*/
int listener_accept(int fd);
-/* allocate an ssl_conf struct for a bind line, and chain it to list head <lh>.
+/* allocate an bind_conf struct for a bind line, and chain it to list head <lh>.
* If <arg> is not NULL, it is duplicated into ->arg to store useful config
* information for error reporting.
*/
-static inline struct ssl_conf *ssl_conf_alloc(struct list *lh, const char *file, int line, const char *arg)
+static inline struct bind_conf *bind_conf_alloc(struct list *lh, const char *file, int line, const char *arg)
{
- struct ssl_conf *ssl_conf = (void *)calloc(1, sizeof(struct ssl_conf));
+ struct bind_conf *bind_conf = (void *)calloc(1, sizeof(struct bind_conf));
- ssl_conf->file = strdup(file);
- ssl_conf->line = line;
+ bind_conf->file = strdup(file);
+ bind_conf->line = line;
if (lh)
- LIST_ADDQ(lh, &ssl_conf->by_fe);
+ LIST_ADDQ(lh, &bind_conf->by_fe);
if (arg)
- ssl_conf->arg = strdup(arg);
- return ssl_conf;
+ bind_conf->arg = strdup(arg);
+ return bind_conf;
}
#endif /* _PROTO_LISTENER_H */
extern struct data_ops ssl_sock;
int ssl_sock_handshake(struct connection *conn, unsigned int flag);
-int ssl_sock_load_cert(char *path, struct ssl_conf *ssl_conf, struct proxy *proxy);
-int ssl_sock_prepare_ctx(struct ssl_conf *ssl_conf, SSL_CTX *ctx, struct proxy *proxy);
-void ssl_sock_free_certs(struct ssl_conf *ssl_conf);
-int ssl_sock_prepare_all_ctx(struct ssl_conf *ssl_conf, struct proxy *px);
-void ssl_sock_free_all_ctx(struct ssl_conf *ssl_conf);
+int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *proxy);
+int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *proxy);
+void ssl_sock_free_certs(struct bind_conf *bind_conf);
+int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px);
+void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
#endif /* _PROTO_SSL_SOCK_H */
* maxconn setting to the global.maxsock value so that its resources are reserved.
*/
-/* "bind" line SSL settings */
-struct ssl_conf {
+/* "bind" line settings */
+struct bind_conf {
#ifdef USE_OPENSSL
char *ciphers; /* cipher suite to use if non-null */
int nosslv3; /* disable SSLv3 */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards sorted by name */
#endif
- int ref_cnt; /* number of users of this config, maybe 0 on error */
+ int is_ssl; /* SSL is required for these listeners */
struct list by_fe; /* next binding for the same frontend, or NULL */
char *arg; /* argument passed to "bind" for better error reporting */
char *file; /* file where the section appears */
char *interface; /* interface name or NULL */
int maxseg; /* for TCP, advertised MSS */
- struct ssl_conf *ssl_conf; /* SSL settings, otherwise NULL */
+ struct bind_conf *bind_conf; /* "bind" line settings, include SSL settings among other things */
/* warning: this struct is huge, keep it at the bottom */
struct sockaddr_storage addr; /* the address we listen to */
struct eb32_node id; /* place in the tree of used IDs */
struct eb_root used_listener_id;/* list of listener IDs in use */
struct eb_root used_server_id; /* list of server IDs in use */
- struct list ssl_bind; /* list of SSL bind settings */
