From: Amos Jeffries Date: Tue, 20 Sep 2016 12:41:25 +0000 (+1200) Subject: Cleanup: Security::ContextPtr removal, pt2 X-Git-Tag: SQUID_4_0_15~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=900daee3793dad09f34a697209fb8f6905fb4cf0;p=thirdparty%2Fsquid.git Cleanup: Security::ContextPtr removal, pt2 Make the ContextPointer for client TLS contexts extend out of libsecurity up the stack of callers to their main place of med/long-term storage. This means the code outside location where SSL contexts are created mostly no longer needs to worry about (non-)locking details. Just about using a smart Pointer properly. Since class SquidConfig is one of those places this involves linking pinger with openssl libraries. That is likely a bug to fix later.
---
diff --git a/src/CachePeer.cc b/src/CachePeer.cc
index 964948ad5b..0a4ccebfaa 100644
--- a/src/CachePeer.cc
+++ b/src/CachePeer.cc
@@ -40,9 +40,6 @@ CachePeer::CachePeer() :
 connect_fail_limit(0),
 max_conn(0),
 domain(NULL),
-#if USE_OPENSSL
- sslContext(NULL),
-#endif
 front_end_https(0),
 connection_auth(2 /* auto */)
 {
@@ -97,10 +94,5 @@ CachePeer::~CachePeer()
 PeerPoolMgr::Checkpoint(standby.mgr, "peer gone");
 xfree(domain);
-
-#if USE_OPENSSL
- if (sslContext)
- SSL_CTX_free(sslContext);
-#endif
 }
diff --git a/src/CachePeer.h b/src/CachePeer.h
index 67a6302ae3..8f951fe22d 100644
--- a/src/CachePeer.h
+++ b/src/CachePeer.h
@@ -183,7 +183,7 @@ public:
 /// security settings for peer connection
 Security::PeerOptions secure;
- Security::ContextPtr sslContext;
+ Security::ContextPointer sslContext;
 Security::SessionStatePointer sslSession;
 int front_end_https;
diff --git a/src/SquidConfig.h b/src/SquidConfig.h
index 3ee1247898..90eacd6bb1 100644
--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -505,7 +505,7 @@ public:
 external_acl *externalAclHelperList;
 struct {
- Security::ContextPtr sslContext;
+ Security::ContextPointer sslContext;
 #if USE_OPENSSL
 char *foreignIntermediateCertsPath;
 acl_access *cert_error;
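Review bot: The new `Security::ContextPointer sslContext` member in CachePeer.h carries no comment while the neighbouring `secure` member is documented, and the member now matters more: its destructor replaces the explicit `SSL_CTX_free` removed from `CachePeer::~CachePeer()`, and connectors hand the context out as a raw `ContextPtr` via `peer->sslContext.get()` elsewhere in this commit. Suggest `/// TLS context for connections to this peer; owned here, lent to connectors only as a borrowed raw ContextPtr`. The same documentation gap applies to the `ssl_client.sslContext` member changed in SquidConfig.h. Where the peer context is populated is not visible in this diff.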
diff --git a/src/adaptation/icap/ServiceRep.cc b/src/adaptation/icap/ServiceRep.cc
index 14996a7fa8..ef19473d11 100644
--- a/src/adaptation/icap/ServiceRep.cc
+++ b/src/adaptation/icap/ServiceRep.cc
@@ -33,7 +33,6 @@ CBDATA_NAMESPACED_CLASS_INIT(Adaptation::Icap, ServiceRep);
 Adaptation::Icap::ServiceRep::ServiceRep(const ServiceConfigPointer &svcCfg): AsyncJob("Adaptation::Icap::ServiceRep"), Adaptation::Service(svcCfg),
- sslContext(NULL),
 theOptions(NULL), theOptionsFetcher(0), theLastUpdate(0), theBusyConns(0), theAllWaiters(0),
diff --git a/src/adaptation/icap/ServiceRep.h b/src/adaptation/icap/ServiceRep.h
index 579bfbd574..e8a0838e28 100644
--- a/src/adaptation/icap/ServiceRep.h
+++ b/src/adaptation/icap/ServiceRep.h
@@ -110,7 +110,7 @@ public:
 // treat these as private, they are for callbacks only
 // receive either an ICAP OPTIONS response header or an abort message
 virtual void noteAdaptationAnswer(const Answer &answer);
- Security::ContextPtr sslContext;
+ Security::ContextPointer sslContext;
 Security::SessionStatePointer sslSession;
 private:
diff --git a/src/adaptation/icap/Xaction.cc b/src/adaptation/icap/Xaction.cc
index 74b03938e3..7b8ed668c4 100644
--- a/src/adaptation/icap/Xaction.cc
+++ b/src/adaptation/icap/Xaction.cc
@@ -64,7 +64,9 @@ public:
 /* Security::PeerConnector API */
 virtual bool initialize(Security::SessionPointer &);
 virtual void noteNegotiationDone(ErrorState *error);
- virtual Security::ContextPtr getSslContext() {return icapService->sslContext;}
+ virtual Security::ContextPtr getSslContext() {
+ return icapService->sslContext.get();
+ }
 private:
 Adaptation::Icap::ServiceRep::Pointer icapService;
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 3a6a76a95e..7c094473e4 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -880,7 +880,7 @@ configDoConfigure(void)
 #endif
 }
 #if USE_OPENSSL
- Ssl::useSquidUntrusted(Config.ssl_client.sslContext);
+ Ssl::useSquidUntrusted(Config.ssl_client.sslContext.get());
 #endif
 }
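Review bot: `getSslContext()` in Xaction.cc now returns `icapService->sslContext.get()`, a raw pointer that carries none of the reference counting this commit introduces, so its validity rests on `icapService` keeping its `ContextPointer` alive for as long as the caller uses the result. The PeerConnector API still returns `Security::ContextPtr`, so the raw hand-off is unavoidable here, but the borrowed nature should be stated at the definition: `/// borrowed from icapService; valid only while that ServiceRep holds its sslContext`. The same `.get()` hand-off appears in `Security::BlindPeerConnector::getSslContext()` and `Ssl::PeekingPeerConnector::getSslContext()` later in this commit, where the source is the global `::Config.ssl_client.sslContext` that `configFreeMemory()` now `reset()`s; a follow-up changing the API to return `Security::ContextPointer` would remove that window.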
@@ -3903,8 +3903,8 @@ void
 configFreeMemory(void)
 {
 free_all();
+ Config.ssl_client.sslContext.reset();
 #if USE_OPENSSL
- SSL_CTX_free(Config.ssl_client.sslContext);
 Ssl::unloadSquidUntrusted();
 #endif
 }
diff --git a/src/icmp/Makefile.am b/src/icmp/Makefile.am
index 685ea87d83..b6cc6d2242 100644
--- a/src/icmp/Makefile.am
+++ b/src/icmp/Makefile.am
@@ -67,6 +67,7 @@ pinger_LDADD=\
 $(top_builddir)/src/ip/libip.la \
 $(top_builddir)/src/base/libbase.la \
 $(COMPAT_LIB) \
+ $(SSLLIB) \
 $(XTRA_LIBS)
 CLEANFILES += $(COPIED_SOURCE)
diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc
index 578e0e18cd..136f5a23ee 100644
--- a/src/security/BlindPeerConnector.cc
+++ b/src/security/BlindPeerConnector.cc
@@ -24,10 +24,9 @@ Security::BlindPeerConnector::getSslContext()
 {
 if (const CachePeer *peer = serverConnection()->getPeer()) {
 assert(peer->secure.encryptTransport);
- Security::ContextPtr sslContext(peer->sslContext);
- return sslContext;
+ return peer->sslContext.get();
 }
- return ::Config.ssl_client.sslContext;
+ return ::Config.ssl_client.sslContext.get();
 }
 bool
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index c0a9a18147..53247611f8 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -249,12 +249,12 @@ Security::PeerOptions::createBlankContext() const
 return ctx;
 }
-Security::ContextPtr
+Security::ContextPointer
 Security::PeerOptions::createClientContext(bool setOptions)
 {
 updateTlsVersionLimits();
- Security::ContextPointer t = createBlankContext();
+ Security::ContextPointer t(createBlankContext());
 if (t) {
 #if USE_OPENSSL
 // XXX: temporary performance regression. c_str() data copies and prevents this being a const method
@@ -265,7 +265,7 @@ Security::PeerOptions::createClientContext(bool setOptions)
 updateContextCrl(t.get());
 }
- return t.release();
+ return t;
 }
 /// set of options we can parse and what they map to
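Review bot: Adding `$(SSLLIB)` to `pinger_LDADD` links libssl/libcrypto into a helper that uses no TLS itself and is typically installed with elevated privileges to open raw ICMP sockets, so it grows the code carried by that privileged process with no functional gain; the commit message already calls this a bug to fix later, but the build file gives the next reader no hint of why the line exists. Record the reason at the point of the dependency: `# XXX: needed only because SquidConfig.h now embeds a Security::ContextPointer; pinger itself uses no TLS`. The proper fix is presumably to keep the TLS context out of the headers pinger compiles, so that this line can be removed again.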
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index 5543355a89..bd9e2a7692 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -36,7 +36,7 @@ public:
 virtual Security::ContextPointer createBlankContext() const;
 /// generate a security client-context from these configured options
- Security::ContextPtr createClientContext(bool setOptions);
+ Security::ContextPointer createClientContext(bool setOptions);
 /// sync the context options with tls-min-version=N configuration
 void updateTlsVersionLimits();
diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index e866168206..2a8f985b22 100644
--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -129,8 +129,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess() const
 Security::ContextPtr
 Ssl::PeekingPeerConnector::getSslContext()
 {
- // XXX: locate a per-server context in Security:: instead
- return ::Config.ssl_client.sslContext;
+ return ::Config.ssl_client.sslContext.get();
 }
 bool
diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
index 4a84987832..0ec8d2262e 100644
--- a/src/tests/stub_libsecurity.cc
+++ b/src/tests/stub_libsecurity.cc
@@ -69,7 +69,7 @@ void PeerConnector::recordNegotiationDetails() STUB
 #include "security/PeerOptions.h"
 Security::PeerOptions Security::ProxyOutgoingConfig;
 void Security::PeerOptions::parse(char const*) STUB
-Security::ContextPtr Security::PeerOptions::createClientContext(bool) STUB_RETVAL(NULL)
+Security::ContextPointer Security::PeerOptions::createClientContext(bool) STUB_RETVAL(Security::ContextPointer())
 void Security::PeerOptions::updateTlsVersionLimits() STUB
 Security::ContextPointer Security::PeerOptions::createBlankContext() const STUB_RETVAL(Security::ContextPointer())
 void Security::PeerOptions::updateContextCa(Security::ContextPtr) STUB
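Review bot: The removed `// XXX: locate a per-server context in Security:: instead` comment in PeekingPeerConnector.cc recorded an open design issue that this commit does not resolve — `Ssl::PeekingPeerConnector::getSslContext()` still returns the single global `::Config.ssl_client.sslContext`, merely via `.get()` now. Dropping the marker hides the gap from the next reader; keep the line as `// XXX: locate a per-server context in Security:: instead` above the return, or point to the tracking item if one exists.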