MINOR: Add 'conn' param to ssl_sock_chose_sni_ctx

This is only useful in the traces, the conn parameter won't be used
otherwise.

diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 34d8d83b43f1b1a3fb606cdbbca32efc08f6919d..84e2ed552a0b4ef73d9846bac7fcaf491de0ddbc 100644 (file)
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -117,8 +117,8 @@ int ssl_sock_switchctx_wolfSSL_cbk(WOLFSSL* ssl, void* arg);
 
 int increment_sslconn();
 void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_conf);
-struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *servername,
-                                                             int have_rsa_sig, int have_ecdsa_sig);
+struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, struct connection *conn,
+                                       const char *servername, int have_rsa_sig, int have_ecdsa_sig);
 #ifdef SSL_MODE_ASYNC
 void ssl_async_fd_handler(int fd);
 void ssl_async_fd_free(int fd);

diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c
index eb8a0ee76ccda9d536392566de785a9081c99978..be94849c77c41160737f0354377aebd35b06ca0e 100644 (file)
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@@ -36,14 +36,14 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
  *
  * This function does a lookup in the bind_conf sni tree so the caller should lock its tree.
  */
-struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *servername,
-                                                             int have_rsa_sig, int have_ecdsa_sig)
+struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, struct connection *conn,
+                                       const char *servername, int have_rsa_sig, int have_ecdsa_sig)
 {
        struct ebmb_node *node, *n, *node_ecdsa = NULL, *node_rsa = NULL, *node_anonymous = NULL;
        const char *wildp = NULL;
        int i;
 
-       TRACE_ENTER(SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername);
+       TRACE_ENTER(SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername);
 
        /* look for the first dot for wildcard search */
        for (i = 0; servername[i] != '\0'; i++) {
@@ -108,27 +108,27 @@ struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *serverna
         * RSA > DSA */
        if (have_ecdsa_sig && node_ecdsa) {
                node = node_ecdsa;
-               TRACE_STATE("ECDSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+               TRACE_STATE("ECDSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
        } else if (have_rsa_sig && node_rsa) {
                node = node_rsa;
-               TRACE_STATE("RSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+               TRACE_STATE("RSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
        } else if (node_anonymous) {
                node = node_anonymous;
-               TRACE_STATE("Anonymous node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+               TRACE_STATE("Anonymous node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
        } else if (node_ecdsa) {
                node = node_ecdsa;      /* no ecdsa signature case (< TLSv1.2) */
-               TRACE_STATE("ECDSA node picked (< TLSv1.2)", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+               TRACE_STATE("ECDSA node picked (< TLSv1.2)", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
        } else {
                node = node_rsa;        /* no rsa signature case (far far away) */
-               TRACE_STATE("RSA node picked (fallback)", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+               TRACE_STATE("RSA node picked (fallback)", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
        }
 
        if (node) {
-               TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX);
+               TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX, conn);
                return container_of(node, struct sni_ctx, name);
        }
 
-       TRACE_STATE("No SNI context found", SSL_EV_CONN_CHOOSE_SNI_CTX);
+       TRACE_STATE("No SNI context found", SSL_EV_CONN_CHOOSE_SNI_CTX, conn);
        return NULL;
 }
 
@@ -407,7 +407,7 @@ sni_lookup:
        trash.area[i] = 0;
 
        HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock);
-       sni_ctx = ssl_sock_chose_sni_ctx(s, trash.area, has_rsa_sig, has_ecdsa_sig);
+       sni_ctx = ssl_sock_chose_sni_ctx(s, conn, trash.area, has_rsa_sig, has_ecdsa_sig);
        if (sni_ctx) {
                /* switch ctx */
                struct ssl_bind_conf *conf = sni_ctx->conf;
@@ -701,7 +701,7 @@ sni_lookup:
        servername = trash.area;
 
        HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock);
-       sni_ctx = ssl_sock_chose_sni_ctx(s, servername, has_rsa_sig, has_ecdsa_sig);
+       sni_ctx = ssl_sock_chose_sni_ctx(s, conn, servername, has_rsa_sig, has_ecdsa_sig);
        if (sni_ctx) {
                /* switch ctx */
                struct ssl_bind_conf *conf = sni_ctx->conf;

diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c
index 9ab5f3371d5cbc793f64849336e5a7226962074f..551331644719c3b436a820b7075d4de724b9d63b 100644 (file)
--- a/src/ssl_gencert.c
+++ b/src/ssl_gencert.c
@@ -98,7 +98,7 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf
        int           key_type;
        struct sni_ctx *sni_ctx;
 
-       sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, "", 1, 1);
+       sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, NULL, "", 1, 1);
        if (!sni_ctx)
                goto mkcert_error;
 

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7d29d70eb19977e4ae1b1ea83f71d91cb24583e8..29c7df87411ba3cdfc88a7f8abd30c25cf3bb3e4 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4787,7 +4787,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
                struct sni_ctx *sni_ctx;
 
                /* if we use the generate-certificates option, look for the first default cert available */
-               sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, "", 1, 1);
+               sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, NULL, "", 1, 1);
                if (!sni_ctx) {
                        ha_alert("Proxy '%s': no SSL certificate specified for bind '%s' and 'generate-certificates' option at [%s:%d] (use 'crt').\n",
                                 px->id, bind_conf->arg, bind_conf->file, bind_conf->line);