+ struct list bind; /* list of bind settings */
} conf; /* config information */
void *parent; /* parent of the proxy when applicable */
};
struct acl_cond *cond = NULL;
struct logsrv *tmplogsrv;
char *errmsg = NULL;
- struct ssl_conf *ssl_conf;
+ struct bind_conf *bind_conf;
if (!strcmp(args[0], "listen"))
rc = PR_CAP_LISTEN;
}
last_listen = curproxy->listen;
- ssl_conf = NULL;
+ bind_conf = bind_conf_alloc(&curproxy->conf.bind, file, linenum, args[1]);
/* NOTE: the following line might create several listeners if there
* are comma-separated IPs or port ranges. So all further processing
while (new_listen != last_listen) {
new_listen->conf.file = file;
new_listen->conf.line = linenum;
+ new_listen->bind_conf = bind_conf;
new_listen = new_listen->next;
global.maxsock++;
}
if (!strcmp(args[cur_arg], "ssl")) { /* use ssl */
#ifdef USE_OPENSSL
- struct listener *l;
-
- if (!ssl_conf)
- ssl_conf = ssl_conf_alloc(&curproxy->conf.ssl_bind, file, linenum, args[1]);
-
- for (l = curproxy->listen; l != last_listen; l = l->next) {
- if (!l->ssl_conf) {
- l->ssl_conf = ssl_conf;
- ssl_conf->ref_cnt++;
- }
- }
-
+ bind_conf->is_ssl = 1;
cur_arg += 1;
continue;
#else
goto out;
}
- if (!ssl_conf)
- ssl_conf = ssl_conf_alloc(&curproxy->conf.ssl_bind, file, linenum, args[1]);
-
- if (ssl_sock_load_cert(args[cur_arg + 1], ssl_conf, curproxy) > 0) {
+ if (ssl_sock_load_cert(args[cur_arg + 1], bind_conf, curproxy) > 0) {
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
goto out;
}
- if (!ssl_conf)
- ssl_conf = ssl_conf_alloc(&curproxy->conf.ssl_bind, file, linenum, args[1]);
- ssl_conf->ciphers = strdup(args[cur_arg + 1]);
-
+ bind_conf->ciphers = strdup(args[cur_arg + 1]);
cur_arg += 2;
continue;
#else
if (!strcmp(args[cur_arg], "nosslv3")) { /* disable SSLv3 */
#ifdef USE_OPENSSL
- if (!ssl_conf)
- ssl_conf = ssl_conf_alloc(&curproxy->conf.ssl_bind, file, linenum, args[1]);
- ssl_conf->nosslv3 = 1;
-
+ bind_conf->nosslv3 = 1;
cur_arg += 1;
continue;
#else
if (!strcmp(args[cur_arg], "notlsv1")) { /* disable TLSv1 */
#ifdef USE_OPENSSL
- if (!ssl_conf)
- ssl_conf = ssl_conf_alloc(&curproxy->conf.ssl_bind, file, linenum, args[1]);
- ssl_conf->notlsv1 = 1;
-
+ bind_conf->notlsv1 = 1;
cur_arg += 1;
continue;
#else
if (!strcmp(args[cur_arg], "prefer-server-ciphers")) { /* Prefert server ciphers */
#if defined (USE_OPENSSL) && defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
- if (!ssl_conf)
- ssl_conf = ssl_conf_alloc(&curproxy->conf.ssl_bind, file, linenum, args[1]);
- ssl_conf->prefer_server_ciphers = 1;
-
+ bind_conf->prefer_server_ciphers = 1;
cur_arg += 1;
continue;
#else
struct userlist *curuserlist = NULL;
int err_code = 0;
unsigned int next_pxid = 1;
- struct ssl_conf *ssl_conf, *ssl_back;
+ struct bind_conf *bind_conf;
- ssl_back = ssl_conf = NULL;
+ bind_conf = NULL;
/*
* Now, check for the integrity of all that we have collected.
*/
curproxy->listen = next;
}
-#ifdef USE_OPENSSL
/* Configure SSL for each bind line.
* Note: if configuration fails at some point, the ->ctx member
* remains NULL so that listeners can later detach.
