Cleanup: make createStaticServerContext deal with ContextPointer

This method is about initializing the staticContext member of
ServerOptions. There is no need to involve the caller directly in those
logistics.

diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc
index dfcc2dd9de8c50ce8e9c0d9dc622e003b5209eae..6c0c3a7a26b2908e7eb324a61f76ff3b1758370e 100644 (file)
--- a/src/anyp/PortCfg.cc
+++ b/src/anyp/PortCfg.cc
@@ -143,8 +143,7 @@ AnyP::PortCfg::configureSslServerContext()
         }
     }
 
-    secure.staticContext.reset(secure.createStaticServerContext(*this));
-    if (!secure.staticContext) {
+    if (!secure.createStaticServerContext(*this)) {
         char buf[128];
         fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
     }

diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index c6be66a8fc8fe0cd2a9428b1f4d6d431d9413106..955ad7dfe16c4d6032e66527b4c3085ddf09e835 100644 (file)
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -117,19 +117,21 @@ Security::ServerOptions::createBlankContext() const
     return t;
 }
 
-Security::ContextPtr
+bool
 Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &port)
 {
     updateTlsVersionLimits();
 
-    Security::ContextPtr t = createBlankContext();
+    Security::ContextPointer t(createBlankContext());
     if (t) {
 #if USE_OPENSSL
-        Ssl::InitServerContext(t, port);
+        if (!Ssl::InitServerContext(t, port))
+            return false;
 #endif
     }
 
-    return t;
+    staticContext = std::move(t);
+    return bool(staticContext);
 }
 
 void

diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h
index 530aa4ab36ebe8211e95732d0c0353773b680617..c679835f72360c925f0c203040ae7c93f455bd55 100644 (file)
--- a/src/security/ServerOptions.h
+++ b/src/security/ServerOptions.h
@@ -33,7 +33,9 @@ public:
     virtual void dumpCfg(Packable *, const char *pfx) const;
 
     /// generate a security server-context from these configured options
-    Security::ContextPtr createStaticServerContext(AnyP::PortCfg &);
+    /// the resulting context is stored in staticContext
+    /// \returns true if a context could be created
+    bool createStaticServerContext(AnyP::PortCfg &);
 
     /// update the context with DH, EDH, EECDH settings
     void updateContextEecdh(Security::ContextPtr &);

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 7f9e569ec5513420a0036cbd06bcbf0c5a9069d4..6c05f1babd2d0570014ad15be0c28c5804ec93cf 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -557,63 +557,57 @@ configureSslContext(Security::ContextPtr sslContext, AnyP::PortCfg &port)
 }
 
 bool
-Ssl::InitServerContext(Security::ContextPtr &sslContext, AnyP::PortCfg &port)
+Ssl::InitServerContext(const Security::ContextPointer &ctx, AnyP::PortCfg &port)
 {
-    if (!sslContext)
+    if (!ctx)
         return false;
 
-    if (!SSL_CTX_use_certificate(sslContext, port.signingCert.get())) {
+    if (!SSL_CTX_use_certificate(ctx.get(), port.signingCert.get())) {
         const int ssl_error = ERR_get_error();
         const auto &keys = port.secure.certs.front();
         debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS certificate '" << keys.certFile << "': " << ERR_error_string(ssl_error, NULL));
-        SSL_CTX_free(sslContext);
         return false;
     }
 
-    if (!SSL_CTX_use_PrivateKey(sslContext, port.signPkey.get())) {
+    if (!SSL_CTX_use_PrivateKey(ctx.get(), port.signPkey.get())) {
         const int ssl_error = ERR_get_error();
         const auto &keys = port.secure.certs.front();
         debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire TLS private key '" << keys.privateKeyFile << "': " << ERR_error_string(ssl_error, NULL));
-        SSL_CTX_free(sslContext);
         return false;
     }
 
-    Ssl::addChainToSslContext(sslContext, port.certsToChain.get());
+    Ssl::addChainToSslContext(ctx.get(), port.certsToChain.get());
 
     /* Alternate code;
         debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile);
 
