From: Remi Tricot-Le Breton Date: Fri, 18 Apr 2025 15:26:58 +0000 (+0200) Subject: MINOR: Add 'conn' param to ssl_sock_chose_sni_ctx X-Git-Tag: v3.2-dev13~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=047fb37b1989996e06623310d02034965f83e19a;p=thirdparty%2Fhaproxy.git MINOR: Add 'conn' param to ssl_sock_chose_sni_ctx This is only useful in the traces, the conn parameter won't be used otherwise. --- diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h index 34d8d83b4..84e2ed552 100644 --- a/include/haproxy/ssl_sock.h +++ b/include/haproxy/ssl_sock.h @@ -117,8 +117,8 @@ int ssl_sock_switchctx_wolfSSL_cbk(WOLFSSL* ssl, void* arg); int increment_sslconn(); void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_conf); -struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *servername, - int have_rsa_sig, int have_ecdsa_sig); +struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, struct connection *conn, + const char *servername, int have_rsa_sig, int have_ecdsa_sig); #ifdef SSL_MODE_ASYNC void ssl_async_fd_handler(int fd); void ssl_async_fd_free(int fd); diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c index eb8a0ee76..be94849c7 100644 --- a/src/ssl_clienthello.c +++ b/src/ssl_clienthello.c 
@@ -36,14 +36,14 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) * * This function does a lookup in the bind_conf sni tree so the caller should lock its tree. */ -struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *servername, - int have_rsa_sig, int have_ecdsa_sig) +struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, struct connection *conn, + const char *servername, int have_rsa_sig, int have_ecdsa_sig) { struct ebmb_node *node, *n, *node_ecdsa = NULL, *node_rsa = NULL, *node_anonymous = NULL; const char *wildp = NULL; int i; - TRACE_ENTER(SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername); + TRACE_ENTER(SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername); /* look for the first dot for wildcard search */ for (i = 0; servername[i] != '\0'; i++) { 
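Review bot: The new `conn` parameter is nullable — the src/ssl_gencert.c and src/ssl_sock.c call sites in this same commit pass NULL — but the function's header comment visible at the top of the hunk says nothing about that, nor that the argument is only forwarded to the trace macros. Suggest extending that comment with `* <conn> is only passed to the trace macros and may be NULL (callers without a connection, e.g. at config time, pass NULL).` The TRACE_ENTER on the new side presumably tolerates a NULL connection argument since the old code passed NULL in that position, but that assumption is worth stating next to the parameter rather than leaving it implicit. The function body continues past the end of the hunk.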
@@ -108,27 +108,27 @@ struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *serverna * RSA > DSA */ if (have_ecdsa_sig && node_ecdsa) { node = node_ecdsa; - TRACE_STATE("ECDSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node); + TRACE_STATE("ECDSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node); } else if (have_rsa_sig && node_rsa) { node = node_rsa; - TRACE_STATE("RSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node); + TRACE_STATE("RSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node); } else if (node_anonymous) { node = node_anonymous; - TRACE_STATE("Anonymous node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node); + TRACE_STATE("Anonymous node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node); } else if (node_ecdsa) { node = node_ecdsa; /* no ecdsa signature case (< TLSv1.2) */ - TRACE_STATE("ECDSA node picked (< TLSv1.2)", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node); + TRACE_STATE("ECDSA node picked (< TLSv1.2)", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node); } else { node = node_rsa; /* no rsa signature case (far far away) */ - TRACE_STATE("RSA node picked (fallback)", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node); + TRACE_STATE("RSA node picked (fallback)", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node); } if (node) { - TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX); + TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX, conn); return container_of(node, struct sni_ctx, name); } - TRACE_STATE("No SNI context found", SSL_EV_CONN_CHOOSE_SNI_CTX); + TRACE_STATE("No SNI context found", SSL_EV_CONN_CHOOSE_SNI_CTX, conn); return NULL; } 
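Review bot: The `return NULL` path at the end of the hunk still emits only `TRACE_STATE("No SNI context found", SSL_EV_CONN_CHOOSE_SNI_CTX, conn)` and no TRACE_LEAVE, whereas the successful path now calls `TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX, conn)`; if the trace convention pairs every TRACE_ENTER with a TRACE_LEAVE, failed lookups will show an unbalanced enter. Since this line is touched anyway, consider adding `TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX, conn);` before `return NULL;`. The imbalance predates the commit, so this is a follow-up rather than a regression; attaching `conn` to that failure trace is nonetheless the most useful part of the change, as a lookup miss is the event that ties an unknown SNI to a specific client connection. The function begins above this hunk.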
@@ -407,7 +407,7 @@ sni_lookup: trash.area[i] = 0; HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); - sni_ctx = ssl_sock_chose_sni_ctx(s, trash.area, has_rsa_sig, has_ecdsa_sig); + sni_ctx = ssl_sock_chose_sni_ctx(s, conn, trash.area, has_rsa_sig, has_ecdsa_sig); if (sni_ctx) { /* switch ctx */ struct ssl_bind_conf *conf = sni_ctx->conf; @@ -701,7 +701,7 @@ sni_lookup: servername = trash.area; HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); - sni_ctx = ssl_sock_chose_sni_ctx(s, servername, has_rsa_sig, has_ecdsa_sig); + sni_ctx = ssl_sock_chose_sni_ctx(s, conn, servername, has_rsa_sig, has_ecdsa_sig); if (sni_ctx) { /* switch ctx */ struct ssl_bind_conf *conf = sni_ctx->conf; diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c index 9ab5f3371..551331644 100644 --- a/src/ssl_gencert.c +++ b/src/ssl_gencert.c @@ -98,7 +98,7 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf int key_type; struct sni_ctx *sni_ctx; - sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, "", 1, 1); + sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, NULL, "", 1, 1); if (!sni_ctx) goto mkcert_error; diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 7d29d70eb..29c7df874 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4787,7 +4787,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf) struct sni_ctx *sni_ctx; /* if we use the generate-certificates option, look for the first default cert available */ - sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, "", 1, 1); + sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, NULL, "", 1, 1); if (!sni_ctx) { ha_alert("Proxy '%s': no SSL certificate specified for bind '%s' and 'generate-certificates' option at [%s:%d] (use 'crt').\n", px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
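Review bot: In the src/ssl_gencert.c hunk, ssl_sock_do_create_cert() passes NULL as `conn` although certificate generation runs during a handshake; if that function has the SSL object or connection available (its parameter list is cut off in the hunk, so this is inferred), forwarding it instead of NULL would keep the generate-certificates lookup trace correlated with the client connection, which is the stated purpose of the new parameter. The NULL in the src/ssl_sock.c hunk (ssl_sock_prepare_bind_conf) is correct, since that path runs at configuration time with no connection. In either case a short comment at the NULL call sites, such as `/* no connection here: conn is only used for traces */`, would document the intent for the next reader.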