*/
- list_for_each_entry(ssl_conf, &curproxy->conf.ssl_bind, by_fe) {
- if (!ssl_conf->default_ctx) {
+ list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
+ if (!bind_conf->is_ssl)
+ continue;
+#ifdef USE_OPENSSL
+ if (!bind_conf->default_ctx) {
Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
- curproxy->id, ssl_conf->arg, ssl_conf->file, ssl_conf->line);
+ curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
continue;
}
}
/* initialize all certificate contexts */
- cfgerr += ssl_sock_prepare_all_ctx(ssl_conf, curproxy);
- }
+ cfgerr += ssl_sock_prepare_all_ctx(bind_conf, curproxy);
#endif /* USE_OPENSSL */
+ }
/* adjust this proxy's listeners */
next_id = 1;
}
}
#ifdef USE_OPENSSL
- if (listener->ssl_conf) {
- if (listener->ssl_conf->default_ctx) {
- listener->data = &ssl_sock; /* SSL data layer */
- }
- else {
- listener->ssl_conf->ref_cnt--;
- listener->ssl_conf = NULL;
- }
- }
+ if (listener->bind_conf->is_ssl && listener->bind_conf->default_ctx)
+ listener->data = &ssl_sock; /* SSL data layer */
#endif
if (curproxy->options & PR_O_TCP_NOLING)
listener->options |= LI_O_NOLINGER;
/* smart accept mode is automatic in HTTP mode */
if ((curproxy->options2 & PR_O2_SMARTACC) ||
- ((curproxy->mode == PR_MODE_HTTP || listener->ssl_conf) &&
+ ((curproxy->mode == PR_MODE_HTTP || listener->bind_conf->is_ssl) &&
!(curproxy->no_options2 & PR_O2_SMARTACC)))
listener->options |= LI_O_NOQUICKACK;
listener = listener->next;
}
-#ifdef USE_OPENSSL
- /* Release unused SSL configs.
- */
- list_for_each_entry_safe(ssl_conf, ssl_back, &curproxy->conf.ssl_bind, by_fe) {
- if (ssl_conf->ref_cnt)
+ /* Release unused SSL configs */
+ list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
+ if (bind_conf->is_ssl)
continue;
-
- ssl_sock_free_all_ctx(ssl_conf);
- free(ssl_conf->ciphers);
- free(ssl_conf->file);
- free(ssl_conf->arg);
- LIST_DEL(&ssl_conf->by_fe);
- free(ssl_conf);
- }
+#ifdef USE_OPENSSL
+ ssl_sock_free_all_ctx(bind_conf);
+ free(bind_conf->ciphers);
#endif /* USE_OPENSSL */
+ }
/* Check multi-process mode compatibility for the current proxy */
if (global.nbproc > 1) {
struct uri_auth *uap, *ua = NULL;
struct logsrv *log, *logb;
struct logformat_node *lf, *lfb;
- struct ssl_conf *ssl_conf, *ssl_back;
+ struct bind_conf *bind_conf, *bind_back;
int i;
deinit_signals();
l_next = l->next;
unbind_listener(l);
delete_listener(l);
- if (l->ssl_conf) {
- l->ssl_conf->ref_cnt--;
- l->ssl_conf = NULL;
- }
+ l->bind_conf = NULL;
free(l->name);
free(l->counters);
free(l);
l = l_next;
}/* end while(l) */
- ssl_back = ssl_conf = NULL;
-#ifdef USE_OPENSSL
+ bind_back = bind_conf = NULL;
/* Release unused SSL configs.
*/
- list_for_each_entry_safe(ssl_conf, ssl_back, &p->conf.ssl_bind, by_fe) {
- ssl_sock_free_all_ctx(ssl_conf);
- free(ssl_conf->ciphers);
- free(ssl_conf->file);
- free(ssl_conf->arg);
- LIST_DEL(&ssl_conf->by_fe);
- free(ssl_conf);
- }
+ list_for_each_entry_safe(bind_conf, bind_back, &p->conf.bind, by_fe) {
+#ifdef USE_OPENSSL
+ ssl_sock_free_all_ctx(bind_conf);
+ free(bind_conf->ciphers);
#endif /* USE_OPENSSL */
+ free(bind_conf->file);
+ free(bind_conf->arg);
+ LIST_DEL(&bind_conf->by_fe);
+ free(bind_conf);
+ }
free(p->desc);
free(p->fwdfor_hdr_name);
LIST_INIT(&p->logsrvs);
LIST_INIT(&p->logformat);
LIST_INIT(&p->format_unique_id);
- LIST_INIT(&p->conf.ssl_bind);
+ LIST_INIT(&p->conf.bind);
/* Timeouts are defined as -1 */
proxy_reset_timeouts(p);
* warning when no match is found, which implies the default (first) cert
* will keep being used.
