(&ckch->ocsp_response->area);
- ha_free(&ckch->ocsp_response);
+ if (data->ocsp_response) {
+ ha_free(&data->ocsp_response->area);
+ ha_free(&data->ocsp_response);
}
- if (ckch->ocsp_issuer)
- X509_free(ckch->ocsp_issuer);
- ckch->ocsp_issuer = NULL;
+ if (data->ocsp_issuer)
+ X509_free(data->ocsp_issuer);
+ data->ocsp_issuer = NULL;
}
/*
*
* Return a the dst or NULL
*/
-struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_chain *src,
- struct cert_key_and_chain *dst)
+struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
+ struct ckch_data *dst)
{
if (!src || !dst)
return NULL;
/*
* return 0 on success or != 0 on failure
*/
-int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err)
+int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err)
{
int ret = 1;
BIO *in = NULL;
err && *err ? *err : "", path);
goto end;
}
- /* no error, fill ckch with new context, old context must be free */
- if (ckch->ocsp_issuer)
- X509_free(ckch->ocsp_issuer);
- ckch->ocsp_issuer = issuer;
+ /* no error, fill data with new context, old context must be free */
+ if (data->ocsp_issuer)
+ X509_free(data->ocsp_issuer);
+ data->ocsp_issuer = issuer;
ret = 0;
end:
if (!store)
return;
- ssl_sock_free_cert_key_and_chain_contents(store->ckch);
+ ssl_sock_free_cert_key_and_chain_contents(store->data);
- ha_free(&store->ckch);
+ ha_free(&store->data);
list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) {
ckch_inst_free(inst);
LIST_INIT(&store->ckch_inst);
LIST_INIT(&store->crtlist_entry);
- store->ckch = calloc(1, sizeof(*store->ckch));
- if (!store->ckch)
+ store->data = calloc(1, sizeof(*store->data));
+ if (!store->data)
goto error;
return store;
if (!dst)
return NULL;
- if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
+ if (!ssl_sock_copy_cert_key_and_chain(src->data, dst->data))
goto error;
return dst;
goto end;
}
- if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
+ if (ssl_sock_load_files_into_ckch(path, ckchs->data, err) == 1)
goto end;
/* insert into the ckchs tree */
*key_length = 0;
- if (!ckch_store->ckch->ocsp_response)
+ if (!ckch_store->data->ocsp_response)
return 0;
- p = (unsigned char *) ckch_store->ckch->ocsp_response->area;
+ p = (unsigned char *) ckch_store->data->ocsp_response->area;
resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
- ckch_store->ckch->ocsp_response->data);
+ ckch_store->data->ocsp_response->data);
if (!resp) {
goto end;
}
chunk_appendf(out, "%s\n", ckchs->path);
chunk_appendf(out, "Status: ");
- if (ckchs->ckch->cert == NULL)
+ if (ckchs->data->cert == NULL)
chunk_appendf(out, "Empty\n");
else if (LIST_ISEMPTY(&ckchs->ckch_inst))
chunk_appendf(out, "Unused\n");
else
chunk_appendf(out, "Used\n");
- retval = show_cert_detail(ckchs->ckch->cert, ckchs->ckch->chain, out);
+ retval = show_cert_detail(ckchs->data->cert, ckchs->data->chain, out);
if (retval < 0)
goto end_no_putchk;
else if (retval)
* need to dump the ckch's ocsp_response buffer directly.
* Otherwise, we must rebuild the certificate's certid in order to
* look for the current OCSP response in the tree. */
- if (from_transaction && ckchs->ckch->ocsp_response) {
- if (ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out))
+ if (from_transaction && ckchs->data->ocsp_response) {
+ if (ssl_ocsp_response_print(ckchs->data->ocsp_response, out))
goto end_no_putchk;
}
else {
}
/* if a certificate is here, a private key must be here too */
- if (ckchs_transaction.new_ckchs->ckch->cert && !ckchs_transaction.new_ckchs->ckch->key) {
+ if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) {
memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
goto error;
}
- if (!X509_check_private_key(ckchs_transaction.new_ckchs->ckch->cert, ckchs_transaction.new_ckchs->ckch->key)) {
+ if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
goto error;
}
int errcode = 0;
char *end;
struct cert_exts *cert_ext = &cert_exts[0]; /* default one, PEM */
- struct cert_key_and_chain *ckch;
+ struct ckch_data *data;
struct buffer *buf;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
goto end;
}
- ckch = new_ckchs->ckch;
+ data = new_ckchs->data;
/* appply the change on the duplicate */
- if (cert_ext->load(buf->area, payload, ckch, &err) != 0) {
+ if (cert_ext->load(buf->area, payload, data, &err) != 0) {
memprintf(&err, "%sCan't load the payload\n", err ? err : "");
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
memprintf(&err, "certificate '%s' does not exist!", cert_path);
goto error;
}
- if (store->ckch == NULL || store->ckch->cert == NULL) {
+ if (store->data == NULL || store->data->cert == NULL) {
memprintf(&err, "certificate '%s' is empty!", cert_path);
goto error;
}
memprintf(&err, "certificate '%s' does not exist!", cert_path);
goto error;
}
- if (store->ckch == NULL || store->ckch->cert == NULL) {
+ if (store->data == NULL || store->data->cert == NULL) {
memprintf(&err, "certificate '%s' is empty!", cert_path);
goto error;
}
* Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
* successfully enabled, or -1 in other error case.
