From: Willy Tarreau Date: Thu, 22 Dec 2016 16:08:28 +0000 (+0100) Subject: MEDIUM: ssl: remote the proxy argument from most functions X-Git-Tag: v1.8-dev1~208 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0320934f7e2de603a3de6416d4aa510f905e0347;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments. --- diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h index cb9a1e9863..119368a069 100644 --- a/include/proto/ssl_sock.h +++ b/include/proto/ssl_sock.h @@ -43,12 +43,12 @@ int ssl_sock_is_ssl(struct connection *conn) } int ssl_sock_handshake(struct connection *conn, unsigned int flag); -int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *proxy); -int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px); -int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *px); +int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx); +int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf); +int ssl_sock_prepare_srv_ctx(struct server *srv); void ssl_sock_free_srv_ctx(struct server *srv); void ssl_sock_free_all_ctx(struct bind_conf *bind_conf); -int ssl_sock_load_ca(struct bind_conf *bind_conf, struct proxy *px); +int ssl_sock_load_ca(struct bind_conf *bind_conf); void ssl_sock_free_ca(struct bind_conf *bind_conf); const char *ssl_sock_get_cipher_name(struct connection *conn); const char *ssl_sock_get_proto_version(struct connection *conn); diff --git a/src/cfgparse.c b/src/cfgparse.c index 7b5572f79e..c4c392f3ac 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -8289,7 +8289,7 @@ out_uri_auth_compat: #ifdef USE_OPENSSL if (newsrv->use_ssl || newsrv->check.use_ssl) - cfgerr += ssl_sock_prepare_srv_ctx(newsrv, curproxy); + cfgerr += ssl_sock_prepare_srv_ctx(newsrv); #endif /* USE_OPENSSL */ /* set the check type on the server */ @@ -8750,10 +8750,10 @@ out_uri_auth_compat: } /* initialize all certificate contexts */ - cfgerr += ssl_sock_prepare_all_ctx(bind_conf, curproxy); + cfgerr += ssl_sock_prepare_all_ctx(bind_conf); /* initialize CA variables if the certificates generation is enabled */ - cfgerr += ssl_sock_load_ca(bind_conf, curproxy); + cfgerr += ssl_sock_load_ca(bind_conf); } #endif /* USE_OPENSSL */ diff --git a/src/hlua.c b/src/hlua.c index f423c6da3c..2d1d41d66e 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -7698,7 +7698,7 @@ void hlua_init(void) } /* Initialize SSL server. */ - ssl_sock_prepare_srv_ctx(&socket_ssl, &socket_proxy); + ssl_sock_prepare_srv_ctx(&socket_ssl); #endif RESET_SAFE_LJMP(gL.T); diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 617c00297a..6cb8d63ba8 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2030,7 +2030,7 @@ static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root * 0 on success * 1 on failure */ -static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err) +static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, char **sni_filter, int fcount, char **err) { char fp[MAXPATHLEN+1] = {0}; int n = 0; @@ -2238,7 +2238,7 @@ end: } #else /* This is a dummy, that just logs an error and returns error */ -static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err) +static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, char **sni_filter, int fcount, char **err) { memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n", err && *err ? *err : "", path, strerror(errno)); @@ -2352,7 +2352,7 @@ end: return ret; } -static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err) +static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, char **sni_filter, int fcount, char **err) { int ret; SSL_CTX *ctx; @@ -2440,7 +2440,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf return 0; } -int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **err) +int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err) { struct dirent **de_list; int i, n; @@ -2457,7 +2457,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu if (stat(path, &buf) == 0) { dir = opendir(path); if (!dir) - return ssl_sock_load_cert_file(path, bind_conf, curproxy, NULL, 0, err); + return ssl_sock_load_cert_file(path, bind_conf, NULL, 0, err); /* strip trailing slashes, including first one */ for (end = path + strlen(path) - 1; end >= path && *end == '/'; end--) @@ -2517,7 +2517,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu } snprintf(fp, sizeof(fp), "%s/%s", path, dp); - ssl_sock_load_multi_cert(fp, bind_conf, curproxy, NULL, 0, err); + ssl_sock_load_multi_cert(fp, bind_conf, NULL, 0, err); /* Successfully processed the bundle */ goto ignore_entry; @@ -2525,7 +2525,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu } #endif - cfgerr += ssl_sock_load_cert_file(fp, bind_conf, curproxy, NULL, 0, err); + cfgerr += ssl_sock_load_cert_file(fp, bind_conf, NULL, 0, err); ignore_entry: free(de); } @@ -2535,7 +2535,7 @@ ignore_entry: return cfgerr; } - cfgerr = ssl_sock_load_multi_cert(path, bind_conf, curproxy, NULL, 0, err); + cfgerr = ssl_sock_load_multi_cert(path, bind_conf, NULL, 0, err); return cfgerr; } @@ -2556,7 +2556,7 @@ static int ssl_initialize_random() return random_initialized; } -int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct proxy *curproxy, char **err) +int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, char **err) { char thisline[LINESIZE*CRTLIST_FACTOR]; FILE *f; @@ -2620,9 +2620,9 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct continue; if (stat(args[0], &buf) == 0) { - cfgerr = ssl_sock_load_cert_file(args[0], bind_conf, curproxy, &args[1], arg-1, err); + cfgerr = ssl_sock_load_cert_file(args[0], bind_conf, &args[1], arg-1, err); } else { - cfgerr = ssl_sock_load_multi_cert(args[0], bind_conf, curproxy, &args[1], arg-1, err); + cfgerr = ssl_sock_load_multi_cert(args[0], bind_conf, &args[1], arg-1, err); } if (cfgerr) { @@ -2670,8 +2670,9 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct #define SSL_MODE_SMALL_BUFFERS 0 #endif -int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *curproxy) +int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx) { + struct proxy *curproxy = bind_conf->frontend; int cfgerr = 0; int verify = SSL_VERIFY_NONE; long ssloptions = @@ -3022,8 +3023,9 @@ static int ssl_sock_srv_verifycbk(int ok, X509_STORE_CTX *ctx) } /* prepare ssl context from servers options. Returns an error count */ -int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy) +int ssl_sock_prepare_srv_ctx(struct server *srv) { + struct proxy *curproxy = srv->proxy; int cfgerr = 0; long options = SSL_OP_ALL | /* all known workarounds for bugs */ @@ -3184,7 +3186,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy) * be NULL, in which case nothing is done. Returns the number of errors * encountered. */ -int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px) +int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf) { struct ebmb_node *node; struct sni_ctx *sni; @@ -3197,7 +3199,7 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px) global.ssl_used_frontend = 1; if (bind_conf->default_ctx) - err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px); + err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx); node = ebmb_first(&bind_conf->sni_ctx); while (node) { @@ -3205,7 +3207,7 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px) if (!sni->order && sni->ctx != bind_conf->default_ctx) /* only initialize the CTX on its first occurrence and if it is not the default_ctx */ - err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px); + err += ssl_sock_prepare_ctx(bind_conf, sni->ctx); node = ebmb_next(node); } @@ -3215,7 +3217,7 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px) if (!sni->order && sni->ctx != bind_conf->default_ctx) /* only initialize the CTX on its first occurrence and if it is not the default_ctx */ - err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px); + err += ssl_sock_prepare_ctx(bind_conf, sni->ctx); node = ebmb_next(node); } return err; @@ -3267,8 +3269,9 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf) /* Load CA cert file and private key used to generate certificates */ int -ssl_sock_load_ca(struct bind_conf *bind_conf, struct proxy *px) +ssl_sock_load_ca(struct bind_conf *bind_conf) { + struct proxy *px = bind_conf->frontend; FILE *fp; X509 *cacert = NULL; EVP_PKEY *capkey = NULL; @@ -5196,13 +5199,13 @@ static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bin return ERR_ALERT | ERR_FATAL; } snprintf(path, sizeof(path), "%s/%s", global.crt_base, args[cur_arg + 1]); - if (ssl_sock_load_cert(path, conf, px, err) > 0) + if (ssl_sock_load_cert(path, conf, err) > 0) return ERR_ALERT | ERR_FATAL; return 0; } - if (ssl_sock_load_cert(args[cur_arg + 1], conf, px, err) > 0) + if (ssl_sock_load_cert(args[cur_arg + 1], conf, err) > 0) return ERR_ALERT | ERR_FATAL; return 0; @@ -5216,7 +5219,7 @@ static int bind_parse_crt_list(char **args, int cur_arg, struct proxy *px, struc return ERR_ALERT | ERR_FATAL; } - if (ssl_sock_load_cert_list_file(args[cur_arg + 1], conf, px, err) > 0) { + if (ssl_sock_load_cert_list_file(args[cur_arg + 1], conf, err) > 0) { memprintf(err, "'%s' : %s", args[cur_arg], *err); return ERR_ALERT | ERR_FATAL; }