*/
-static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct ssl_conf *s)
+static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
{
const char *servername;
const char *wildp = NULL;
/* Loads a certificate key and CA chain from a file. Returns 0 on error, -1 if
* an early error happens and the caller must call SSL_CTX_free() by itelf.
*/
-int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct ssl_conf *s)
+int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct bind_conf *s)
{
BIO *in;
X509 *x = NULL, *ca;
return ret;
}
-int ssl_sock_load_cert_file(const char *path, struct ssl_conf *ssl_conf, struct proxy *curproxy)
+int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy)
{
int ret;
SSL_CTX *ctx;
ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
Alert("Proxy '%s': unable to allocate SSL context for bind '%s' at [%s:%d] using cert '%s'.\n",
- curproxy->id, ssl_conf->arg, ssl_conf->file, ssl_conf->line, path);
+ curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line, path);
return 1;
}
if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
Alert("Proxy '%s': unable to load SSL private key from file '%s' in bind '%s' at [%s:%d].\n",
- curproxy->id, path, ssl_conf->arg, ssl_conf->file, ssl_conf->line);
+ curproxy->id, path, bind_conf->arg, bind_conf->file, bind_conf->line);
SSL_CTX_free(ctx);
return 1;
}
- ret = ssl_sock_load_cert_chain_file(ctx, path, ssl_conf);
+ ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf);
if (ret <= 0) {
Alert("Proxy '%s': unable to load SSL certificate from file '%s' in bind '%s' at [%s:%d].\n",
- curproxy->id, path, ssl_conf->arg, ssl_conf->file, ssl_conf->line);
+ curproxy->id, path, bind_conf->arg, bind_conf->file, bind_conf->line);
if (ret < 0) /* serious error, must do that ourselves */
SSL_CTX_free(ctx);
return 1;
* the tree, so it will be discovered and cleaned in time.
*/
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
- if (ssl_conf->default_ctx) {
+ if (bind_conf->default_ctx) {
Alert("Proxy '%s': file '%s' : this version of openssl cannot load multiple SSL certificates in bind '%s' at [%s:%d].\n",
- curproxy->id, path, ssl_conf->arg, ssl_conf->file, ssl_conf->line);
+ curproxy->id, path, bind_conf->arg, bind_conf->file, bind_conf->line);
return 1;
}
#endif
- if (!ssl_conf->default_ctx)
- ssl_conf->default_ctx = ctx;
+ if (!bind_conf->default_ctx)
+ bind_conf->default_ctx = ctx;
return 0;
}
-int ssl_sock_load_cert(char *path, struct ssl_conf *ssl_conf, struct proxy *curproxy)
+int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *curproxy)
{
struct dirent *de;
DIR *dir;
int cfgerr = 0;
if (!(dir = opendir(path)))
- return ssl_sock_load_cert_file(path, ssl_conf, curproxy);
+ return ssl_sock_load_cert_file(path, bind_conf, curproxy);
/* strip trailing slashes, including first one */
for (end = path + strlen(path) - 1; end >= path && *end == '/'; end--)
snprintf(fp, pathlen + 1 + NAME_MAX + 1, "%s/%s", path, de->d_name);
if (stat(fp, &buf) != 0) {
Alert("Proxy '%s': unable to stat SSL certificate from file '%s' in bind '%s' at [%s:%d] : %s.\n",
- curproxy->id, fp, ssl_conf->arg, ssl_conf->file, ssl_conf->line, strerror(errno));
+ curproxy->id, fp, bind_conf->arg, bind_conf->file, bind_conf->line, strerror(errno));
cfgerr++;
continue;
}
if (!S_ISREG(buf.st_mode))
continue;
- cfgerr += ssl_sock_load_cert_file(fp, ssl_conf, curproxy);
+ cfgerr += ssl_sock_load_cert_file(fp, bind_conf, curproxy);
}
free(fp);
closedir(dir);
#ifndef SSL_MODE_RELEASE_BUFFERS /* needs OpenSSL >= 1.0.0 */
#define SSL_MODE_RELEASE_BUFFERS 0
#endif
