From: Amos Jeffries Date: Sun, 6 Dec 2015 13:59:59 +0000 (-0800) Subject: Cleanup: Expose SSL initialization function to libsecurity X-Git-Tag: SQUID_4_0_4~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a28c16ad4e23e382f74090134e19c72be7e02da;p=thirdparty%2Fsquid.git Cleanup: Expose SSL initialization function to libsecurity SSL initialize needs to be performed before any security context objects are generated. Expose the function so that the new blank context methods can use it.
---
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 9c2975a2d8..0d3b51e2c9 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -198,6 +198,8 @@ Security::PeerOptions::createBlankContext() const
 Security::ContextPtr t = nullptr;
 
 #if USE_OPENSSL
+ Ssl::Initialize();
+
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 t = SSL_CTX_new(TLS_client_method());
 #else
diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index f943011742..dd376de70c 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -10,6 +10,9 @@
 #include "base/Packable.h"
 #include "globals.h"
 #include "security/ServerOptions.h"
+#if USE_OPENSSL
+#include "ssl/support.h"
+#endif
 #if HAVE_OPENSSL_ERR_H
 #include 
@@ -96,6 +99,8 @@ Security::ServerOptions::createBlankContext() const
 Security::ContextPtr t = nullptr;
 
 #if USE_OPENSSL
+ Ssl::Initialize();
+
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 t = SSL_CTX_new(TLS_server_method());
 #else
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 223ce11a1f..e1cd25dc61 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -430,9 +430,8 @@ ssl_free_SBuf(void *, void *ptr, CRYPTO_EX_DATA *,
 delete buf;
 }
 
-/// \ingroup ServerProtocolSSLInternal
-static void
-ssl_initialize(void)
+void
+Ssl::Initialize(void)
 {
 static bool initialized = false;
 if (initialized)
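Review bot: The new `Ssl::Initialize();` call in Security::PeerOptions::createBlankContext has no matching include in this diff, while ServerOptions.cc gains a guarded `#include "ssl/support.h"` for the same call. If PeerOptions.cc does not already include that header, the USE_OPENSSL build fails at this line; worth confirming, or adding the same `#if USE_OPENSSL` / `#include "ssl/support.h"` / `#endif` block at the top of PeerOptions.cc. createBlankContext continues outside the hunk.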
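Review bot: The definition `Ssl::Initialize(void)` keeps the C-style empty parameter list while the header in this commit declares `void Initialize();`; the two are equivalent in C++, but the mismatched spelling is the kind of thing modernize lints flag, so `Ssl::Initialize()` would be cleaner. Dropping `static` together with the `\ingroup` line leaves the now-public definition with no comment at all in the .cc; a one-liner such as `/// see the contract on Ssl::Initialize() in ssl/support.h` keeps the entry point findable from here. The function body continues past the hunk.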
@@ -443,10 +442,10 @@ ssl_initialize(void)
 SSLeay_add_ssl_algorithms();
 
 #if HAVE_OPENSSL_ENGINE_H
- if (Config.SSL.ssl_engine) {
+ if (::Config.SSL.ssl_engine) {
 ENGINE *e;
- if (!(e = ENGINE_by_id(Config.SSL.ssl_engine)))
- fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine);
+ if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine)))
+ fatalf("Unable to find SSL engine '%s'\n", ::Config.SSL.ssl_engine);
 
 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
 const int ssl_error = ERR_get_error();
@@ -454,11 +453,11 @@ ssl_initialize(void)
 }
 }
 #else
- if (Config.SSL.ssl_engine)
+ if (::Config.SSL.ssl_engine)
 fatalf("Your OpenSSL has no SSL engine support\n");
 #endif
 
- const char *defName = Config.SSL.certSignHash ? Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE;
+ const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE;
 Ssl::DefaultSignHash = EVP_get_digestbyname(defName);
 if (!Ssl::DefaultSignHash)
 fatalf("Sign hash '%s' is not supported\n", defName);
@@ -560,8 +559,6 @@ configureSslContext(Security::ContextPtr sslContext, AnyP::PortCfg &port)
 
 Security::ContextPtr sslCreateServerContext(AnyP::PortCfg &port)
 {
- ssl_initialize();
-
 Security::ContextPtr sslContext(port.secure.createBlankContext());
 if (!sslContext)
 return nullptr;
@@ -636,7 +633,7 @@ ssl_next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsi
 
 Security::ContextPtr sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, long options, long fl)
 {
- ssl_initialize();
+ Ssl::Initialize();
 
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 Security::ContextPtr sslContext(SSL_CTX_new(TLS_client_method()));
diff --git a/src/ssl/support.h b/src/ssl/support.h
index 2920b5ada2..530a78ccf6 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
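Review bot: The switch from `Config.SSL.ssl_engine` to `::Config.SSL.ssl_engine` is left unexplained at its first occurrence in the engine-selection block, and the same change repeats in the hunk at -454 for `certSignHash`. Presumably it is needed because the body now belongs to the qualified definition `Ssl::Initialize`, so unqualified lookup would search namespace Ssl before the global scope; a one-line comment at the first use, `// the global Config, not anything in namespace Ssl`, would spare the next reader that deduction. The enclosing function starts and ends outside this hunk.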
@@ -56,6 +56,10 @@ class PortCfg;
 namespace Ssl
 {
 
+/// initialize the SSL library global state.
+/// call before generating any SSL context
+void Initialize();
+
 /// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
 typedef int ssl_error_t;
 
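Review bot: The new comment on `void Initialize();` says when to call it but not what the new createBlankContext callers may rely on: the definition guards itself with a `static bool initialized` flag, so repeated calls are safe and cheap, and on an unloadable `ssl_engine` or unsupported `certSignHash` it terminates Squid through `fatalf()` instead of returning a failure. Both facts belong on the public declaration now that it is called from two context-creation paths; suggest `/// Initialize the SSL library global state. Idempotent; call before creating any SSL context.` plus a line stating that it aborts via fatalf() when the configured engine or signing hash cannot be set up.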