CLEANUP: ssl: Move ssl_store related code to ssl_ckch.c
This patch moves all the ssl_store related code to ssl_ckch.c since it
will mostly be used there once the CA file update CLI commands are all
implemented. It also makes the cafile_entry structure visible as well as
the cafile_tree.
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index f5fd48f..2ea1ba2 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -95,5 +95,16 @@
struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
};
+
+/*
+ * deduplicate cafile (and crlfile)
+ */
+struct cafile_entry {
+ X509_STORE *ca_store;
+ STACK_OF(X509_NAME) *ca_list;
+ struct ebmb_node node;
+ char path[0];
+};
+
#endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_CKCH_T_H */
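Review bot: Now that `struct cafile_entry` is exported from a public `-t.h` header, its fields should be documented, since the `path[0]` trailing member and the `sizeof(*ca_e) + pathlen + 1` sizing in ssl_ckch.c only make sense together; I would annotate the last field as `char path[0]; /* NUL-terminated file path, also the ebst key; allocated past the struct */` and `ca_store` as `/* owned; freed with X509_STORE_free() */`. `char path[0]` is a GNU zero-length array rather than the C99 flexible array member `char path[];`, so unless the project deliberately standardizes on the zero-length form, the standard spelling is preferable now that other translation units will see the type. `ca_list` is never assigned in the code visible in this commit, so I would not document its semantics beyond "presumably the X509_NAME list derived from ca_store — confirm" until a writer exists.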
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 7d1b8ef..31cf3b5 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -54,5 +54,9 @@
void ckch_deinit();
+/* ssl_store functions */
+X509_STORE* ssl_store_get0_locations_file(char *path);
+int ssl_store_load_locations_file(char *path, int create_if_none);
+
#endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_CRTLIST_H */
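Review bot: Both new prototypes take `char *path` although neither function writes through it — the definitions in ssl_ckch.c only pass it to `ebst_lookup`, `strlen`, `memcpy` (as source) and `X509_STORE_load_locations`, all of which accept `const char *`; declaring them as `X509_STORE* ssl_store_get0_locations_file(const char *path);` and `int ssl_store_load_locations_file(const char *path, int create_if_none);` (and matching the definitions) lets callers pass string literals and `const` config paths without a cast. The `get0` suffix follows the OpenSSL convention of not taking a reference, which is worth stating in a one-line comment above the prototype so callers know not to free the returned store. As an aside, the surrounding context line guards this header with `_HAPROXY_SSL_CRTLIST_H`, which looks copy-pasted from ssl_crtlist.h and is pre-existing, but it would collide if both headers were ever included with that guard.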
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index c68425a..a96a67b 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -36,6 +36,7 @@
extern int totalsslconns;
extern struct eb_root ckchs_tree;
extern struct eb_root crtlists_tree;
+extern struct eb_root cafile_tree;
extern int sctl_ex_index;
extern struct global_ssl global_ssl;
extern struct ssl_bind_kw ssl_bind_kws[];
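Review bot: The `extern struct eb_root cafile_tree;` declaration is added to ssl_sock.h while the tree's definition and the two ssl_store prototypes that operate on it are moved to ssl_ckch.c / ssl_ckch.h in the same commit, so code that uses the tree has to include a different header than code that uses its accessors. For consistency with the rest of this change I would place the extern in ssl_ckch.h under the new `/* ssl_store functions */` block, e.g. `extern struct eb_root cafile_tree;` right above `X509_STORE* ssl_store_get0_locations_file(char *path);`. If the tree is intended to be mutated at runtime by the upcoming CLI commands, note that unlike `ckchs_tree` it has no associated lock; that may be deliberate for a lookup-only CLI path, so worth confirming.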
@@ -120,7 +121,6 @@
void ssl_free_global_issuers(void);
int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
-int ssl_store_load_locations_file(char *path, int create_if_none);
/* ssl shctx macro */
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index bf7bfc6..9242360 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -38,6 +38,7 @@
#include <haproxy/openssl-compat.h>
#include <haproxy/ssl_sock.h>
#include <haproxy/tools.h>
+#include <haproxy/ssl_ckch.h>
/****************** Global Section Parsing ********************************************/
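Review bot: The new `#include <haproxy/ssl_ckch.h>` is appended after `<haproxy/tools.h>`, which breaks the alphabetical ordering the surrounding includes follow (`openssl-compat.h`, `ssl_sock.h`, `tools.h`); placing it before `#include <haproxy/ssl_sock.h>` keeps the list sorted. Since ssl_ckch.h declares `X509_STORE*` in its prototypes, it presumably pulls in the OpenSSL headers itself (or via ssl_ckch-t.h); if not, it should be included after `openssl-compat.h` regardless of ordering — confirm.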
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 6931d19..41bc7e1 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -921,6 +921,51 @@
return ckch_inst;
}
+
+/******************** ssl_store functions ******************************/
+struct eb_root cafile_tree = EB_ROOT_UNIQUE;
+
+X509_STORE* ssl_store_get0_locations_file(char *path)
+{
+ struct ebmb_node *eb;
+
+ eb = ebst_lookup(&cafile_tree, path);
+ if (eb) {
+ struct cafile_entry *ca_e;
+ ca_e = ebmb_entry(eb, struct cafile_entry, node);
+ return ca_e->ca_store;
+ }
+ return NULL;
+}
+
+int ssl_store_load_locations_file(char *path, int create_if_none)
+{
+ X509_STORE *store = ssl_store_get0_locations_file(path);
+
+ /* If this function is called by the CLI, we should not call the
+ * X509_STORE_load_locations function because it performs forbidden disk
+ * accesses. */
+ if (!store && create_if_none) {
+ struct cafile_entry *ca_e;
+ store = X509_STORE_new();
+ if (X509_STORE_load_locations(store, path, NULL)) {
+ int pathlen;
+ pathlen = strlen(path);
+ ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
+ if (ca_e) {
+ memcpy(ca_e->path, path, pathlen + 1);
+ ca_e->ca_store = store;
+ ebst_insert(&cafile_tree, &ca_e->node);
+ }
+ } else {
+ X509_STORE_free(store);
+ store = NULL;
+ }
+ }
+ return (store != NULL);
+}
+
+
/*************************** CLI commands ***********************/
/* Type of SSL payloads that can be updated over the CLI */
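Review bot: In the moved `ssl_store_load_locations_file`, the result of `store = X509_STORE_new();` is handed to `X509_STORE_load_locations` without a NULL check, and when the subsequent `calloc` fails the loaded store is neither inserted in `cafile_tree` nor freed, yet the function still returns 1 because `store` is non-NULL — the caller is told the path is cached while the next `ssl_store_get0_locations_file(path)` returns NULL, and the store leaks. The commit only relocates the code, so this is an existing defect, but it is the natural point to fix it: treat a failed `X509_STORE_new()`, a failed load and a failed `calloc` uniformly by freeing the store and returning 0, and use `size_t` for `pathlen` since `strlen` returns `size_t` (the `int` narrowing is harmless here but trips `-Wconversion`). `X509_STORE_free` accepts NULL, so the cleanup can be shared. The rewritten body below keeps the signature and the early-return semantics intact.
```c
int ssl_store_load_locations_file(char *path, int create_if_none)
{
	X509_STORE *store = ssl_store_get0_locations_file(path);

	/* … unchanged: comment on CLI callers not touching the disk … */
	if (!store && create_if_none) {
		struct cafile_entry *ca_e = NULL;

		store = X509_STORE_new();
		if (store && X509_STORE_load_locations(store, path, NULL)) {
			size_t pathlen = strlen(path);

			ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
			if (ca_e) {
				memcpy(ca_e->path, path, pathlen + 1);
				ca_e->ca_store = store;
				ebst_insert(&cafile_tree, &ca_e->node);
			}
		}
		if (!ca_e) {
			/* allocation or load failed: never report a store that is
			 * not reachable through cafile_tree (X509_STORE_free(NULL) is a no-op) */
			X509_STORE_free(store);
			store = NULL;
		}
	}
	return (store != NULL);
}
```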
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 58f0413..0fc3388 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -315,57 +315,6 @@
__decl_thread(HA_SPINLOCK_T ckch_lock);
-/*
- * deduplicate cafile (and crlfile)
- */
-struct cafile_entry {
- X509_STORE *ca_store;
- STACK_OF(X509_NAME) *ca_list;
- struct ebmb_node node;
- char path[0];
-};
-
-static struct eb_root cafile_tree = EB_ROOT_UNIQUE;
-
-static X509_STORE* ssl_store_get0_locations_file(char *path)
-{
- struct ebmb_node *eb;
-
- eb = ebst_lookup(&cafile_tree, path);
- if (eb) {
- struct cafile_entry *ca_e;
- ca_e = ebmb_entry(eb, struct cafile_entry, node);
- return ca_e->ca_store;
- }
- return NULL;
-}
-
-int ssl_store_load_locations_file(char *path, int create_if_none)
-{
- X509_STORE *store = ssl_store_get0_locations_file(path);
-
- /* If this function is called by the CLI, we should not call the
- * X509_STORE_load_locations function because it performs forbidden disk
- * accesses. */
- if (!store && create_if_none) {
- struct cafile_entry *ca_e;
- store = X509_STORE_new();
- if (X509_STORE_load_locations(store, path, NULL)) {
- int pathlen;
- pathlen = strlen(path);
- ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
- if (ca_e) {
- memcpy(ca_e->path, path, pathlen + 1);
- ca_e->ca_store = store;
- ebst_insert(&cafile_tree, &ca_e->node);
- }
- } else {
- X509_STORE_free(store);
- store = NULL;
- }
- }
- return (store != NULL);
-}
/* mimic what X509_STORE_load_locations do with store_ctx */
static int ssl_set_cert_crl_file(X509_STORE *store_ctx, char *path)