-int ssl_sock_prepare_ctx(struct ssl_conf *ssl_conf, SSL_CTX *ctx, struct proxy *curproxy)
+int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *curproxy)
{
int cfgerr = 0;
int ssloptions =
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_RELEASE_BUFFERS;
- if (ssl_conf->nosslv3)
+ if (bind_conf->nosslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (ssl_conf->notlsv1)
+ if (bind_conf->notlsv1)
ssloptions |= SSL_OP_NO_TLSv1;
- if (ssl_conf->prefer_server_ciphers)
+ if (bind_conf->prefer_server_ciphers)
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(ctx, ssloptions);
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
shared_context_set_cache(ctx);
- if (ssl_conf->ciphers &&
- !SSL_CTX_set_cipher_list(ctx, ssl_conf->ciphers)) {
+ if (bind_conf->ciphers &&
+ !SSL_CTX_set_cipher_list(ctx, bind_conf->ciphers)) {
Alert("Proxy '%s': unable to set SSL cipher list to '%s' for bind '%s' at [%s:%d].\n",
- curproxy->id, ssl_conf->ciphers, ssl_conf->arg, ssl_conf->file, ssl_conf->line);
+ curproxy->id, bind_conf->ciphers, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
- SSL_CTX_set_tlsext_servername_arg(ctx, ssl_conf);
+ SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
#endif
return cfgerr;
}
-/* Walks down the two trees in ssl_conf and prepares all certs. The pointer may
+/* Walks down the two trees in bind_conf and prepares all certs. The pointer may
* be NULL, in which case nothing is done. Returns the number of errors
* encountered.
*/
-int ssl_sock_prepare_all_ctx(struct ssl_conf *ssl_conf, struct proxy *px)
+int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
{
struct ebmb_node *node;
struct sni_ctx *sni;
int err = 0;
- if (!ssl_conf)
+ if (!bind_conf || !bind_conf->is_ssl)
return 0;
- node = ebmb_first(&ssl_conf->sni_ctx);
+ node = ebmb_first(&bind_conf->sni_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
if (!sni->order) /* only initialize the CTX on its first occurrence */
- err += ssl_sock_prepare_ctx(ssl_conf, sni->ctx, px);
+ err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node);
}
- node = ebmb_first(&ssl_conf->sni_w_ctx);
+ node = ebmb_first(&bind_conf->sni_w_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
if (!sni->order) /* only initialize the CTX on its first occurrence */
- err += ssl_sock_prepare_ctx(ssl_conf, sni->ctx, px);
+ err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node);
}
return err;
}
-/* Walks down the two trees in ssl_conf and frees all the certs. The pointer may
+/* Walks down the two trees in bind_conf and frees all the certs. The pointer may
* be NULL, in which case nothing is done. The default_ctx is nullified too.
*/
-void ssl_sock_free_all_ctx(struct ssl_conf *ssl_conf)
+void ssl_sock_free_all_ctx(struct bind_conf *bind_conf)
{
struct ebmb_node *node, *back;
struct sni_ctx *sni;
- if (!ssl_conf)
+ if (!bind_conf || !bind_conf->is_ssl)
return;
- node = ebmb_first(&ssl_conf->sni_ctx);
+ node = ebmb_first(&bind_conf->sni_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
back = ebmb_next(node);
node = back;
}
- node = ebmb_first(&ssl_conf->sni_w_ctx);
+ node = ebmb_first(&bind_conf->sni_w_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
back = ebmb_next(node);
node = back;
}
- ssl_conf->default_ctx = NULL;
+ bind_conf->default_ctx = NULL;
}
/*
}
else if (target_client(&conn->target)) {
/* Alloc a new SSL session ctx */
- conn->data_ctx = SSL_new(target_client(&conn->target)->ssl_conf->default_ctx);
+ conn->data_ctx = SSL_new(target_client(&conn->target)->bind_conf->default_ctx);
if (!conn->data_ctx)
return -1;
projects / thirdparty / haproxy.git / commitdiff