*/
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
{
X509 *x, *issuer;
OCSP_CERTID *cid = NULL;
#endif
- x = ckch->cert;
+ x = data->cert;
if (!x)
goto out;
- issuer = ckch->ocsp_issuer;
+ issuer = data->ocsp_issuer;
/* take issuer from chain over ocsp_issuer, is what is done historicaly */
if (chain) {
/* check if one of the certificate of the chain is the issuer */
ret = 0;
warn = NULL;
- if (ssl_sock_load_ocsp_response(ckch->ocsp_response, iocsp, cid, &warn)) {
+ if (ssl_sock_load_ocsp_response(data->ocsp_response, iocsp, cid, &warn)) {
memprintf(&warn, "Loading: %s. Content will be ignored", warn ? warn : "failure");
ha_warning("%s.\n", warn);
}
#endif
#ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
{
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
}
* the operation succeed.
*/
#ifndef OPENSSL_NO_DH
-static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain *ckch,
+static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct ckch_data *data,
const char *path, char **err)
{
int ret = 0;
HASSL_DH *dh = NULL;
- if (ckch && ckch->dh) {
- dh = ckch->dh;
+ if (data && data->dh) {
+ dh = data->dh;
if (!ssl_sock_set_tmp_dh(ctx, dh)) {
memprintf(err, "%sunable to load the DH parameter specified in '%s'",
err && *err ? *err : "", path);
#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
#else
- ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
+ ssl_sock_set_tmp_dh_from_pkey(ctx, data ? data->key : NULL);
#endif
}
}
* The value 0 means there is no error nor warning and
* the operation succeed.
*/
-static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_chain *ckch,
+static int ssl_sock_load_cert_chain(const char *path, const struct ckch_data *data,
SSL_CTX *ctx, STACK_OF(X509) **find_chain, char **err)
{
int errcode = 0;
goto end;
}
- if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
+ if (!SSL_CTX_use_certificate(ctx, data->cert)) {
ret = ERR_get_error();
memprintf(err, "%sunable to load SSL certificate into SSL Context '%s': %s.\n",
err && *err ? *err : "", path, ERR_reason_error_string(ret));
goto end;
}
- if (ckch->chain) {
- *find_chain = ckch->chain;
+ if (data->chain) {
+ *find_chain = data->chain;
} else {
/* Find Certificate Chain in global */
struct issuer_chain *issuer;
- issuer = ssl_get0_issuer_chain(ckch->cert);
+ issuer = ssl_get0_issuer_chain(data->cert);
if (issuer)
*find_chain = issuer->chain;
}
*find_chain = sk_X509_new_null();
}
- /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+ /* Load all certs in the data into the ctx_chain for the ssl_ctx */
#ifdef SSL_CTX_set1_chain
if (!SSL_CTX_set1_chain(ctx, *find_chain)) {
ret = ERR_get_error();
* The value 0 means there is no error nor warning and
* the operation succeed.
*/
-static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
+static int ssl_sock_put_ckch_into_ctx(const char *path, const struct ckch_data *data, SSL_CTX *ctx, char **err)
{
int errcode = 0;
STACK_OF(X509) *find_chain = NULL;
ERR_clear_error();
- if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
+ if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) {
int ret;
ret = ERR_get_error();
}
/* Load certificate chain */
- errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err);
+ errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err);
if (errcode & ERR_CODE)
goto end;
SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
}
- errcode |= ssl_sock_load_dh_params(ctx, ckch, path, err);
+ errcode |= ssl_sock_load_dh_params(ctx, data, path, err);
if (errcode & ERR_CODE) {
memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
err && *err ? *err : "", path);
#endif
#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
- if (sctl_ex_index >= 0 && ckch->sctl) {
- if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
+ if (sctl_ex_index >= 0 && data->sctl) {
+ if (ssl_sock_load_sctl(ctx, data->sctl) < 0) {
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
/* Load OCSP Info into context */
- if (ckch->ocsp_response) {
- if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {
+ if (data->ocsp_response) {
+ if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) {
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
* The value 0 means there is no error nor warning and
* the operation succeed.