-        if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
+        if (!SSL_CTX_use_certificate_chain_file(ctx.get(), certfile)) {
             ssl_error = ERR_get_error();
             debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL));
-            SSL_CTX_free(sslContext);
             return false;
         }
 
         debugs(83, DBG_IMPORTANT, "Using private key in " << keyfile);
-        ssl_ask_password(sslContext, keyfile);
+        ssl_ask_password(ctx.get(), keyfile);
 
-        if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) {
+        if (!SSL_CTX_use_PrivateKey_file(ctx.get(), keyfile, SSL_FILETYPE_PEM)) {
             ssl_error = ERR_get_error();
             debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL));
-            SSL_CTX_free(sslContext);
             return false;
         }
 
         debugs(83, 5, "Comparing private and public SSL keys.");
 
-        if (!SSL_CTX_check_private_key(sslContext)) {
+        if (!SSL_CTX_check_private_key(ctx.get())) {
             ssl_error = ERR_get_error();
             debugs(83, DBG_CRITICAL, "ERROR: SSL private key '" << certfile << "' does not match public key '" <<
                    keyfile << "': " << ERR_error_string(ssl_error, NULL));
-            SSL_CTX_free(sslContext);
             return false;
         }
     */
 
-    if (!configureSslContext(sslContext, port)) {
+    if (!configureSslContext(ctx.get(), port)) {
         debugs(83, DBG_CRITICAL, "ERROR: Configuring static SSL context");
-        SSL_CTX_free(sslContext);
         return false;
     }
 

diff --git a/src/ssl/support.h b/src/ssl/support.h
index 1c28d7f47f5c45cf15eb49e4f06e9e5140e821b4..0ef586762b48c2f7fdf656bb7e076d95efa985d9 100644 (file)
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
@@ -112,7 +112,7 @@ extern Ipc::MemMap *SessionCache;
 extern const char *SessionCacheName;
 
 /// initialize a TLS server context with OpenSSL specific settings
-bool InitServerContext(Security::ContextPtr &, AnyP::PortCfg &);
+bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &);
 
 /// initialize a TLS client context with OpenSSL specific settings
 bool InitClientContext(Security::ContextPtr &, Security::PeerOptions &, long options, long flags);

diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
index bc7c4d1b9bd868f8a2b31f67ffcd084745816559..ba40c5591a21eb4e2d1183f71be261c0efd0a639 100644 (file)
--- a/src/tests/stub_libsecurity.cc
+++ b/src/tests/stub_libsecurity.cc
@@ -34,7 +34,7 @@ void parse_securePeerOptions(Security::PeerOptions *) STUB
 void Security::ServerOptions::parse(const char *) STUB
 void Security::ServerOptions::dumpCfg(Packable *, const char *) const STUB
 Security::ContextPtr Security::ServerOptions::createBlankContext() const STUB
-Security::ContextPtr Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &) STUB_RETVAL(nullptr)
+bool Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &) STUB_RETVAL(false)
 void Security::ServerOptions::updateContextEecdh(Security::ContextPtr &) STUB
 
 #include "security/NegotiationHistory.h"

diff --git a/src/tests/stub_libsslsquid.cc b/src/tests/stub_libsslsquid.cc
index c622726eed6da255841bd56d61aad6fcd82b2e11..564dc3b53b20a910dc8a05f905d94eaf6d3cf2cf 100644 (file)
--- a/src/tests/stub_libsslsquid.cc
+++ b/src/tests/stub_libsslsquid.cc
@@ -55,7 +55,7 @@ namespace Ssl
 CertError & CertError::operator = (const CertError &old) STUB_RETVAL(*this)
 bool CertError::operator == (const CertError &ce) const STUB_RETVAL(false)
 bool CertError::operator != (const CertError &ce) const STUB_RETVAL(false)
-bool InitServerContext(Security::ContextPtr &, AnyP::PortCfg &) STUB_RETVAL(false)
+bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false)
 bool InitClientContext(Security::ContextPtr &, Security::PeerOptions &, long, const char *) STUB_RETVAL(false)
 } // namespace Ssl
 int ssl_read_method(int, char *, int) STUB_RETVAL(0)