From: Willy Tarreau
Date: Wed, 4 May 2022 17:51:37 +0000 (+0200)
Subject: CLEANUP: ssl/cli: use a local context for "show ssl cert"
X-Git-Tag: v2.6-dev9~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96c9a6c752d9e521876471402650da13c765eba4;p=thirdparty%2Fhaproxy.git
CLEANUP: ssl/cli: use a local context for "show ssl cert"
This command only really uses old_ckchs, cur_ckchs and the index in which the transaction was stored. The new structure "show_cert_ctx" only has these 3 fields, and the now unused "cur_ckchs" and "index" could be removed from the shared ssl context.
---
diff --git a/include/haproxy/applet-t.h b/include/haproxy/applet-t.h
index e3a594a575..a0b4e9e34e 100644
--- a/include/haproxy/applet-t.h
+++ b/include/haproxy/applet-t.h
@@ -143,7 +143,6 @@ struct appctx {
 struct ckch_store *old_ckchs;
 struct ckch_store *new_ckchs;
 struct ckch_inst *next_ckchi;
- struct ckch_store *cur_ckchs;
 struct ckch_inst_link *next_ckchi_link;
 struct cafile_entry *old_cafile_entry;
@@ -152,7 +151,6 @@ struct appctx {
 struct cafile_entry *old_crlfile_entry;
 struct cafile_entry *new_crlfile_entry;
 int cafile_type; /* either CA or CRL, depending on the current command */
- int index;
 } ssl;
 struct {
 void *ptr;
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 47a17790ff..48127de592 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -77,6 +77,14 @@ struct show_crlfile_ctx {
 int index;
 };
+/* CLI context used by "show cert" */
+struct show_cert_ctx {
+ struct ckch_store *old_ckchs;
+ struct ckch_store *cur_ckchs;
+ int transaction;
+};
+
+
 /******************** cert_key_and_chain functions *************************
 * These are the functions that fills a cert_key_and_chain structure. For the 
@@ -1247,10 +1255,11 @@ static void cli_release_show_cert(struct appctx *appctx)
 }
 /* IO handler of "show ssl cert ".
- * It makes use of ctx.ssl.cur_ckchs, ctx.ssl.old_ckchs.
+ * It makes use of a show_cert_ctx context, and ckchs_transaction in read-only.
 */
 static int cli_io_handler_show_cert(struct appctx *appctx)
 {
+ struct show_cert_ctx *ctx = appctx->svcctx;
 struct buffer *trash = alloc_trash_chunk();
 struct ebmb_node *node;
 struct conn_stream *cs = appctx->owner;
@@ -1259,7 +1268,7 @@ static int cli_io_handler_show_cert(struct appctx *appctx)
 if (trash == NULL)
 return 1;
- if (!appctx->ctx.ssl.old_ckchs) {
+ if (!ctx->old_ckchs) {
 if (ckchs_transaction.old_ckchs) {
 ckchs = ckchs_transaction.old_ckchs;
 chunk_appendf(trash, "# transaction\n");
@@ -1267,11 +1276,11 @@ static int cli_io_handler_show_cert(struct appctx *appctx)
 }
 }
- if (!appctx->ctx.ssl.cur_ckchs) {
+ if (!ctx->cur_ckchs) {
 chunk_appendf(trash, "# filename\n");
 node = ebmb_first(&ckchs_tree);
 } else {
- node = &((struct ckch_store *)appctx->ctx.ssl.cur_ckchs)->node;
+ node = &ctx->cur_ckchs->node;
 }
 while (node) {
 ckchs = ebmb_entry(node, struct ckch_store, node);
@@ -1284,13 +1293,13 @@ static int cli_io_handler_show_cert(struct appctx *appctx)
 }
 }
- appctx->ctx.ssl.cur_ckchs = NULL;
+ ctx->cur_ckchs = NULL;
 free_trash_chunk(trash);
 return 1;
 yield:
 free_trash_chunk(trash);
- appctx->ctx.ssl.cur_ckchs = ckchs;
+ ctx->cur_ckchs = ckchs;
 return 0; /* should come back */
 }
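Review bot: `ctx->old_ckchs` is tested on the `if (!ctx->old_ckchs)` line of the @@ -1259 hunk, but no hunk in this patch ever assigns it — cli_parse_show_cert only fills `cur_ckchs` and `transaction` — so that branch is entered only if the storage handed out by `applet_reserve_svcctx()` is zero-initialized. If the applet layer guarantees that (not visible from here), the new struct deserves a comment saying so, e.g. `struct ckch_store *old_ckchs; /* never assigned; relies on zeroed svcctx storage */`; if it does not, cli_parse_show_cert should set `ctx->old_ckchs = NULL;` explicitly. The previous code had the same dependency on the shared ssl context being zeroed, so this is not new behaviour, only a new place where it is easy to lose. The body of cli_io_handler_show_cert spans several hunks and closes after the `return 0; /* should come back */` line.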
@@ -1650,12 +1659,13 @@ static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buf
 /* IO handler of the details "show ssl cert ".
- * It uses ctx.ssl.cur_ckchs.
+ * It uses a struct show_cert_ctx and ckchs_transaction in read-only.
 */
 static int cli_io_handler_show_cert_detail(struct appctx *appctx)
 {
+ struct show_cert_ctx *ctx = appctx->svcctx;
 struct conn_stream *cs = appctx->owner;
- struct ckch_store *ckchs = appctx->ctx.ssl.cur_ckchs;
+ struct ckch_store *ckchs = ctx->cur_ckchs;
 struct buffer *out = alloc_trash_chunk();
 int retval = 0;
@@ -1699,15 +1709,16 @@ yield:
 /* IO handler of the details "show ssl cert ".
- * It uses ctx.ssl.cur_ckchs and ctx.ssl.index.
+ * It uses a show_cert_ctx.
 */
 static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
 {
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+ struct show_cert_ctx *ctx = appctx->svcctx;
 struct conn_stream *cs = appctx->owner;
- struct ckch_store *ckchs = appctx->ctx.ssl.cur_ckchs;
+ struct ckch_store *ckchs = ctx->cur_ckchs;
 struct buffer *out = alloc_trash_chunk();
- int from_transaction = appctx->ctx.ssl.index;
+ int from_transaction = ctx->transaction;
 if (!out)
 goto end_no_putchk;
@@ -1750,6 +1761,7 @@ yield:
 /* parsing function for 'show ssl cert [certfile]' */
 static int cli_parse_show_cert(char **args, char *payload, struct appctx *appctx, void *private)
 {
+ struct show_cert_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 struct ckch_store *ckchs;
 if (!cli_has_level(appctx, ACCESS_LVL_OPER))
@@ -1790,10 +1802,10 @@ static int cli_parse_show_cert(char **args, char *payload, struct appctx *appctx
 }
- appctx->ctx.ssl.cur_ckchs = ckchs;
+ ctx->cur_ckchs = ckchs;
 /* use the IO handler that shows details */
 if (show_ocsp_detail) {
- appctx->ctx.ssl.index = from_transaction;
+ ctx->transaction = from_transaction;
 appctx->io_handler = cli_io_handler_show_cert_ocsp_detail;
 } else
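Review bot: `int from_transaction = ctx->transaction;` in the @@ -1699 hunk shows that the new `transaction` field is consumed as a yes/no flag, yet its name and bare `int` type in `struct show_cert_ctx` read like an index or identifier — exactly what the removed `ctx.ssl.index` used to be. The local variable name is the only evidence of its meaning in this patch, so a field comment in the struct definition earlier in the patch would settle it, along the lines of `int transaction; /* non-zero when the cert being shown was taken from the pending ckchs_transaction */` (adjust if that is not what the flag records). The `#else` side of the `#if` guard and the rest of the handler are outside this hunk.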
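Review bot: The result of `applet_reserve_svcctx(appctx, sizeof(*ctx))` in the @@ -1750 hunk is dereferenced later in cli_parse_show_cert (`ctx->cur_ckchs = ckchs;` in the @@ -1790 hunk) without a NULL check. If the helper can return NULL when the requested size does not fit the applet's storage, that is a NULL dereference reachable from the CLI; if it cannot fail by construction, a one-line comment would stop the next reader asking, e.g. `/* cannot fail: show_cert_ctx fits in the applet's svcctx storage */`. The reservation also runs before the `cli_has_level()` check, which is harmless but means the context is set up even for requests that are then rejected. The remainder of cli_parse_show_cert lies outside these hunks.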