*/
-static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch,
+static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct ckch_data *data,
SSL_CTX *ctx, char **err)
{
int errcode = 0;
STACK_OF(X509) *find_chain = NULL;
/* Load the private key */
- if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
+ if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) {
memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;
}
/* Load certificate chain */
- errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err);
+ errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err);
if (errcode & ERR_CODE)
goto end;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
STACK_OF(GENERAL_NAME) *names;
#endif
- struct cert_key_and_chain *ckch;
+ struct ckch_data *data;
struct ckch_inst *ckch_inst = NULL;
int errcode = 0;
*ckchi = NULL;
- if (!ckchs || !ckchs->ckch)
+ if (!ckchs || !ckchs->data)
return ERR_FATAL;
- ckch = ckchs->ckch;
+ data = ckchs->data;
ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
goto error;
}
- errcode |= ssl_sock_put_ckch_into_ctx(path, ckch, ctx, err);
+ errcode |= ssl_sock_put_ckch_into_ctx(path, data, ctx, err);
if (errcode & ERR_CODE)
goto error;
goto error;
}
- pkey = X509_get_pubkey(ckch->cert);
+ pkey = X509_get_pubkey(data->cert);
if (pkey) {
kinfo.bits = EVP_PKEY_bits(pkey);
switch(EVP_PKEY_base_id(pkey)) {
}
else {
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- names = X509_get_ext_d2i(ckch->cert, NID_subject_alt_name, NULL, NULL);
+ names = X509_get_ext_d2i(data->cert, NID_subject_alt_name, NULL, NULL);
if (names) {
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
- xname = X509_get_subject_name(ckch->cert);
+ xname = X509_get_subject_name(data->cert);
i = -1;
while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
struct ckch_inst **ckchi, char **err)
{
SSL_CTX *ctx;
- struct cert_key_and_chain *ckch;
+ struct ckch_data *data;
struct ckch_inst *ckch_inst = NULL;
int errcode = 0;
*ckchi = NULL;
- if (!ckchs || !ckchs->ckch)
+ if (!ckchs || !ckchs->data)
return ERR_FATAL;
- ckch = ckchs->ckch;
+ data = ckchs->data;
ctx = SSL_CTX_new(SSLv23_client_method());
if (!ctx) {
goto error;
}
- errcode |= ssl_sock_put_srv_ckch_into_ctx(path, ckch, ctx, err);
+ errcode |= ssl_sock_put_srv_ckch_into_ctx(path, data, ctx, err);
if (errcode & ERR_CODE)
goto error;
ssl_sock_load_ca(struct bind_conf *bind_conf)
{
struct proxy *px = bind_conf->frontend;
- struct cert_key_and_chain *ckch = NULL;
+ struct ckch_data *data = NULL;
int ret = 0;
char *err = NULL;
}
/* Allocate cert structure */
- ckch = calloc(1, sizeof(*ckch));
- if (!ckch) {
+ data = calloc(1, sizeof(*data));
+ if (!data) {
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain allocation failure\n",
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
goto failed;
}
/* Try to parse file */
- if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, ckch, &err)) {
+ if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, data, &err)) {
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain loading failed: %s\n",
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line, err);
free(err);
}
/* Fail if missing cert or pkey */
- if ((!ckch->cert) || (!ckch->key)) {
+ if ((!data->cert) || (!data->key)) {
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain missing certificate or private key\n",
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
goto failed;
}
/* Final assignment to bind */
- bind_conf->ca_sign_ckch = ckch;
+ bind_conf->ca_sign_ckch = data;
return ret;
failed:
- if (ckch) {
- ssl_sock_free_cert_key_and_chain_contents(ckch);
- free(ckch);
+ if (data) {
+ ssl_sock_free_cert_key_and_chain_contents(data);
+ free(data);
}
bind_conf->options &= ~BC_O_GENERATE_CERTS;
projects / thirdparty / haproxy.git / commitdiff
