From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sat, 5 Dec 2015 04:45:43 +0000 (-0800)
Subject: Cleanup TLS: shuffle context creation to libsecurity
X-Git-Tag: SQUID_4_0_4~52
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=885f0ecf9b7d028ee78a680b25ecd73712ffe53c;p=thirdparty%2Fsquid.git

Cleanup TLS: shuffle context creation to libsecurity
---

diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 44593adbeb..9c2975a2d8 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -192,7 +192,36 @@ Security::PeerOptions::updateTlsVersionLimits()
     }
 }
 
-// XXX: make a GnuTLS variant
+Security::ContextPtr
+Security::PeerOptions::createBlankContext() const
+{
+    Security::ContextPtr t = nullptr;
+
+#if USE_OPENSSL
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+    t = SSL_CTX_new(TLS_client_method());
+#else
+    t = SSL_CTX_new(SSLv23_client_method());
+#endif
+    if (!t) {
+        const auto x = ERR_error_string(ERR_get_error(), nullptr);
+        fatalf("Failed to allocate TLS client context: %s\n", x);
+    }
+
+#elif USE_GNUTLS
+    // Initialize for X.509 certificate exchange
+    if (const int x = gnutls_certificate_allocate_credentials(&t)) {
+        fatalf("Failed to allocate TLS client context: error=%d\n", x);
+    }
+
+#else
+    fatal("Failed to allocate TLS client context: No TLS library\n");
+
+#endif
+
+    return t;
+}
+
 Security::ContextPtr
 Security::PeerOptions::createClientContext(bool setOptions)
 {
@@ -204,6 +233,10 @@ Security::PeerOptions::createClientContext(bool setOptions)
     // XXX: temporary performance regression. c_str() data copies and prevents this being a const method
     t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslCipher.c_str(),
                                (setOptions ? parsedOptions : 0), parsedFlags);
+
+#elif USE_GNUTLS && WHEN_READY_FOR_GNUTLS
+    t = createBlankContext();
+
 #endif
 
     if (t) {
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index 3fcedf7180..266a832121 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -32,6 +32,9 @@ public:
     /// reset the configuration details to default
     virtual void clear() {*this = PeerOptions();}
 
+    /// generate an unset security context object
+    virtual Security::ContextPtr createBlankContext() const;
+
     /// generate a security client-context from these configured options
     Security::ContextPtr createClientContext(bool setOptions);
 
diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index d6fbe948f7..f943011742 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -90,6 +90,36 @@ Security::ServerOptions::dumpCfg(Packable *p, const char *pfx) const
         p->appendf(" %sdh=" SQUIDSBUFPH, pfx, SQUIDSBUFPRINT(dh));
 }
 
+Security::ContextPtr
+Security::ServerOptions::createBlankContext() const
+{
+    Security::ContextPtr t = nullptr;
+
+#if USE_OPENSSL
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+    t = SSL_CTX_new(TLS_server_method());
+#else
+    t = SSL_CTX_new(SSLv23_server_method());
+#endif
+    if (!t) {
+        const auto x = ERR_error_string(ERR_get_error(), nullptr);
+        debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << x);
+    }
+
+#elif USE_GNUTLS
+    // Initialize for X.509 certificate exchange
+    if (const int x = gnutls_certificate_allocate_credentials(&t)) {
+        debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: error=" << x);
+    }
+
+#else
+    debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: No TLS library");
+
+#endif
+
+    return t;
+}
+
 void
 Security::ServerOptions::loadDhParams()
 {
diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h
index 2b38620600..1e69e38ef5 100644
--- a/src/security/ServerOptions.h
+++ b/src/security/ServerOptions.h
@@ -25,6 +25,7 @@ public:
     /* Security::PeerOptions API */
     virtual void parse(const char *);
     virtual void clear() {*this = ServerOptions();}
+    virtual Security::ContextPtr createBlankContext() const;
     virtual void dumpCfg(Packable *, const char *pfx) const;
 
     /// update the context with DH, EDH, EECDH settings
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 3ce6c43f72..223ce11a1f 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -562,17 +562,9 @@ sslCreateServerContext(AnyP::PortCfg &port)
 {
     ssl_initialize();
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-    Security::ContextPtr sslContext(SSL_CTX_new(TLS_server_method()));
-#else
-    Security::ContextPtr sslContext(SSL_CTX_new(SSLv23_server_method()));
-#endif
-
-    if (sslContext == NULL) {
-        const int ssl_error = ERR_get_error();
-        debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate SSL context: " << ERR_error_string(ssl_error, NULL));
-        return NULL;
-    }
+    Security::ContextPtr sslContext(port.secure.createBlankContext());
+    if (!sslContext)
+        return nullptr;
 
     if (!SSL_CTX_use_certificate(sslContext, port.signingCert.get())) {
         const int ssl_error = ERR_get_error();