Cleanup TLS: shuffle AnyP::PortCfg::staticSslContext into libsecurity
authorAmos Jeffries <squid3@treenet.co.nz>
Fri, 4 Dec 2015 13:35:13 +0000 (05:35 -0800)
committerAmos Jeffries <squid3@treenet.co.nz>
Fri, 4 Dec 2015 13:35:13 +0000 (05:35 -0800)
There are no logic changes in this patch. Only symbol moves and polish of debugs() messages and documentation.

src/anyp/PortCfg.cc
src/anyp/PortCfg.h
src/client_side.cc
src/security/ServerOptions.h
src/ssl/support.cc

index a4430573fd811f10beeb9d8b6090c54e2489e737..ae3c677d612ee73239398836c4194f3a68645d12 100644 (file)
@@ -46,7 +46,6 @@ AnyP::PortCfg::PortCfg() :
     sslContextSessionId(NULL),
     generateHostCertificates(false),
     dynamicCertMemCacheSize(std::numeric_limits<size_t>::max()),
-    staticSslContext(),
     signingCert(),
     signPkey(),
     certsToChain(),
@@ -143,12 +142,11 @@ AnyP::PortCfg::configureSslServerContext()
     }
 
     secure.updateTlsVersionLimits();
+    secure.staticContext.reset(sslCreateServerContext(*this));
 
-    staticSslContext.reset(sslCreateServerContext(*this));
-
-    if (!staticSslContext) {
+    if (!secure.staticContext) {
         char buf[128];
-        fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol],  s.toUrl(buf, sizeof(buf)));
+        fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
     }
 }
 #endif
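Review bot: The new `secure.staticContext.reset(sslCreateServerContext(*this));` line makes configureSslServerContext() populate a member of another object, yet nothing in the hunk says so, and a reader starting from Security::ServerOptions has no pointer to where `staticContext` is filled in. Suggest a comment on that line: `// the port's static TLS context lives in ServerOptions; a null result is fatal below`. The function's signature and opening lines are outside the hunk, and the body appears to sit under a `#if USE_OPENSSL` whose `#endif` closes the hunk.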
index dcdcc597e2425e4fbfe9263b890ab61e026c40d9..301e9656eafec340660b02e0504fa8c2ba7daa93 100644 (file)
@@ -74,11 +74,10 @@ public:
 
 #if USE_OPENSSL
     char *clientca;
-    char *sslContextSessionId; ///< "session id context" for staticSslContext
+    char *sslContextSessionId; ///< "session id context" for secure.staticSslContext
     bool generateHostCertificates; ///< dynamically make host cert for sslBump
     size_t dynamicCertMemCacheSize; ///< max size of generated certificates memory cache
 
-    Security::ContextPointer staticSslContext; ///< for HTTPS accelerator or static sslBump
     Security::CertPointer signingCert; ///< x509 certificate for signing generated certificates
     Ssl::EVP_PKEY_Pointer signPkey; ///< private key for sighing generated certificates
     Ssl::X509_STACK_Pointer certsToChain; ///<  x509 certificates to send with the generated cert
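Review bot: The rewritten comment on `sslContextSessionId` names a member that does not exist: it says `secure.staticSslContext`, but the member this commit adds to Security::ServerOptions is `staticContext`. Change it to `char *sslContextSessionId; ///< "session id context" for secure.staticContext`. The class body continues outside the hunk.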
index 02894faf45f7c5569b59df4bf2af15405a0344de..f8ec73c15831aa4bcb84b7a11f425ebccb7fc5d6 100644 (file)
@@ -3542,8 +3542,7 @@ ConnStateData::postHttpsAccept()
         acl_checklist->nonBlockingCheck(httpsSslBumpAccessCheckDone, this);
         return;
     } else {
-        Security::ContextPtr sslContext = port->staticSslContext.get();
-        httpsEstablish(this, sslContext);
+        httpsEstablish(this, port->secure.staticContext.get());
     }
 }
 
@@ -3783,13 +3782,13 @@ ConnStateData::getSslContextDone(Security::ContextPtr sslContext, bool isNew)
 
     // If generated ssl context = NULL, try to use static ssl context.
     if (!sslContext) {
-        if (!port->staticSslContext) {
-            debugs(83, DBG_IMPORTANT, "Closing SSL " << clientConnection->remote << " as lacking SSL context");
+        if (!port->secure.staticContext) {
+            debugs(83, DBG_IMPORTANT, "Closing " << clientConnection->remote << " as lacking TLS context");
             clientConnection->close();
             return;
         } else {
-            debugs(33, 5, HERE << "Using static ssl context.");
-            sslContext = port->staticSslContext.get();
+            debugs(33, 5, "Using static TLS context.");
+            sslContext = port->secure.staticContext.get();
         }
     }
 
@@ -4139,7 +4138,7 @@ clientHttpConnectionsOpen(void)
                 debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s);
                 s->flags.tunnelSslBumping = false;
             }
-            if (!s->staticSslContext && !s->generateHostCertificates) {
+            if (!s->secure.staticContext && !s->generateHostCertificates) {
                 debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure.");
                 s->flags.tunnelSslBumping = false;
                 if (s->transport.protocol == AnyP::PROTO_HTTP)
@@ -4152,7 +4151,7 @@ clientHttpConnectionsOpen(void)
             }
         }
 
-        if (s->secure.encryptTransport && !s->staticSslContext) {
+        if (s->secure.encryptTransport && !s->secure.staticContext) {
             debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << " due to TLS context initialization failure.");
             continue;
         }
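Review bot: In the postHttpsAccept hunk, `httpsEstablish(this, port->secure.staticContext.get());` hands over the context pointer with no null check, while the getSslContextDone hunk treats a null static context as a reason to close the connection. The clientHttpConnectionsOpen hunk skips any encrypted port without a static context, so presumably the null case cannot reach postHttpsAccept, but nothing at the call site records that reliance. Suggest a comment above the call: `// secure.staticContext is non-null here: clientHttpConnectionsOpen() ignores encrypted ports without one`. Both functions start outside their hunks.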
index f4831bb51ef7af9a1a386a03426bfef147c71e77..2b3862060064cbfd32364f31aee18b8f4507bbe8 100644 (file)
@@ -30,13 +30,15 @@ public:
     /// update the context with DH, EDH, EECDH settings
     void updateContextEecdh(Security::ContextPtr &);
 
+public:
+    /// TLS context to use for HTTPS accelerator or static SSL-Bump
+    Security::ContextPointer staticContext;
+
 private:
     void loadDhParams();
 
-//public:
-    SBuf dh;            ///< Diffi-Helman cipher config
-
 private:
+    SBuf dh;            ///< Diffi-Helman cipher config
     SBuf dhParamsFile;  ///< Diffi-Helman ciphers parameter file
     SBuf eecdhCurve;    ///< Elliptic curve for ephemeral EC-based DH key exchanges
 
index 13e7e52c1992382ba1a9fb63af64c92f639ef677..3ce6c43f72e0267414962c58b3b6e55efe9bbb60 100644 (file)
@@ -1531,8 +1531,8 @@ Ssl::initialize_session_cache()
     }
 
     for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
-        if (s->staticSslContext.get() != NULL)
-            setSessionCallbacks(s->staticSslContext.get());
+        if (s->secure.staticContext.get())
+            setSessionCallbacks(s->secure.staticContext.get());
     }
 }