From: William Lallemand
Date: Wed, 8 Apr 2020 14:29:15 +0000 (+0200)
Subject: CLEANUP: ssl/cli: use the list of filters in the crtlist_entry
X-Git-Tag: v2.2-dev6~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=caa161982f54435e7b8846d25c4d6e5ba6e639c4;p=thirdparty%2Fhaproxy.git

CLEANUP: ssl/cli: use the list of filters in the crtlist_entry

In 'commit ssl cert', instead of trying to regenerate a list of filters from the SNIs, use the list provided by the crtlist_entry used to generate the ckch_inst. This list of filters doesn't need to be free'd anymore since they are always reused from the crtlist_entry.
---
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index dd286bb261..28be81654b 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -139,7 +139,7 @@ struct ckch_inst {
 struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
 struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
 struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
- unsigned int filters:1; /* using sni filters ? */
+ struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */
 unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
 /* space for more flag there */
 struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bd3fb34e9d..58776eec36 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
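Review bot: The new `crtlist_entry` member of `struct ckch_inst` is a raw back-pointer with no statement of who owns the entry or how long it must stay valid, and the later hunks make the instance's SNI filters (`sni_filter`/`fcount` in cli_io_handler_commit_cert) alias memory reached through it. If a crtlist_entry can be released while an instance created from it still exists, every `if (ckchi->crtlist_entry)` check would follow a stale pointer; the only assignment visible in this diff is in ssl_sock_load_cert_list_file and I cannot see a matching reset on any release path, so this is inferred rather than shown. I would extend the field comment to `/* pointer to the crtlist_entry used, or NULL; not owned: the entry must outlive this instance (its filters are reused by 'commit ssl cert') or this field must be cleared when the entry is released */`. It is also worth confirming that `struct crtlist_entry` is at least forward-declared before this point in the header, since the hunk does not add one.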
@@ -3904,84 +3904,6 @@ end:
 return NULL;
 }
 
-
-/*
- * Free a sni filters array generated by ckch_inst_sni_ctx_to_sni_filters()
- */
-static inline void free_sni_filters(char **sni_filter, int fcount)
-{
- int i;
-
- if (sni_filter) {
- for (i = 0; i < fcount; i++) {
- if (sni_filter[i]) {
- free(sni_filter[i]);
- sni_filter[i] = NULL;
- }
- }
- free(sni_filter);
- }
-}
-
-/*
- * Fill <*sni_filter> with an allocated array of ptr to the existing filters,
- * The caller should free <*sni_filter>.
- * Fill <*fcount> with the number of filters
- * Return an ERR_* code.
- */
-static int ckch_inst_sni_ctx_to_sni_filters(const struct ckch_inst *ckchi, char ***sni_filter, int *fcount, char **err)
-{
- struct sni_ctx *sc0;
- int errcode = 0;
- int i = 0;
- char **tmp_filter;
- int tmp_fcount = 0;
-
- list_for_each_entry(sc0, &ckchi->sni_ctx, by_ckch_inst) {
- tmp_fcount++;
- }
-
- if (!tmp_fcount)
- goto end;
-
- tmp_filter = calloc(tmp_fcount, sizeof(*tmp_filter));
- if (!tmp_filter) {
- errcode |= ERR_FATAL|ERR_ALERT;
- goto error;
- }
-
- list_for_each_entry(sc0, &ckchi->sni_ctx, by_ckch_inst) {
- size_t len = strlen((char *)sc0->name.key);
-
- /* we need to alloc and copy to insert a '!' or/and a '*' */
- tmp_filter[i] = calloc(1, len + sc0->neg + sc0->wild + 1);
- if (!tmp_filter[i]) {
- errcode |= ERR_FATAL|ERR_ALERT;
- goto error;
- }
-
- if (sc0->neg)
- *tmp_filter[i] = '!';
- if (sc0->wild)
- *(tmp_filter[i] + sc0->neg) = '*';
-
- memcpy(tmp_filter[i] + sc0->neg + sc0->wild, (char *)sc0->name.key, len + 1);
- i++;
- }
- *sni_filter = tmp_filter;
-end:
- *fcount = tmp_fcount;
-
- return errcode;
-error:
- memprintf(err, "%sUnable to generate filters!",
- err && *err ? *err : "");
- free_sni_filters(tmp_filter, tmp_fcount);
-
- return errcode;
-}
-
-
 
 #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
 /*
@@ -4197,7 +4119,6 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c
 ckch_inst->bind_conf = bind_conf;
 ckch_inst->ssl_conf = ssl_conf;
 ckch_inst->ckch_store = ckchs;
- ckch_inst->filters = !!fcount;
 
 end:
 
@@ -4396,7 +4317,6 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs,
 ckch_inst->bind_conf = bind_conf;
 ckch_inst->ssl_conf = ssl_conf;
 ckch_inst->ckch_store = ckchs;
- ckch_inst->filters = !!fcount;
 
 SSL_CTX_free(ctx); /* we need to free the ctx since we incremented the refcount where it's used */
 
@@ -5041,6 +4961,7 @@ int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_con
 goto error;
 }
 LIST_ADDQ(&entry->ckch_inst, &ckch_inst->by_crtlist_entry);
+ ckch_inst->crtlist_entry = entry;
 }
 
 /* add the bind_conf to the list */
@@ -12049,10 +11970,10 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 appctx->ctx.ssl.next_ckchi = ckchi;
 goto yield;
 }
- if (ckchi->filters) {
- errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
- if (errcode & ERR_CODE)
- goto error;
+
+ if (ckchi->crtlist_entry) {
+ sni_filter = ckchi->crtlist_entry->filters;
+ fcount = ckchi->crtlist_entry->fcount;
 }
 
 if (new_ckchs->multi)
@@ -12060,9 +11981,6 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 else
 errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
 
- free_sni_filters(sni_filter, fcount);
- sni_filter = NULL;
-
 if (errcode & ERR_CODE)
 goto error;
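Review bot: In the @@ -12049 hunk of cli_io_handler_commit_cert the new `if (ckchi->crtlist_entry)` block assigns `sni_filter`/`fcount` but has no else branch, while the following hunk drops the `sni_filter = NULL;` reset that used to run after every load; if those two variables are declared outside the per-instance loop (their declarations are not in this diff), an instance without a crtlist_entry that is processed after one with filters would be rebuilt with the previous instance's filters. Making the block self-contained removes that dependency: `} else { sni_filter = NULL; fcount = 0; }` after the new block. The check also relies on `crtlist_entry` being NULL for every instance not created by ssl_sock_load_cert_list_file, which the @@ -5041 hunk shows is the only place it is assigned, so the ckch_inst allocation should be confirmed to zero the struct. The function continues outside the hunk on both sides.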