MEDIUM: ssl: Chain ckch instances in ca-file entries
Each ca-file entry of the tree will now hold a list of the ckch instances that use it so that we can iterate over them when updating the ca-file via a cli command. Since the link between the SSL contexts and the CA file tree entries is only built during the ssl_sock_prepare_ctx function, which is called after all the ckch instances are created, we need to add a little post-processing after each ssl_sock_prepare_ctx that builds the link between the corresponding ckch instance and CA file tree entries. In order to manage the ca-file and ca-verify-file options, any ckch instance can be linked to multiple CA file tree entries and any CA file entry can link multiple ckch instances. This is done thanks to a dedicated list of ckch_inst references stored in the CA file tree entries over which we can iterate (during an update for instance). We avoid having one of those instances go stale by keeping a list of references to those references in the instances. When deleting a ckch_inst, we can then remove all the ckch_inst_link instances that reference it, and when deleting a cafile_entry, we iterate over the list of ckch_inst references and clear the corresponding entry in their own list of ckch_inst_link references.
committed by
William Lallemand
parent
9f0c936057
commit
4458b9732d
@@ -75,6 +75,23 @@ struct ckch_store {
|
||||
struct ssl_bind_conf;
|
||||
struct crtlist_entry;
|
||||
|
||||
|
||||
/* Used to keep a list of all the instances using a specific cafile_entry.
|
||||
* It enables to link instances regardless of how they are using the CA file
|
||||
* (either via the ca-file, ca-verify-file or crl-file option). */
|
||||
struct ckch_inst_link {
|
||||
struct ckch_inst *ckch_inst;
|
||||
struct list list;
|
||||
};
|
||||
|
||||
/* Used to keep in a ckch instance a list of all the ckch_inst_link which
|
||||
* reference it. This way, when deleting a ckch_inst, we can ensure that no
|
||||
* dangling reference on it will remain. */
|
||||
struct ckch_inst_link_ref {
|
||||
struct ckch_inst_link *link;
|
||||
struct list list;
|
||||
};
|
||||
|
||||
/*
|
||||
* This structure describe a ckch instance. An instance is generated for each
|
||||
* bind_conf. The instance contains a linked list of the sni ctx which uses
|
||||
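Review bot: The two new structs state their purpose but not which list each member is chained into or who frees it, which is exactly what a reader of `struct ckch_inst_link_ref` needs to get the teardown order right; the header's existing style puts that on the member line, e.g. `struct list list; /* chained in cafile_entry's ckch_inst_link list */` for ckch_inst_link and `struct ckch_inst_link *link; /* entry in a cafile_entry list; cleared when that entry is freed */` for ckch_inst_link_ref. The comment on ckch_inst_link mentions the crl-file option while the commit message only describes ca-file and ca-verify-file; if crl-file is not linked by this commit, say so or drop it from the comment. The invariant that every ckch_inst_link has one ckch_inst_link_ref in its instance's cafile_link_refs list, and that whichever side is freed first unlinks the other, is only stated in the commit message; it belongs above `struct ckch_inst_link_ref`, since a cafile_entry freed while a link is still referenced is the dangling pointer this pairing is meant to rule out.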
@@ -93,6 +110,7 @@ struct ckch_inst {
|
||||
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
|
||||
struct list by_ckchs; /* chained in ckch_store's list of ckch_inst */
|
||||
struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
|
||||
struct list cafile_link_refs; /* list of ckch_inst_link pointing to this instance */
|
||||
};
|
||||
|
||||
|
||||
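Review bot: The member comment on `cafile_link_refs` names the wrong element type: if, as the ckch_inst_link_ref comment suggests, the list chains `struct ckch_inst_link_ref` elements (each pointing at a ckch_inst_link), a reader walking it will pick the wrong container struct. Suggest `struct list cafile_link_refs; /* list of ckch_inst_link_ref, one per ckch_inst_link pointing to this instance */`. The same slip is in the next hunk on `struct cafile_entry`, where `ckch_inst_link` is described as a list of ckch_inst although it chains ckch_inst_link elements; `/* list of ckch_inst_link (one per ckch_inst using this CA file entry) */` would be accurate there.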
@@ -102,6 +120,7 @@ struct ckch_inst {
|
||||
struct cafile_entry {
|
||||
X509_STORE *ca_store;
|
||||
STACK_OF(X509_NAME) *ca_list;
|
||||
struct list ckch_inst_link; /* list of ckch_inst which use this CA file entry */
|
||||
struct ebmb_node node;
|
||||
char path[0];
|
||||
};
|
||||
|
||||
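Review bot: The new member `ckch_inst_link` in `struct cafile_entry` has the same name as the struct tag `struct ckch_inst_link` whose elements it chains, which is legal C but makes `entry->ckch_inst_link` and `struct ckch_inst_link` read as the same thing in the update and teardown code. A plural such as `struct list ckch_inst_links;` keeps the list apart from its element type and matches the `cafile_link_refs` naming used in `struct ckch_inst`. The member line should also say which side frees the elements when the entry is released, since the commit message only describes clearing the back-references.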
@@ -53,8 +53,11 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
|
||||
struct ckch_inst **ckchi, char **err);
|
||||
|
||||
void ckch_deinit();
|
||||
void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bind_conf,
|
||||
struct ssl_bind_conf *ssl_conf, const struct server *srv);
|
||||
|
||||
/* ssl_store functions */
|
||||
struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry);
|
||||
X509_STORE* ssl_store_get0_locations_file(char *path);
|
||||
int ssl_store_load_locations_file(char *path, int create_if_none);
|
||||
|
||||
|
||||
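Review bot: `ckch_inst_add_cafile_link` is declared without a comment, and unlike the neighbouring prototypes its contract is order-sensitive: per the commit message it has to run after ssl_sock_prepare_ctx, otherwise there is no context-to-cafile association to record. Suggest a line above it such as `/* Link ckch_inst to the cafile_entry tree entries used by bind_conf/ssl_conf (or srv); must be called after the SSL_CTX was prepared. */`. The declaration also relies on `struct bind_conf` and `struct server` being visible here; `struct ssl_bind_conf` is forward-declared in the types header, but this hunk does not show whether the other two are, so a forward declaration may be needed to keep the header self-contained.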
@@ -52,13 +52,14 @@ extern int ssl_keylog_index;
|
||||
extern struct pool_head *pool_head_ssl_keylog;
|
||||
extern struct pool_head *pool_head_ssl_keylog_str;
|
||||
|
||||
int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *, SSL_CTX *ctx, char **err);
|
||||
int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx);
|
||||
int ssl_sock_prep_ctx_and_inst(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
|
||||
SSL_CTX *ctx, struct ckch_inst *ckch_inst, char **err);
|
||||
int ssl_sock_prep_srv_ctx_and_inst(const struct server *srv, SSL_CTX *ctx,
|
||||
struct ckch_inst *ckch_inst);
|
||||
int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf);
|
||||
int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf);
|
||||
void ssl_sock_destroy_bind_conf(struct bind_conf *bind_conf);
|
||||
int ssl_sock_prepare_srv_ctx(struct server *srv);
|
||||
int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx);
|
||||
void ssl_sock_free_srv_ctx(struct server *srv);
|
||||
void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
|
||||
int ssl_sock_load_ca(struct bind_conf *bind_conf);
|
||||
|
||||
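Review bot: The new wrappers are named `ssl_sock_prep_ctx_and_inst` and `ssl_sock_prep_srv_ctx_and_inst` while every sibling in this header spells out `ssl_sock_prepare_`; using `ssl_sock_prepare_ctx_and_inst` / `ssl_sock_prepare_srv_ctx_and_inst` keeps the naming consistent and greppable. Neither has a comment saying how it differs from `ssl_sock_prepare_ctx` / `ssl_sock_prepare_srv_ssl_ctx`; a one-liner such as `/* same as ssl_sock_prepare_ctx(), then links ckch_inst to the cafile entries the context uses */` would do. The prototype `int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx);` appears twice in this rendering; if that is a genuine duplicate declaration rather than a moved line shown on both sides, one copy should go.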