1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
/*
* include/haproxy/ssl_ckch-t.h
* ckch structures
*
* Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/* The ckch (cert key and chain) structures are a group of structures used to
* cache and manipulate the certificates files loaded from the configuration
* file and the CLI Every certificate change made in a SSL_CTX should be done
* in these structures before being applied to a SSL_CTX.
*
* The complete architecture is described in doc/internals/ssl_cert.dia
*/
#ifndef _HAPROXY_SSL_CKCH_T_H
#define _HAPROXY_SSL_CKCH_T_H
#ifdef USE_OPENSSL
#include <import/ebtree-t.h>
#include <haproxy/buf-t.h>
#include <haproxy/openssl-compat.h>
/* This is used to preload the certificate, private key
* and Cert Chain of a file passed in via the crt
* argument
*
* This way, we do not have to read the file multiple times
*
* This structure is the base one, in the case of a multi-cert bundle, we
* allocate 1 structure per type.
*/
struct ckch_data {
X509 *cert;
EVP_PKEY *key;
STACK_OF(X509) *chain;
HASSL_DH *dh;
struct buffer *sctl;
struct buffer *ocsp_response;
X509 *ocsp_issuer;
OCSP_CERTID *ocsp_cid;
int ocsp_update_mode;
};
/*
* this is used to store 1 to SSL_SOCK_NUM_KEYTYPES cert_key_and_chain and
* metadata.
*
* "ckch" for cert, key and chain.
*
* XXX: Once we remove the multi-cert bundle support, we could merge this structure
* with the cert_key_and_chain one.
*/
struct ckch_store {
struct ckch_data *data;
struct list ckch_inst; /* list of ckch_inst which uses this ckch_node */
struct list crtlist_entry; /* list of entries which use this store */
struct ebmb_node node;
char path[VAR_ARRAY];
};
/* forward declarations for ckch_inst */
struct ssl_bind_conf;
struct crtlist_entry;
/* Used to keep a list of all the instances using a specific cafile_entry.
* It enables to link instances regardless of how they are using the CA file
* (either via the ca-file, ca-verify-file or crl-file option). */
struct ckch_inst_link {
struct ckch_inst *ckch_inst;
struct list list;
};
/* Used to keep in a ckch instance a list of all the ckch_inst_link which
* reference it. This way, when deleting a ckch_inst, we can ensure that no
* dangling reference on it will remain. */
struct ckch_inst_link_ref {
struct ckch_inst_link *link;
struct list list;
};
/*
* This structure describe a ckch instance. An instance is generated for each
* bind_conf. The instance contains a linked list of the sni ctx which uses
* the ckch in this bind_conf.
*/
struct ckch_inst {
struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */
struct server *server; /* pointer to the server if is_server_instance is set, NULL otherwise */
SSL_CTX *ctx; /* pointer to the SSL context used by this instance */
unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
unsigned int is_server_instance:1; /* This instance is used by a backend server */
/* space for more flag there */
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
struct list by_ckchs; /* chained in ckch_store's list of ckch_inst */
struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
struct list cafile_link_refs; /* list of ckch_inst_link pointing to this instance */
};
/* Option through which a cafile_entry was created, either
* ca-file/ca-verify-file or crl-file. */
enum cafile_type {
CAFILE_CERT,
CAFILE_CRL
};
/*
* deduplicate cafile (and crlfile)
*/
struct cafile_entry {
X509_STORE *ca_store;
STACK_OF(X509_NAME) *ca_list;
struct list ckch_inst_link; /* list of ckch_inst which use this CA file entry */
enum cafile_type type;
struct ebmb_node node;
char path[0];
};
enum {
CERT_TYPE_PEM = 0,
CERT_TYPE_KEY,
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
CERT_TYPE_OCSP,
#endif
CERT_TYPE_ISSUER,
#ifdef HAVE_SSL_SCTL
CERT_TYPE_SCTL,
#endif
CERT_TYPE_MAX,
};
struct cert_exts {
const char *ext;
int type;
int (*load)(const char *path, char *payload, struct ckch_data *data, char **err);
/* add a parsing callback */
};
#endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_CKCH_T_H */
|
