mirror of
https://github.com/haproxy/haproxy.git
synced 2026-05-25 18:52:21 -04:00
2be6744189
In order for the code behind the "commit ssl cert" logic to be usable outside of the CLI context, some new "ckch_store_update_" functions are created. They allow to perform all the operations on ckch_stores to be performed without needing an appctx. The first function being called is ckch_store_update_init which mainly takes the ckch_store lock and checks that there is an ongoing transaction with the proper path (which was already done in cli_parse_commit_cert). The main one is ckch_store_update_process which replicates the logic that could be found in the cli_io_handler_commit_cert function. We iterate over the ckch instances of an existing ckch store and duplicate them in the new ckch store which is still detached from the tree, before replacing the old store with the new one. This whole operation could take some time so we were yielding every 10 instances or when applet_putstr calls would fail. The actual ckch_store operations and the applet related calls are now decorrelated in order to stop having to have an appctx during the ckch store/instances processing. The ckch_store_update_process will now update a "msg" buffer and a "state" that allow to send processing messages to the caller as well as keep the state of the processing "state machine". When the ckch_store_update_process loop is over, ckch_store_update_cleanup can be called to release the lock and free some now useless structures.
122 lines
7.2 KiB
C
122 lines
7.2 KiB
C
/*
|
|
* include/haproxy/ssl_ckch.h
|
|
* ckch function prototypes
|
|
*
|
|
* Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation, version 2.1
|
|
* exclusively.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#ifndef _HAPROXY_SSL_CKCH_H
|
|
#define _HAPROXY_SSL_CKCH_H
|
|
#ifdef USE_OPENSSL
|
|
|
|
#include <haproxy/ssl_ckch-t.h>
|
|
|
|
#include <haproxy/errors.h>
|
|
#include <haproxy/tools.h>
|
|
|
|
/* cert_key_and_chain functions */
|
|
|
|
int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, struct ckch_conf *conf, char **err);
|
|
int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *datackch , char **err);
|
|
void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data);
|
|
|
|
int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct ckch_data *data , char **err);
|
|
int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct ckch_data *data, char **err);
|
|
int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_data *data, char **err);
|
|
int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct ckch_data *data, char **err);
|
|
|
|
/* ckch_store functions */
|
|
struct ckch_store *ckch_store_new_load_files_path(char *path, char **err);
|
|
struct ckch_store *ckch_store_new_load_files_conf(char *name, struct ckch_conf *conf, const char *filename, int linenum, char **err);
|
|
struct ckch_store *ckchs_lookup(char *path);
|
|
struct ckch_store *ckchs_dup(const struct ckch_store *src);
|
|
struct ckch_store *ckch_store_new(const char *filename);
|
|
void ckch_store_free(struct ckch_store *store);
|
|
void ckch_store_replace(struct ckch_store *old_ckchs, struct ckch_store *new_ckchs);
|
|
int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, const char *file, int linenum, char **err);
|
|
int ckch_store_create(char *path, char **err);
|
|
int ckch_store_load_payload(char *path, char *payload, char **err);
|
|
int ckch_store_rebuild_instances(struct ckch_store *old_ckchs, struct ckch_store *new_ckchs,
|
|
struct ckch_inst **ckchi, int max, int *count, char **err);
|
|
|
|
int ckch_store_update_init(char *path, struct ckch_store **old_ckchs,
|
|
struct ckch_store **new_ckchs, char **err);
|
|
int ckch_store_update_process(struct ckch_store **old_ckchs, struct ckch_store **new_ckchs,
|
|
struct ckch_inst **ckchi, int *state,
|
|
struct buffer *msg, char **err);
|
|
void ckch_store_update_cleanup(struct ckch_store *new_ckchs);
|
|
|
|
/* ckch_conf functions */
|
|
|
|
int ckch_conf_parse(char **args, int cur_arg, struct ckch_conf *f, int *found, const char *file, int linenum, char **err);
|
|
void ckch_conf_clean(struct ckch_conf *conf);
|
|
int ckch_conf_cmp(struct ckch_conf *conf1, struct ckch_conf *conf2, char **err);
|
|
int ckch_conf_cmp_empty(struct ckch_conf *prev, char **err);
|
|
|
|
/* ckch_inst functions */
|
|
void ckch_inst_free(struct ckch_inst *inst);
|
|
struct ckch_inst *ckch_inst_new();
|
|
int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct bind_conf *bind_conf,
|
|
struct ssl_bind_conf *ssl_conf, char **sni_filter, int fcount, int is_default, struct ckch_inst **ckchi, char **err);
|
|
int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
|
|
struct ckch_inst **ckchi, char **err, int is_quic);
|
|
int ckch_inst_rebuild(struct ckch_store *ckch_store, struct ckch_inst *ckchi,
|
|
struct ckch_inst **new_inst, char **err);
|
|
|
|
void ckch_deinit();
|
|
void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bind_conf,
|
|
struct ssl_bind_conf *ssl_conf, const struct server *srv);
|
|
|
|
/* ssl_store functions */
|
|
struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry);
|
|
X509_STORE* ssl_store_get0_locations_file(char *path);
|
|
int ssl_store_add_uncommitted_cafile_entry(struct cafile_entry *entry);
|
|
struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type);
|
|
struct cafile_entry *ssl_store_dup_cafile_entry(struct cafile_entry *src);
|
|
void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
|
|
int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
|
|
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
|
|
int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
|
|
const char *ha_default_cert_dir();
|
|
|
|
extern struct cert_exts cert_exts[];
|
|
extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
|
|
extern char current_crtstore_name[];
|
|
|
|
/*
|
|
* ckch_conf keywords loading
|
|
* The following macro allow to declare a wrapper on function that actually load files
|
|
*
|
|
*/
|
|
#define DECLARE_CKCH_CONF_LOAD(name, base, callback) \
|
|
static inline int ckch_conf_load_##name(void *value, char *buf, struct ckch_store *s, int cli, const char *filename, int linenum, char **err) \
|
|
{ \
|
|
char path[PATH_MAX]; \
|
|
int err_code = 0; \
|
|
struct ckch_data *d = s->data; \
|
|
if (cli) \
|
|
return 0; \
|
|
err_code |= path_base(value, (base), path, err); \
|
|
if (err_code & ERR_CODE) \
|
|
goto out; \
|
|
err_code |= (callback)(path, buf, d, err); \
|
|
out: \
|
|
return err_code; \
|
|
};
|
|
|
|
#endif /* USE_OPENSSL */
|
|
#endif /* _HAPROXY_SSL_CRTLIST_H */
|