From: William Lallemand Date: Tue, 22 Nov 2022 10:51:53 +0000 (+0100) Subject: MEDIUM: ssl: rename the struct "cert_key_and_chain" to "ckch_data" X-Git-Tag: v2.8-dev1~200 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52ddd99940a9580cd6a70af1e5469ad10fc9fa1b;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: rename the struct "cert_key_and_chain" to "ckch_data" Rename the structure "cert_key_and_chain" to "ckch_data" in order to avoid confusion with the store which is often called "ckchs". The "cert_key_and_chain *ckch" were renamed "ckch_data *data", so we now have store->data instead of ckchs->ckch. Marked medium because it changes the API. --- diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h index 46921a4b98..e32190d463 100644 --- a/include/haproxy/listener-t.h +++ b/include/haproxy/listener-t.h @@ -186,7 +186,7 @@ struct bind_conf { char *ca_sign_file; /* CAFile used to generate and sign server certificates */ char *ca_sign_pass; /* CAKey passphrase */ - struct cert_key_and_chain * ca_sign_ckch; /* CA and possible certificate chain for ca generation */ + struct ckch_data *ca_sign_ckch; /* CA and possible certificate chain for ca generation */ #endif #ifdef USE_QUIC struct quic_transport_params quic_params; /* QUIC transport parameters. */ diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h index c630e98112..973d73b236 100644 --- a/include/haproxy/ssl_ckch-t.h +++ b/include/haproxy/ssl_ckch-t.h @@ -46,7 +46,7 @@ * This structure is the base one, in the case of a multi-cert bundle, we * allocate 1 structure per type. */ -struct cert_key_and_chain { +struct ckch_data { X509 *cert; EVP_PKEY *key; STACK_OF(X509) *chain;
@@ -60,11 +60,13 @@ struct cert_key_and_chain {
 * this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
 * metadata.
 *
+ * "ckch" for cert, key and chain.
+ *
 * XXX: Once we remove the multi-cert bundle support, we could merge this structure
 * with the cert_key_and_chain one.
 */
 struct ckch_store {
- struct cert_key_and_chain *ckch;
+ struct ckch_data *data;
 struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
 struct list crtlist_entry; /* list of entries which use this store */
 struct ebmb_node node;
@@ -150,7 +150,7 @@ enum {
 struct cert_exts {
 const char *ext;
 int type;
- int (*load)(const char *path, char *payload, struct cert_key_and_chain *ckch, char **err);
+ int (*load)(const char *path, char *payload, struct ckch_data *data, char **err);
 /* add a parsing callback */
 };
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 21eb0d26f6..64ac3df5ab 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
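Review bot: The comment block above `struct ckch_store` still says the store holds `1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain` and suggests merging it `with the cert_key_and_chain one`, although this hunk renames that structure to `ckch_data` and even adds a line explaining the "ckch" abbreviation; a reader of the header alone will no longer find a `cert_key_and_chain` anywhere. I would update the two lines to `* this is used to store 1 to SSL_SOCK_NUM_KEYTYPES ckch_data and` and `* with the ckch_data one.`. The same stale name survives in the `/* cert_key_and_chain functions */` section comment of include/haproxy/ssl_ckch.h and in the `/* Frees the contents of a cert_key_and_chain */` comment above ssl_sock_free_cert_key_and_chain_contents in src/ssl_ckch.c, both later in this commit.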
@@ -27,14 +27,14 @@
 /* cert_key_and_chain functions */
-int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err);
-int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
-void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch);
+int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err);
+int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *datackch , char **err);
+void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data);
-int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err);
-int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err);
-int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err);
-int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err);
+int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err);
+int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err);
+int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err);
+int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err);
 /* ckch_store functions */
 struct ckch_store *ckchs_load_cert_file(char *path, char **err);
diff --git a/src/hlua.c b/src/hlua.c
index 75176a6854..35f9c8f560 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -11609,7 +11609,7 @@ __LJMP static int hlua_ckch_set(lua_State *L)
 char *err = NULL;
 struct cert_exts *cert_ext = NULL;
 char *filename;
- struct cert_key_and_chain *ckch;
+ struct ckch_data *data;
 int ret;
 if (lua_type(L, -1) != LUA_TTABLE)
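Review bot: The new prototype of ssl_sock_load_pem_into_ckch names its third parameter `datackch`, which looks like an incomplete search-and-replace: every other prototype in this hunk and the function's definition in src/ssl_ckch.c later in this commit use `data`. A parameter name in a prototype has no effect on the generated code, but it is what readers, editors and documentation tools show, so the line should be `int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err);`.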
@@ -11646,7 +11646,7 @@ __LJMP static int hlua_ckch_set(lua_State *L) goto end; } - ckch = new_ckchs->ckch; + data = new_ckchs->data; /* loop on the field in the table, which have the same name as the * possible extensions of files */ @@ -11676,7 +11676,7 @@ __LJMP static int hlua_ckch_set(lua_State *L) } /* appply the change on the duplicate */ - if (cert_ext->load(filename, payload, ckch, &err) != 0) { + if (cert_ext->load(filename, payload, data, &err) != 0) { memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext); errcode |= ERR_ALERT | ERR_FATAL; goto end; diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 58430476eb..7a6168a019 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -165,7 +165,7 @@ out: /* Try to load a sctl from a buffer if not NULL, or read the file * It fills the ckch->sctl buffer * return 0 on success or != 0 on failure */ -int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err) +int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err) { int fd = -1; int r = 0; @@ -208,11 +208,11 @@ int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_k goto end; } /* no error, fill ckch with new context, old context must be free */ - if (ckch->sctl) { - ha_free(&ckch->sctl->area); - free(ckch->sctl); + if (data->sctl) { + ha_free(&data->sctl->area); + free(data->sctl); } - ckch->sctl = sctl; + data->sctl = sctl; ret = 0; end: if (fd != -1) @@ -228,7 +228,7 @@ end: * * Returns 0 on success, 1 in error case. */ -int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err) +int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err) { int fd = -1; int r = 0; 
@@ -287,12 +287,12 @@ int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, stru ha_free(&ocsp_response); goto end; } - /* no error, fill ckch with new context, old context must be free */ - if (ckch->ocsp_response) { - ha_free(&ckch->ocsp_response->area); - free(ckch->ocsp_response); + /* no error, fill data with new context, old context must be free */ + if (data->ocsp_response) { + ha_free(&data->ocsp_response->area); + free(data->ocsp_response); } - ckch->ocsp_response = ocsp_response; + data->ocsp_response = ocsp_response; ret = 0; end: if (fd != -1) @@ -317,14 +317,14 @@ end: * 0 on Success * 1 on SSL Failure */ -int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err) +int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char **err) { struct buffer *fp = NULL; int ret = 1; struct stat st; /* try to load the PEM */ - if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) { + if (ssl_sock_load_pem_into_ckch(path, NULL, data , err) != 0) { goto end; } @@ -356,7 +356,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c } - if (ckch->key == NULL) { + if (data->key == NULL) { /* If no private key was found yet and we cannot look for it in extra * files, raise an error. */ @@ -374,14 +374,14 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c } if (stat(fp->area, &st) == 0) { - if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) { + if (ssl_sock_load_key_into_ckch(fp->area, NULL, data, err)) { memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n", err && *err ? *err : "", fp->area); goto end; } } - if (ckch->key == NULL) { + if (data->key == NULL) { memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area); goto end; } 
@@ -391,7 +391,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c } - if (!X509_check_private_key(ckch->cert, ckch->key)) { + if (!X509_check_private_key(data->cert, data->key)) { memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n", err && *err ? *err : "", path); goto end; @@ -410,7 +410,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c } if (stat(fp->area, &st) == 0) { - if (ssl_sock_load_sctl_from_file(fp->area, NULL, ckch, err)) { + if (ssl_sock_load_sctl_from_file(fp->area, NULL, data, err)) { memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n", err && *err ? *err : "", fp->area); ret = 1; @@ -435,7 +435,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c } if (stat(fp->area, &st) == 0) { - if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, ckch, err)) { + if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, data, err)) { ret = 1; goto end; } @@ -446,9 +446,9 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c } #ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */ - if (ckch->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) { + if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) { /* if no issuer was found, try to load an issuer from the .issuer */ - if (!ckch->ocsp_issuer) { + if (!data->ocsp_issuer) { struct stat st; if (!chunk_strcat(fp, ".issuer") || b_data(fp) > MAXPATHLEN) { 
@@ -459,12 +459,12 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c } if (stat(fp->area, &st) == 0) { - if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, ckch, err)) { + if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, data, err)) { ret = 1; goto end; } - if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) { + if (X509_check_issued(data->ocsp_issuer, data->cert) != X509_V_OK) { memprintf(err, "%s '%s' is not an issuer'.\n", err && *err ? *err : "", fp->area); ret = 1; @@ -486,7 +486,7 @@ end: /* Something went wrong in one of the reads */ if (ret != 0) - ssl_sock_free_cert_key_and_chain_contents(ckch); + ssl_sock_free_cert_key_and_chain_contents(data); free_trash_chunk(fp); @@ -500,7 +500,7 @@ end: * * Return 0 on success or != 0 on failure */ -int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err) +int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err) { BIO *in = NULL; int ret = 1; @@ -534,7 +534,7 @@ int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and ret = 0; - SWAP(ckch->key, key); + SWAP(data->key, key); end: @@ -556,7 +556,7 @@ end: * * Return 0 on success or != 0 on failure */ -int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err) +int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err) { BIO *in = NULL; int ret = 1; 
@@ -639,27 +639,27 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and goto end; } - /* once it loaded the PEM, it should remove everything else in the ckch */ - if (ckch->ocsp_response) { - ha_free(&ckch->ocsp_response->area); - ha_free(&ckch->ocsp_response); + /* once it loaded the PEM, it should remove everything else in the data */ + if (data->ocsp_response) { + ha_free(&data->ocsp_response->area); + ha_free(&data->ocsp_response); } - if (ckch->sctl) { - ha_free(&ckch->sctl->area); - ha_free(&ckch->sctl); + if (data->sctl) { + ha_free(&data->sctl->area); + ha_free(&data->sctl); } - if (ckch->ocsp_issuer) { - X509_free(ckch->ocsp_issuer); - ckch->ocsp_issuer = NULL; + if (data->ocsp_issuer) { + X509_free(data->ocsp_issuer); + data->ocsp_issuer = NULL; } - /* no error, fill ckch with new context, old context will be free at end: */ - SWAP(ckch->key, key); - SWAP(ckch->dh, dh); - SWAP(ckch->cert, cert); - SWAP(ckch->chain, chain); + /* no error, fill data with new context, old context will be free at end: */ + SWAP(data->key, key); + SWAP(data->dh, dh); + SWAP(data->cert, cert); + SWAP(data->chain, chain); ret = 0; 
@@ -682,43 +682,43 @@ end: /* Frees the contents of a cert_key_and_chain */ -void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch) +void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data) { - if (!ckch) + if (!data) return; /* Free the certificate and set pointer to NULL */ - if (ckch->cert) - X509_free(ckch->cert); - ckch->cert = NULL; + if (data->cert) + X509_free(data->cert); + data->cert = NULL; /* Free the key and set pointer to NULL */ - if (ckch->key) - EVP_PKEY_free(ckch->key); - ckch->key = NULL; + if (data->key) + EVP_PKEY_free(data->key); + data->key = NULL; /* Free each certificate in the chain */ - if (ckch->chain) - sk_X509_pop_free(ckch->chain, X509_free); - ckch->chain = NULL; + if (data->chain) + sk_X509_pop_free(data->chain, X509_free); + data->chain = NULL; - if (ckch->dh) - HASSL_DH_free(ckch->dh); - ckch->dh = NULL; + if (data->dh) + HASSL_DH_free(data->dh); + data->dh = NULL; - if (ckch->sctl) { - ha_free(&ckch->sctl->area); - ha_free(&ckch->sctl); + if (data->sctl) { + ha_free(&data->sctl->area); + ha_free(&data->sctl); } - if (ckch->ocsp_response) { - ha_free(&ckch->ocsp_response->area); - ha_free(&ckch->ocsp_response); + if (data->ocsp_response) { + ha_free(&data->ocsp_response->area); + ha_free(&data->ocsp_response); } - if (ckch->ocsp_issuer) - X509_free(ckch->ocsp_issuer); - ckch->ocsp_issuer = NULL; + if (data->ocsp_issuer) + X509_free(data->ocsp_issuer); + data->ocsp_issuer = NULL; } /* @@ -730,8 +730,8 @@ void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch) * * Return a the dst or NULL */ -struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_chain *src, - struct cert_key_and_chain *dst) +struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src, + struct ckch_data *dst) { if (!src || !dst) return NULL; 
@@ -801,7 +801,7 @@ error: /* * return 0 on success or != 0 on failure */ -int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err) +int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err) { int ret = 1; BIO *in = NULL; @@ -831,10 +831,10 @@ int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert err && *err ? *err : "", path); goto end; } - /* no error, fill ckch with new context, old context must be free */ - if (ckch->ocsp_issuer) - X509_free(ckch->ocsp_issuer); - ckch->ocsp_issuer = issuer; + /* no error, fill data with new context, old context must be free */ + if (data->ocsp_issuer) + X509_free(data->ocsp_issuer); + data->ocsp_issuer = issuer; ret = 0; end: @@ -861,9 +861,9 @@ void ckch_store_free(struct ckch_store *store) if (!store) return; - ssl_sock_free_cert_key_and_chain_contents(store->ckch); + ssl_sock_free_cert_key_and_chain_contents(store->data); - ha_free(&store->ckch); + ha_free(&store->data); list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) { ckch_inst_free(inst); @@ -894,8 +894,8 @@ struct ckch_store *ckch_store_new(const char *filename) LIST_INIT(&store->ckch_inst); LIST_INIT(&store->crtlist_entry); - store->ckch = calloc(1, sizeof(*store->ckch)); - if (!store->ckch) + store->data = calloc(1, sizeof(*store->data)); + if (!store->data) goto error; return store; @@ -917,7 +917,7 @@ struct ckch_store *ckchs_dup(const struct ckch_store *src) if (!dst) return NULL; - if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch)) + if (!ssl_sock_copy_cert_key_and_chain(src->data, dst->data)) goto error; return dst; @@ -955,7 +955,7 @@ struct ckch_store *ckchs_load_cert_file(char *path, char **err) goto end; } - if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1) + if (ssl_sock_load_files_into_ckch(path, ckchs->data, err) == 1) goto end; /* insert into the ckchs tree */ 
@@ -1773,13 +1773,13 @@ static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char *key_length = 0; - if (!ckch_store->ckch->ocsp_response) + if (!ckch_store->data->ocsp_response) return 0; - p = (unsigned char *) ckch_store->ckch->ocsp_response->area; + p = (unsigned char *) ckch_store->data->ocsp_response->area; resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p, - ckch_store->ckch->ocsp_response->data); + ckch_store->data->ocsp_response->data); if (!resp) { goto end; } @@ -1849,14 +1849,14 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx) chunk_appendf(out, "%s\n", ckchs->path); chunk_appendf(out, "Status: "); - if (ckchs->ckch->cert == NULL) + if (ckchs->data->cert == NULL) chunk_appendf(out, "Empty\n"); else if (LIST_ISEMPTY(&ckchs->ckch_inst)) chunk_appendf(out, "Unused\n"); else chunk_appendf(out, "Used\n"); - retval = show_cert_detail(ckchs->ckch->cert, ckchs->ckch->chain, out); + retval = show_cert_detail(ckchs->data->cert, ckchs->data->chain, out); if (retval < 0) goto end_no_putchk; else if (retval) @@ -1895,8 +1895,8 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx) * need to dump the ckch's ocsp_response buffer directly. * Otherwise, we must rebuild the certificate's certid in order to * look for the current OCSP response in the tree. */ - if (from_transaction && ckchs->ckch->ocsp_response) { - if (ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out)) + if (from_transaction && ckchs->data->ocsp_response) { + if (ssl_ocsp_response_print(ckchs->data->ocsp_response, out)) goto end_no_putchk; } else { 
@@ -2292,12 +2292,12 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc } /* if a certificate is here, a private key must be here too */ - if (ckchs_transaction.new_ckchs->ckch->cert && !ckchs_transaction.new_ckchs->ckch->key) { + if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) { memprintf(&err, "The transaction must contain at least a certificate and a private key!\n"); goto error; } - if (!X509_check_private_key(ckchs_transaction.new_ckchs->ckch->cert, ckchs_transaction.new_ckchs->ckch->key)) { + if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) { memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path); goto error; } @@ -2335,7 +2335,7 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, int errcode = 0; char *end; struct cert_exts *cert_ext = &cert_exts[0]; /* default one, PEM */ - struct cert_key_and_chain *ckch; + struct ckch_data *data; struct buffer *buf; if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) @@ -2434,10 +2434,10 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, goto end; } - ckch = new_ckchs->ckch; + data = new_ckchs->data; /* appply the change on the duplicate */ - if (cert_ext->load(buf->area, payload, ckch, &err) != 0) { + if (cert_ext->load(buf->area, payload, data, &err) != 0) { memprintf(&err, "%sCan't load the payload\n", err ? err : ""); errcode |= ERR_ALERT | ERR_FATAL; goto end; diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c index b5979bdf31..c532c01f60 100644 --- a/src/ssl_crtlist.c +++ b/src/ssl_crtlist.c 
@@ -1288,7 +1288,7 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc memprintf(&err, "certificate '%s' does not exist!", cert_path); goto error; } - if (store->ckch == NULL || store->ckch->cert == NULL) { + if (store->data == NULL || store->data->cert == NULL) { memprintf(&err, "certificate '%s' is empty!", cert_path); goto error; } @@ -1383,7 +1383,7 @@ static int cli_parse_del_crtlist(char **args, char *payload, struct appctx *appc memprintf(&err, "certificate '%s' does not exist!", cert_path); goto error; } - if (store->ckch == NULL || store->ckch->cert == NULL) { + if (store->data == NULL || store->data->cert == NULL) { memprintf(&err, "certificate '%s' is empty!", cert_path); goto error; } diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 5592a6b27a..0b8cfb8830 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1472,7 +1472,7 @@ static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp) * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is * successfully enabled, or -1 in other error case. */ -static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain) +static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain) { X509 *x, *issuer; OCSP_CERTID *cid = NULL; @@ -1487,11 +1487,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc #endif - x = ckch->cert; + x = data->cert; if (!x) goto out; - issuer = ckch->ocsp_issuer; + issuer = data->ocsp_issuer; /* take issuer from chain over ocsp_issuer, is what is done historicaly */ if (chain) { /* check if one of the certificate of the chain is the issuer */ 
@@ -1588,7 +1588,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 ret = 0;
 warn = NULL;
- if (ssl_sock_load_ocsp_response(ckch->ocsp_response, iocsp, cid, &warn)) {
+ if (ssl_sock_load_ocsp_response(data->ocsp_response, iocsp, cid, &warn)) {
 memprintf(&warn, "Loading: %s. Content will be ignored", warn ? warn : "failure");
 ha_warning("%s.\n", warn);
 }
@@ -1608,7 +1608,7 @@ out:
 #endif
 #ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
 {
 return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
 }
@@ -3555,14 +3555,14 @@ struct eb_root crtlists_tree = EB_ROOT_UNIQUE;
 * the operation succeed.
 */
 #ifndef OPENSSL_NO_DH
-static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain *ckch,
+static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct ckch_data *data,
 const char *path, char **err)
 {
 int ret = 0;
 HASSL_DH *dh = NULL;
- if (ckch && ckch->dh) {
- dh = ckch->dh;
+ if (data && data->dh) {
+ dh = data->dh;
 if (!ssl_sock_set_tmp_dh(ctx, dh)) {
 memprintf(err, "%sunable to load the DH parameter specified in '%s'",
 err && *err ? *err : "", path);
@@ -3621,7 +3621,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 #if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
 #else
- ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
+ ssl_sock_set_tmp_dh_from_pkey(ctx, data ? data->key : NULL);
 #endif
 }
 }
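Review bot: The BoringSSL variant of ssl_sock_load_ocsp (second hunk, under `#ifdef OPENSSL_IS_BORINGSSL`) renames its parameter to `data` but leaves the body dereferencing `ckch`, so src/ssl_sock.c no longer compiles in a BoringSSL build; the rename was only verified against the OpenSSL variant above it. The body should become `return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)data->ocsp_response->area, data->ocsp_response->data);`. Like the OpenSSL variant, this still relies on the caller having checked `data->ocsp_response` for NULL first, which ssl_sock_put_ckch_into_ctx does in a later hunk of this commit (`if (data->ocsp_response) {`); a one-line comment stating that precondition above the function would make it explicit.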
@@ -3642,7 +3642,7 @@ end: * The value 0 means there is no error nor warning and * the operation succeed. */ -static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_chain *ckch, +static int ssl_sock_load_cert_chain(const char *path, const struct ckch_data *data, SSL_CTX *ctx, STACK_OF(X509) **find_chain, char **err) { int errcode = 0; @@ -3655,7 +3655,7 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_ goto end; } - if (!SSL_CTX_use_certificate(ctx, ckch->cert)) { + if (!SSL_CTX_use_certificate(ctx, data->cert)) { ret = ERR_get_error(); memprintf(err, "%sunable to load SSL certificate into SSL Context '%s': %s.\n", err && *err ? *err : "", path, ERR_reason_error_string(ret)); @@ -3663,12 +3663,12 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_ goto end; } - if (ckch->chain) { - *find_chain = ckch->chain; + if (data->chain) { + *find_chain = data->chain; } else { /* Find Certificate Chain in global */ struct issuer_chain *issuer; - issuer = ssl_get0_issuer_chain(ckch->cert); + issuer = ssl_get0_issuer_chain(data->cert); if (issuer) *find_chain = issuer->chain; } @@ -3679,7 +3679,7 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_ *find_chain = sk_X509_new_null(); } - /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ + /* Load all certs in the data into the ctx_chain for the ssl_ctx */ #ifdef SSL_CTX_set1_chain if (!SSL_CTX_set1_chain(ctx, *find_chain)) { ret = ERR_get_error(); 
@@ -3730,14 +3730,14 @@ end: * The value 0 means there is no error nor warning and * the operation succeed. */ -static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err) +static int ssl_sock_put_ckch_into_ctx(const char *path, const struct ckch_data *data, SSL_CTX *ctx, char **err) { int errcode = 0; STACK_OF(X509) *find_chain = NULL; ERR_clear_error(); - if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) { + if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) { int ret; ret = ERR_get_error(); @@ -3748,7 +3748,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an } /* Load certificate chain */ - errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err); + errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err); if (errcode & ERR_CODE) goto end; @@ -3759,7 +3759,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL); } - errcode |= ssl_sock_load_dh_params(ctx, ckch, path, err); + errcode |= ssl_sock_load_dh_params(ctx, data, path, err); if (errcode & ERR_CODE) { memprintf(err, "%sunable to load DH parameters from file '%s'.\n", err && *err ? *err : "", path); @@ -3768,8 +3768,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an #endif #ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT - if (sctl_ex_index >= 0 && ckch->sctl) { - if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) { + if (sctl_ex_index >= 0 && data->sctl) { + if (ssl_sock_load_sctl(ctx, data->sctl) < 0) { memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n", err && *err ? *err : "", path); errcode |= ERR_ALERT | ERR_FATAL; 
@@ -3780,8 +3780,8 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) /* Load OCSP Info into context */ - if (ckch->ocsp_response) { - if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) { + if (data->ocsp_response) { + if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) { memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n", err && *err ? *err : "", path); errcode |= ERR_ALERT | ERR_FATAL; @@ -3803,21 +3803,21 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an * The value 0 means there is no error nor warning and * the operation succeed. */ -static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, +static int ssl_sock_put_srv_ckch_into_ctx(const char *path, const struct ckch_data *data, SSL_CTX *ctx, char **err) { int errcode = 0; STACK_OF(X509) *find_chain = NULL; /* Load the private key */ - if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) { + if (SSL_CTX_use_PrivateKey(ctx, data->key) <= 0) { memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n", err && *err ? *err : "", path); errcode |= ERR_ALERT | ERR_FATAL; } /* Load certificate chain */ - errcode |= ssl_sock_load_cert_chain(path, ckch, ctx, &find_chain, err); + errcode |= ssl_sock_load_cert_chain(path, data, ctx, &find_chain, err); if (errcode & ERR_CODE) goto end; 
@@ -3853,16 +3853,16 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME STACK_OF(GENERAL_NAME) *names; #endif - struct cert_key_and_chain *ckch; + struct ckch_data *data; struct ckch_inst *ckch_inst = NULL; int errcode = 0; *ckchi = NULL; - if (!ckchs || !ckchs->ckch) + if (!ckchs || !ckchs->data) return ERR_FATAL; - ckch = ckchs->ckch; + data = ckchs->data; ctx = SSL_CTX_new(SSLv23_server_method()); if (!ctx) { @@ -3872,7 +3872,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct goto error; } - errcode |= ssl_sock_put_ckch_into_ctx(path, ckch, ctx, err); + errcode |= ssl_sock_put_ckch_into_ctx(path, data, ctx, err); if (errcode & ERR_CODE) goto error; @@ -3884,7 +3884,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct goto error; } - pkey = X509_get_pubkey(ckch->cert); + pkey = X509_get_pubkey(data->cert); if (pkey) { kinfo.bits = EVP_PKEY_bits(pkey); switch(EVP_PKEY_base_id(pkey)) { @@ -3913,7 +3913,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct } else { #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - names = X509_get_ext_d2i(ckch->cert, NID_subject_alt_name, NULL, NULL); + names = X509_get_ext_d2i(data->cert, NID_subject_alt_name, NULL, NULL); if (names) { for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i); @@ -3932,7 +3932,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */ - xname = X509_get_subject_name(ckch->cert); + xname = X509_get_subject_name(data->cert); i = -1; while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) { X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i); 
@@ -4014,16 +4014,16 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs, struct ckch_inst **ckchi, char **err) { SSL_CTX *ctx; - struct cert_key_and_chain *ckch; + struct ckch_data *data; struct ckch_inst *ckch_inst = NULL; int errcode = 0; *ckchi = NULL; - if (!ckchs || !ckchs->ckch) + if (!ckchs || !ckchs->data) return ERR_FATAL; - ckch = ckchs->ckch; + data = ckchs->data; ctx = SSL_CTX_new(SSLv23_client_method()); if (!ctx) { @@ -4033,7 +4033,7 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs, goto error; } - errcode |= ssl_sock_put_srv_ckch_into_ctx(path, ckch, ctx, err); + errcode |= ssl_sock_put_srv_ckch_into_ctx(path, data, ctx, err); if (errcode & ERR_CODE) goto error; @@ -5714,7 +5714,7 @@ int ssl_sock_load_ca(struct bind_conf *bind_conf) { struct proxy *px = bind_conf->frontend; - struct cert_key_and_chain *ckch = NULL; + struct ckch_data *data = NULL; int ret = 0; char *err = NULL; @@ -5737,15 +5737,15 @@ ssl_sock_load_ca(struct bind_conf *bind_conf) } /* Allocate cert structure */ - ckch = calloc(1, sizeof(*ckch)); - if (!ckch) { + data = calloc(1, sizeof(*data)); + if (!data) { ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain allocation failure\n", px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line); goto failed; } /* Try to parse file */ - if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, ckch, &err)) { + if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file, data, &err)) { ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain loading failed: %s\n", px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line, err); free(err); 
@@ -5753,20 +5753,20 @@ ssl_sock_load_ca(struct bind_conf *bind_conf) } /* Fail if missing cert or pkey */ - if ((!ckch->cert) || (!ckch->key)) { + if ((!data->cert) || (!data->key)) { ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d]. Chain missing certificate or private key\n", px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line); goto failed; } /* Final assignment to bind */ - bind_conf->ca_sign_ckch = ckch; + bind_conf->ca_sign_ckch = data; return ret; failed: - if (ckch) { - ssl_sock_free_cert_key_and_chain_contents(ckch); - free(ckch); + if (data) { + ssl_sock_free_cert_key_and_chain_contents(data); + free(data); } bind_conf->options &= ~BC_O_GENERATE_CERTS;