From: Amos Jeffries Date: Mon, 19 Dec 2011 03:51:22 +0000 (+1300) Subject: Cleanup: remove https_port_list type X-Git-Tag: BumpSslServerFirst.take05~12^2~111 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=859741ed0f2a586d218e2a1dd4d64eccaa750e06;p=thirdparty%2Fsquid.git Cleanup: remove https_port_list type * Complete the merger with http_port_list and remove the https-specific struct * kept config file type for parser magics and backward compatibility
---
diff --git a/src/ProtoPort.cc b/src/ProtoPort.cc
index d558751c99..f2e636a831 100644
--- a/src/ProtoPort.cc
+++ b/src/ProtoPort.cc
@@ -1,8 +1,4 @@
-/*
- * $Id$
- */
-
-#include "squid.h"
+#include "config.h"
 #include "comm.h"
 #include "ProtoPort.h"
 #if HAVE_LIMITS
@@ -11,9 +7,7 @@ http_port_list::http_port_list(const char *aProtocol)
 #if USE_SSL
- :
- http(*this),
- dynamicCertMemCacheSize(std::numeric_limits::max())
+ : dynamicCertMemCacheSize(std::numeric_limits::max())
 #endif
 {
 protocol = xstrdup(aProtocol);
@@ -42,12 +36,3 @@ http_port_list::~http_port_list()
 safe_free(sslContextSessionId);
 #endif
 }
-
-
-#if USE_SSL
-
-https_port_list::https_port_list(): http_port_list("https")
-{
-}
-
-#endif
diff --git a/src/ProtoPort.h b/src/ProtoPort.h
index d80fa00891..26720aad01 100644
--- a/src/ProtoPort.h
+++ b/src/ProtoPort.h
@@ -51,9 +51,6 @@ struct http_port_list {
 Comm::ConnectionPointer listenConn;
 #if USE_SSL
- // XXX: temporary hack to ease move of SSL options to http_port
- http_port_list &http;
-
 char *cert;
 char *key;
 int version;
@@ -78,13 +75,4 @@ struct http_port_list {
 CBDATA_CLASS2(http_port_list);
 };
-
-#if USE_SSL
-
-struct https_port_list: public http_port_list {
- https_port_list();
-};
-
-#endif
-
 #endif /* SQUID_PROTO_PORT_H */
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 610ab87120..bacec750b8 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -189,17 +189,16 @@ static int check_null_IpAddress_list(const Ip::Address_list *);
 #endif /* CURRENTLY_UNUSED */
 #endif /* USE_WCCPv2 */
-static void parse_http_port_list(http_port_list **);
+static void parsePortList(http_port_list **, const char *protocol);
+#define parse_http_port_list(l) parsePortList((l),"http")
 static void dump_http_port_list(StoreEntry *, const char *, const http_port_list *);
 static void free_http_port_list(http_port_list **);
 #if USE_SSL
-static void parse_https_port_list(https_port_list **);
-static void dump_https_port_list(StoreEntry *, const char *, const https_port_list *);
-static void free_https_port_list(https_port_list **);
-#if 0
-static int check_null_https_port_list(const https_port_list *);
-#endif
+#define parse_https_port_list(l) parsePortList((l),"https")
+#define dump_https_port_list(e,n,l) dump_http_port_list((e),(n),(l))
+#define free_https_port_list(l) free_http_port_list((l))
+#define check_null_https_port_list(l) check_null_http_port_list((l))
 #endif /* USE_SSL */
 static void parse_b_size_t(size_t * var);
@@ -904,7 +903,7 @@ configDoConfigure(void)
 if (!s->cert && !s->key)
 continue;
- debugs(3, 1, "Initializing http_port " << s->http.s << " SSL context");
+ debugs(3, 1, "Initializing http_port " << s->s << " SSL context");
 s->staticSslContext.reset(
 sslCreateServerContext(s->cert, s->key,
@@ -918,10 +917,10 @@ configDoConfigure(void)
 {
- https_port_list *s;
+ http_port_list *s;
- for (s = Config.Sockaddr.https; s != NULL; s = (https_port_list *) s->http.next) {
- debugs(3, 1, "Initializing https_port " << s->http.s << " SSL context");
+ for (s = Config.Sockaddr.https; s != NULL; s = s->next) {
+ debugs(3, 1, "Initializing https_port " << s->s << " SSL context");
 s->staticSslContext.reset(
 sslCreateServerContext(s->cert, s->key,
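Review bot: The four `#define` aliases added under `#if USE_SSL` replace type-checked static functions with function-like macros, and `check_null_https_port_list` now expands to `check_null_http_port_list`, a function that is declared nowhere in this diff (the https variant it replaces was compiled out under `#if 0`). If that function does not exist, the macro only fails at whatever expansion site uses it, far from this declaration block. Thin static wrappers keep the argument types visible to the compiler and are steppable in a debugger, e.g. `static void parse_https_port_list(http_port_list **l) { parsePortList(l, "https"); }`, with the dump, free and check_null aliases written the same way; the `parse_http_port_list` alias just above them would benefit equally.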
@@ -3518,7 +3517,7 @@ check_null_IpAddress_list(const Ip::Address_list * s)
 CBDATA_CLASS_INIT(http_port_list);
 static void
-parse_http_port_specification(http_port_list * s, char *token)
+parsePortSpecification(http_port_list * s, char *token)
 {
 char *host = NULL;
 unsigned short port = 0;
@@ -3534,16 +3533,16 @@ parse_http_port_specification(http_port_list * s, char *token)
 host = token + 1;
 t = strchr(host, ']');
 if (!t) {
- debugs(3, 0, "http(s)_port: missing ']' on IPv6 address: " << token);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: missing ']' on IPv6 address: " << token);
 self_destruct();
 }
 *t++ = '\0';
 if (*t != ':') {
- debugs(3, 0, "http(s)_port: missing Port in: " << token);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: missing Port in: " << token);
 self_destruct();
 }
 if (!Ip::EnableIpv6) {
- debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: IPv6 is not available.");
+ debugs(3, DBG_CRITICAL, "FATAL: " << s->protocol << "_port: IPv6 is not available.");
 self_destruct();
 }
 port = xatos(t + 1);
@@ -3556,14 +3555,14 @@ parse_http_port_specification(http_port_list * s, char *token)
 } else if ((port = strtol(token, &junk, 10)), !*junk) {
 /* port */
- debugs(3, 3, "http(s)_port: found Listen on Port: " << port);
+ debugs(3, 3, s->protocol << "_port: found Listen on Port: " << port);
 } else {
- debugs(3, 0, "http(s)_port: missing Port: " << token);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: missing Port: " << token);
 self_destruct();
 }
- if (port == 0) {
- debugs(3, 0, "http(s)_port: Port cannot be 0: " << token);
+ if (port == 0 && host != NULL) {
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: Port cannot be 0: " << token);
 self_destruct();
 }
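Review bot: The guard `if (port == 0 && host != NULL)` in the last hunk loosens the original `if (port == 0)`: a bare `0` port token leaves `host` NULL, so it no longer trips the fatal check and appears to fall through to the wildcard branch with `s->s.SetPort(0)`, which would bind an OS-chosen ephemeral port that nothing in the configuration names. That is a behaviour change in input validation, unrelated to the type cleanup and not mentioned in the commit message. If it is intended, the line needs a comment stating why a port-0 wildcard is acceptable; otherwise keep `if (port == 0) {`. The function continues past this hunk, so the branch that consumes a NULL host is not visible here.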
@@ -3572,21 +3571,21 @@ parse_http_port_specification(http_port_list * s, char *token)
 s->s.SetPort(port);
 if (!Ip::EnableIpv6)
 s->s.SetIPv4();
- debugs(3, 3, "http(s)_port: found Listen on wildcard address: *:" << s->s.GetPort() );
+ debugs(3, 3, s->protocol << "_port: found Listen on wildcard address: *:" << s->s.GetPort() );
 } else if ( (s->s = host) ) { /* check/parse numeric IPA */
 s->s.SetPort(port);
 if (!Ip::EnableIpv6)
 s->s.SetIPv4();
- debugs(3, 3, "http(s)_port: Listen on Host/IP: " << host << " --> " << s->s);
+ debugs(3, 3, s->protocol << "_port: Listen on Host/IP: " << host << " --> " << s->s);
 } else if ( s->s.GetHostByName(host) ) { /* check/parse for FQDN */
 /* dont use ipcache */
 s->defaultsite = xstrdup(host);
 s->s.SetPort(port);
 if (!Ip::EnableIpv6)
 s->s.SetIPv4();
- debugs(3, 3, "http(s)_port: found Listen as Host " << s->defaultsite << " on IP: " << s->s);
+ debugs(3, 3, s->protocol << "_port: found Listen as Host " << s->defaultsite << " on IP: " << s->s);
 } else {
- debugs(3, 0, "http(s)_port: failed to resolve Host/IP: " << host);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: failed to resolve Host/IP: " << host);
 self_destruct();
 }
 }
@@ -3790,18 +3789,11 @@ parse_http_port_option(http_port_list * s, char *token)
 }
 }
-static http_port_list *
-create_http_port(char *portspec)
-{
- http_port_list *s = new http_port_list("http");
- parse_http_port_specification(s, portspec);
- return s;
-}
-
 void
 add_http_port(char *portspec)
 {
- http_port_list *s = create_http_port(portspec);
+ http_port_list *s = new http_port_list("http");
+ parsePortSpecification(s, portspec);
 // we may need to merge better of the above returns a list with clones
 assert(s->next == NULL);
 s->next = Config.Sockaddr.http;
@@ -3859,7 +3851,7 @@ clone_http_port_list(http_port_list *a)
 }
 static void
-parse_http_port_list(http_port_list ** head)
+parsePortList(http_port_list ** head, const char *protocol)
 {
 char *token = strtok(NULL, w_space);
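Review bot: In the `add_http_port` hunk the deleted `create_http_port` helper is inlined as `new http_port_list("http")` plus `parsePortSpecification(s, portspec)`, and the next hunk repeats the same pair inside `parsePortList` with `protocol` in place of the literal. Since the protocol string is the only difference, keeping the helper with a protocol parameter, `static http_port_list *createPort(const char *protocol, char *portspec)`, would leave a single allocate-and-parse path to maintain when the specification parser changes. The body of `add_http_port` continues past the hunk.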
@@ -3868,7 +3860,8 @@ parse_http_port_list(http_port_list ** head)
 return;
 }
- http_port_list *s = create_http_port(token);
+ http_port_list *s = new http_port_list(protocol);
+ parsePortSpecification(s, token);
 /* parse options ... */
 while ((token = strtok(NULL, w_space))) {
@@ -3879,7 +3872,7 @@ parse_http_port_list(http_port_list ** head)
 // clone the port options from *s to *(s->next)
 s->next = clone_http_port_list(s);
 s->next->s.SetIPv4();
- debugs(3, 3, "http(s)_port: clone wildcard address for split-stack: " << s->s << " and " << s->next->s);
+ debugs(3, 3, protocol << "_port: clone wildcard address for split-stack: " << s->s << " and " << s->next->s);
 }
 while (*head)
@@ -4032,59 +4025,6 @@ free_http_port_list(http_port_list ** head)
 }
 }
-#if USE_SSL
-
-// TODO: merge better with parse_http_port_list
-static void
-parse_https_port_list(https_port_list ** head)
-{
- char *token;
- https_port_list *s;
-
- token = strtok(NULL, w_space);
-
- if (!token)
- self_destruct();
-
- s = new https_port_list;
- parse_http_port_specification(&s->http, token);
-
- /* parse options ... */
- while ((token = strtok(NULL, w_space))) {
- parse_http_port_option(s, token);
- }
-
- while (*head) {
- http_port_list ** headTmp = &(*head)->http.next;
- head = (https_port_list **)headTmp;
- }
-
- *head = s;
-}
-
-static void
-dump_https_port_list(StoreEntry * e, const char *n, const https_port_list * s)
-{
- dump_http_port_list(e, n, s);
-}
-
-static void
-free_https_port_list(https_port_list ** head)
-{
- free_http_port_list((http_port_list**)head);
-}
-
-#if 0
-static int
-check_null_https_port_list(const https_port_list * s)
-{
- return NULL == s;
-}
-
-#endif
-
-#endif /* USE_SSL */
-
 void
 configFreeMemory(void)
 {
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 13487eb7bc..eac6677394 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1363,6 +1363,28 @@ DOC_START SSL Bump Mode Options: + In addition to these options ssl-bump requires TLS/SSL options. + + generate-host-certificates[=] + Dynamically create SSL server certificates for the + destination hosts of bumped CONNECT requests.When + enabled, the cert and key options are used to sign + generated certificates. Otherwise generated + certificate will be selfsigned. + If there is a CA certificate lifetime of the generated + certificate equals lifetime of the CA certificate. If + generated certificate is selfsigned lifetime is three + years. + This option is enabled by default when ssl-bump is used. + See the ssl-bump option above for more information. + + dynamic_cert_mem_cache_size=SIZE + Approximate total RAM size spent on cached generated + certificates. If set to zero, caching is disabled. The + default value is 4MB. An average XXX-bit certificate + consumes about XXX bytes of RAM. + + TLS / SSL Options: cert= Path to SSL certificate (PEM format). @@ -1433,25 +1455,6 @@ DOC_START sslcontext= SSL session ID context identifier. - generate-host-certificates[=] - Dynamically create SSL server certificates for the - destination hosts of bumped CONNECT requests.When - enabled, the cert and key options are used to sign - generated certificates. Otherwise generated - certificate will be selfsigned. - If there is CA certificate life time of generated - certificate equals lifetime of CA certificate. If - generated certificate is selfsigned lifetime is three - years. - This option is enabled by default when SslBump is used. - See the sslBump option above for more information. - - dynamic_cert_mem_cache_size=SIZE - Approximate total RAM size spent on cached generated - certificates. If set to zero, caching is disabled. The - default value is 4MB. An average XXX-bit certificate - consumes about XXX bytes of RAM. - Other Options: connection-auth[=on|off] 
@@ -1504,90 +1507,16 @@ LOC: Config.Sockaddr.https DOC_START Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] - The socket address where Squid will listen for HTTPS client - requests. + The socket address where Squid will listen for client requests made + over TLS or SSL connections. Commonly referred to as HTTPS. - This is really only useful for situations where you are running - squid in accelerator mode and you want to do the SSL work at the - accelerator level. + This is most useful for situations where you are running squid in + accelerator mode and you want to do the SSL work at the accelerator level. You may specify multiple socket addresses on multiple lines, each with their own SSL certificate and/or options. - Modes: - - accel Accelerator / reverse proxy mode - - Omitting the mode flag causes default forward proxy mode to be used. - - - See http_port for a list of generic options - - - SSL Options: - - cert= Path to SSL certificate (PEM format). - - key= Path to SSL private key file (PEM format) - if not specified, the certificate file is - assumed to be a combined certificate and - key file. - - version= The version of SSL/TLS supported - 1 automatic (default) - 2 SSLv2 only - 3 SSLv3 only - 4 TLSv1 only - - cipher= Colon separated list of supported ciphers. - - options= Various SSL engine options. The most important - being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE Always create a new key when using - temporary/ephemeral DH key exchanges - See src/ssl_support.c or OpenSSL SSL_CTX_set_options - documentation for a complete list of options. - - clientca= File containing the list of CAs to use when - requesting a client certificate. - - cafile= File containing additional CA certificates to - use when verifying client certificates. If unset - clientca will be used. 
- - capath= Directory containing additional CA certificates - and CRL lists to use when verifying client certificates. - - crlfile= File of additional CRL lists to use when verifying - the client certificate, in addition to CRLs stored in - the capath. Implies VERIFY_CRL flag below. - - dhparams= File containing DH parameters for temporary/ephemeral - DH key exchanges. - - sslflags= Various flags modifying the use of SSL: - DELAYED_AUTH - Don't request client certificates - immediately, but wait until acl processing - requires a certificate (not yet implemented). - NO_DEFAULT_CA - Don't use the default CA lists built in - to OpenSSL. - NO_SESSION_REUSE - Don't allow for session reuse. Each connection - will result in a new SSL session. - VERIFY_CRL - Verify CRL lists when accepting client - certificates. - VERIFY_CRL_ALL - Verify CRL lists for all certificates in the - client certificate chain. - - sslcontext= SSL session ID context identifier. - + See http_port for a list of available options. DOC_END NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp diff --git a/src/client_side.cc b/src/client_side.cc index 230ecffe8c..6e146ac77e 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -3438,7 +3438,7 @@ clientNegotiateSSL(int fd, void *data) static void httpsAccept(const CommAcceptCbParams ¶ms) { - https_port_list *s = (https_port_list *)params.data; + http_port_list *s = (http_port_list *)params.data; if (params.flag != COMM_OK) { // Its possible the call was still queued when the client disconnected 
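Review bot: `http_port_list *s = (http_port_list *)params.data;` in `httpsAccept` keeps a C-style cast from `void *` where `static_cast<http_port_list *>(params.data)` expresses the same conversion and is greppable; a C-style cast would also silently accept a later change of `params.data` to an unrelated pointer type, which matters in a commit whose whole purpose is changing the type that arrives here. The rest of `httpsAccept` continues past this hunk.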
@@ -3454,14 +3454,14 @@ httpsAccept(const CommAcceptCbParams ¶ms)
 debugs(33, 4, HERE << params.conn << " accepted, starting SSL negotiation.");
 fd_note(params.conn->fd, "client https connect");
- if (s->http.tcp_keepalive.enabled) {
- commSetTcpKeepalive(params.conn->fd, s->http.tcp_keepalive.idle, s->http.tcp_keepalive.interval, s->http.tcp_keepalive.timeout);
+ if (s->tcp_keepalive.enabled) {
+ commSetTcpKeepalive(params.conn->fd, s->tcp_keepalive.idle, s->tcp_keepalive.interval, s->tcp_keepalive.timeout);
 }
 incoming_sockets_accepted++;
 // Socket is ready, setup the connection manager to start using it
- ConnStateData *connState = connStateCreate(params.conn, &s->http);
+ ConnStateData *connState = connStateCreate(params.conn, s);
 typedef CommCbMemFunT TimeoutDialer;
 AsyncCall::Pointer timeoutCall = JobCallback(33, 5,
@@ -3650,12 +3650,12 @@ clientHttpConnectionsOpen(void)
 #if USE_SSL
 if (s->sslBump && !Config.accessList.ssl_bump) {
- debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << s->protocol << "_port " << s->http.s);
+ debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << s->protocol << "_port " << s->s);
 s->sslBump = 0;
 }
 if (s->sslBump && !s->staticSslContext && !s->generateHostCertificates) {
- debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->http.s << " due to SSL initialization failure.");
+ debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure.");
 s->sslBump = 0;
 }
 if (s->sslBump) {
@@ -3687,9 +3687,9 @@ clientHttpConnectionsOpen(void)
 static void
 clientHttpsConnectionsOpen(void)
 {
- https_port_list *s;
+ http_port_list *s;
- for (s = Config.Sockaddr.https; s; s = (https_port_list *)s->http.next) {
+ for (s = Config.Sockaddr.https; s; s = s->next) {
 if (MAXHTTPPORTS == NHttpSockets) {
 debugs(1, 1, "Ignoring 'https_port' lines exceeding the limit.");
 debugs(1, 1, "The limit is " << MAXHTTPPORTS << " HTTPS ports.");
@@ -3697,16 +3697,16 @@ clientHttpsConnectionsOpen(void)
 }
 if (!s->staticSslContext) {
- debugs(1, 1, "Ignoring https_port " << s->http.s <<
+ debugs(1, 1, "Ignoring https_port " << s->s <<
 " due to SSL initialization failure.");
 continue;
 }
 // Fill out a Comm::Connection which IPC will open as a listener for us
- s->http.listenConn = new Comm::Connection;
- s->http.listenConn->local = s->http.s;
- s->http.listenConn->flags = COMM_NONBLOCKING | (s->http.spoof_client_ip ? COMM_TRANSPARENT : 0) |
- (s->http.intercepted ? COMM_INTERCEPTION : 0);
+ s->listenConn = new Comm::Connection;
+ s->listenConn->local = s->s;
+ s->listenConn->flags = COMM_NONBLOCKING | (s->spoof_client_ip ? COMM_TRANSPARENT : 0) |
+ (s->intercepted ? COMM_INTERCEPTION : 0);
 // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS
 typedef CommCbFunPtrCallT AcceptCall;
@@ -3715,7 +3715,7 @@ clientHttpsConnectionsOpen(void)
 AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened",
 ListeningStartedDialer(&clientListenerConnectionOpened,
- &s->http, Ipc::fdnHttpsSocket, sub));
+ s, Ipc::fdnHttpsSocket, sub));
 Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall);
 HttpSockets[NHttpSockets++] = -1;
 }
diff --git a/src/structs.h b/src/structs.h
index 56a3c6433e..f677de8d01 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -144,6 +144,8 @@ struct relist {
 class CpuAffinityMap;
 class RemovalPolicySettings;
 class external_acl;
+class Store;
+struct http_port_list;
 class SwapDir;
 /// Used for boolean enabled/disabled options with complex default logic.
@@ -245,8 +247,7 @@ struct SquidConfig {
 struct {
 http_port_list *http;
 #if USE_SSL
-
- https_port_list *https;
+ http_port_list *https;
 #endif
 } Sockaddr;
diff --git a/src/tools.cc b/src/tools.cc
index 4b7a0ad921..10231afd6d 100644
--- a/src/tools.cc
+++ b/src/tools.cc
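Review bot: `class Store;` is added to the forward declarations in structs.h although no use of `Store` appears anywhere in this diff and the commit message describes only the `https_port_list` removal; an unrelated declaration in a cleanup commit should be explained in the message or dropped so the change stays reviewable as what it claims to be. The adjacent `struct http_port_list;` is the one this change actually needs, since the typedefs.h hunk below removes the declaration that used to provide it.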
@@ -610,7 +610,7 @@ getMyHostname(void)
 #if USE_SSL
 if (Config.Sockaddr.https && sa.IsAnyAddr())
- sa = Config.Sockaddr.https->http.s;
+ sa = Config.Sockaddr.https->s;
 #endif
@@ -1269,7 +1269,7 @@ getMyPort(void)
 #if USE_SSL
 if (Config.Sockaddr.https)
- return Config.Sockaddr.https->http.s.GetPort();
+ return Config.Sockaddr.https->s.GetPort();
 #endif
 debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured.");
diff --git a/src/typedefs.h b/src/typedefs.h
index 438ffc85f9..f7ba5b0051 100644
--- a/src/typedefs.h
+++ b/src/typedefs.h
@@ -47,9 +47,6 @@ typedef struct {
 size_t kb;
 } kb_t;
-struct http_port_list;
-struct https_port_list;
-
 typedef struct _close_handler close_handler;
 typedef struct _dread_ctrl dread_ctrl;