MEDIUM: ssl: remote the proxy argument from most functions

Most of the SSL functions used to have a proxy argument which was mostly
used to be able to emit clean errors using Alert(). First, many of them
were converted to memprintf() and don't require this pointer anymore.
Second, the few that still need it also have either a bind_conf argument
or a server argument, both of which carry a pointer to the relevant proxy.

So let's now get rid of it, it needlessly complicates the API and certain
functions already have many arguments.
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index cb9a1e9..119368a 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -43,12 +43,12 @@
 }
 
 int ssl_sock_handshake(struct connection *conn, unsigned int flag);
-int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *proxy);
-int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px);
-int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *px);
+int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx);
+int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf);
+int ssl_sock_prepare_srv_ctx(struct server *srv);
 void ssl_sock_free_srv_ctx(struct server *srv);
 void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
-int ssl_sock_load_ca(struct bind_conf *bind_conf, struct proxy *px);
+int ssl_sock_load_ca(struct bind_conf *bind_conf);
 void ssl_sock_free_ca(struct bind_conf *bind_conf);
 const char *ssl_sock_get_cipher_name(struct connection *conn);
 const char *ssl_sock_get_proto_version(struct connection *conn);
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 7b5572f..c4c392f 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -8289,7 +8289,7 @@
 
 #ifdef USE_OPENSSL
 			if (newsrv->use_ssl || newsrv->check.use_ssl)
-				cfgerr += ssl_sock_prepare_srv_ctx(newsrv, curproxy);
+				cfgerr += ssl_sock_prepare_srv_ctx(newsrv);
 #endif /* USE_OPENSSL */
 
 			/* set the check type on the server */
@@ -8750,10 +8750,10 @@
 			}
 
 			/* initialize all certificate contexts */
-			cfgerr += ssl_sock_prepare_all_ctx(bind_conf, curproxy);
+			cfgerr += ssl_sock_prepare_all_ctx(bind_conf);
 
 			/* initialize CA variables if the certificates generation is enabled */
-			cfgerr += ssl_sock_load_ca(bind_conf, curproxy);
+			cfgerr += ssl_sock_load_ca(bind_conf);
 		}
 #endif /* USE_OPENSSL */
 
diff --git a/src/hlua.c b/src/hlua.c
index f423c6d..2d1d41d 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -7698,7 +7698,7 @@
 	}
 
 	/* Initialize SSL server. */
-	ssl_sock_prepare_srv_ctx(&socket_ssl, &socket_proxy);
+	ssl_sock_prepare_srv_ctx(&socket_ssl);
 #endif
 
 	RESET_SAFE_LJMP(gL.T);
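Review bot: The call `ssl_sock_prepare_srv_ctx(&socket_ssl);` discards the returned error count, so a failure to build the SSL context used for Lua sockets goes unreported during initialisation. With the proxy argument gone, the callee now takes the proxy from `srv->proxy`, so this call depends on `socket_ssl.proxy` having been set to `&socket_proxy` earlier in the function, which the hunk does not show. That is worth confirming, because an error path that prints the proxy name would otherwise dereference NULL. I would check the result, e.g. `if (ssl_sock_prepare_srv_ctx(&socket_ssl) > 0) { /* report and fail init */ }`, and add the comment `/* relies on socket_ssl.proxy pointing to socket_proxy */` above the call. The enclosing function starts and ends outside the hunk.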
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 617c002..6cb8d63 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2030,7 +2030,7 @@
  *     0 on success
  *     1 on failure
  */
-static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
+static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, char **sni_filter, int fcount, char **err)
 {
 	char fp[MAXPATHLEN+1] = {0};
 	int n = 0;
@@ -2238,7 +2238,7 @@
 }
 #else
 /* This is a dummy, that just logs an error and returns error */
-static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
+static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, char **sni_filter, int fcount, char **err)
 {
 	memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
 	          err && *err ? *err : "", path, strerror(errno));
@@ -2352,7 +2352,7 @@
 	return ret;
 }
 
-static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
+static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, char **sni_filter, int fcount, char **err)
 {
 	int ret;
 	SSL_CTX *ctx;
@@ -2440,7 +2440,7 @@
 	return 0;
 }
 
-int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **err)
+int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
 {
 	struct dirent **de_list;
 	int i, n;
@@ -2457,7 +2457,7 @@
 	if (stat(path, &buf) == 0) {
 		dir = opendir(path);
 		if (!dir)
-			return ssl_sock_load_cert_file(path, bind_conf, curproxy, NULL, 0, err);
+			return ssl_sock_load_cert_file(path, bind_conf, NULL, 0, err);
 
 		/* strip trailing slashes, including first one */
 		for (end = path + strlen(path) - 1; end >= path && *end == '/'; end--)
@@ -2517,7 +2517,7 @@
 						}
 
 						snprintf(fp, sizeof(fp), "%s/%s", path, dp);
-						ssl_sock_load_multi_cert(fp, bind_conf, curproxy, NULL, 0, err);
+						ssl_sock_load_multi_cert(fp, bind_conf, NULL, 0, err);
 
 						/* Successfully processed the bundle */
 						goto ignore_entry;
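Review bot: The result of `ssl_sock_load_multi_cert(fp, bind_conf, NULL, 0, err);` is dropped and the code then treats the bundle as "Successfully processed", whereas the single-file call in the next hunk accumulates into `cfgerr`. A bundle that fails to load would therefore not count as a configuration error, and the bind line could come up without the certificate the operator expected. I would write `cfgerr += ssl_sock_load_multi_cert(fp, bind_conf, NULL, 0, err);` so both paths report failures the same way. The enclosing loop starts above the hunk and continues below it.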
@@ -2525,7 +2525,7 @@
 				}
 
 #endif
-				cfgerr += ssl_sock_load_cert_file(fp, bind_conf, curproxy, NULL, 0, err);
+				cfgerr += ssl_sock_load_cert_file(fp, bind_conf, NULL, 0, err);
 ignore_entry:
 				free(de);
 			}
@@ -2535,7 +2535,7 @@
 		return cfgerr;
 	}
 
-	cfgerr = ssl_sock_load_multi_cert(path, bind_conf, curproxy, NULL, 0, err);
+	cfgerr = ssl_sock_load_multi_cert(path, bind_conf, NULL, 0, err);
 
 	return cfgerr;
 }
@@ -2556,7 +2556,7 @@
 	return random_initialized;
 }
 
-int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct proxy *curproxy, char **err)
+int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, char **err)
 {
 	char thisline[LINESIZE*CRTLIST_FACTOR];
 	FILE *f;
@@ -2620,9 +2620,9 @@
 			continue;
 
 		if (stat(args[0], &buf) == 0) {
-			cfgerr = ssl_sock_load_cert_file(args[0], bind_conf, curproxy, &args[1], arg-1, err);
+			cfgerr = ssl_sock_load_cert_file(args[0], bind_conf, &args[1], arg-1, err);
 		} else {
-			cfgerr = ssl_sock_load_multi_cert(args[0], bind_conf, curproxy, &args[1], arg-1, err);
+			cfgerr = ssl_sock_load_multi_cert(args[0], bind_conf, &args[1], arg-1, err);
 		}
 
 		if (cfgerr) {
@@ -2670,8 +2670,9 @@
 #define SSL_MODE_SMALL_BUFFERS 0
 #endif
 
-int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *curproxy)
+int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx)
 {
+	struct proxy *curproxy = bind_conf->frontend;
 	int cfgerr = 0;
 	int verify = SSL_VERIFY_NONE;
 	long ssloptions =
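Review bot: `struct proxy *curproxy = bind_conf->frontend;` dereferences `bind_conf` in the declaration, before any validity check the body might perform. The same pattern is added in ssl_sock_prepare_srv_ctx (`srv->proxy`) and ssl_sock_load_ca (`bind_conf->frontend`). The comment above ssl_sock_prepare_all_ctx appears to say that a NULL pointer is tolerated on this path, so if any of these three functions guards against NULL further down (not visible in the hunks), that guard now runs too late and a compiler may remove it. I would assign after the guard, e.g. `px = bind_conf->frontend;` following the NULL test, or state the requirement in the function comment: `/* bind_conf must not be NULL */`. All three function bodies continue outside their hunks.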
@@ -3022,8 +3023,9 @@
 }
 
 /* prepare ssl context from servers options. Returns an error count */
-int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
+int ssl_sock_prepare_srv_ctx(struct server *srv)
 {
+	struct proxy *curproxy = srv->proxy;
 	int cfgerr = 0;
 	long options =
 		SSL_OP_ALL | /* all known workarounds for bugs */
@@ -3184,7 +3186,7 @@
  * be NULL, in which case nothing is done. Returns the number of errors
  * encountered.
  */
-int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
+int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf)
 {
 	struct ebmb_node *node;
 	struct sni_ctx *sni;
@@ -3197,7 +3199,7 @@
 	global.ssl_used_frontend = 1;
 
 	if (bind_conf->default_ctx)
-		err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+		err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx);
 
 	node = ebmb_first(&bind_conf->sni_ctx);
 	while (node) {
@@ -3205,7 +3207,7 @@
 		if (!sni->order && sni->ctx != bind_conf->default_ctx)
 			/* only initialize the CTX on its first occurrence and
 			   if it is not the default_ctx */
-			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
+			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx);
 		node = ebmb_next(node);
 	}
 
@@ -3215,7 +3217,7 @@
 		if (!sni->order && sni->ctx != bind_conf->default_ctx)
 			/* only initialize the CTX on its first occurrence and
 			   if it is not the default_ctx */
-			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
+			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx);
 		node = ebmb_next(node);
 	}
 	return err;
@@ -3267,8 +3269,9 @@
 
 /* Load CA cert file and private key used to generate certificates */
 int
-ssl_sock_load_ca(struct bind_conf *bind_conf, struct proxy *px)
+ssl_sock_load_ca(struct bind_conf *bind_conf)
 {
+	struct proxy *px = bind_conf->frontend;
 	FILE     *fp;
 	X509     *cacert = NULL;
 	EVP_PKEY *capkey = NULL;
@@ -5196,13 +5199,13 @@
 			return ERR_ALERT | ERR_FATAL;
 		}
 		snprintf(path, sizeof(path), "%s/%s",  global.crt_base, args[cur_arg + 1]);
-		if (ssl_sock_load_cert(path, conf, px, err) > 0)
+		if (ssl_sock_load_cert(path, conf, err) > 0)
 			return ERR_ALERT | ERR_FATAL;
 
 		return 0;
 	}
 
-	if (ssl_sock_load_cert(args[cur_arg + 1], conf, px, err) > 0)
+	if (ssl_sock_load_cert(args[cur_arg + 1], conf, err) > 0)
 		return ERR_ALERT | ERR_FATAL;
 
 	return 0;
@@ -5216,7 +5219,7 @@
 		return ERR_ALERT | ERR_FATAL;
 	}
 
-	if (ssl_sock_load_cert_list_file(args[cur_arg + 1], conf, px, err) > 0) {
+	if (ssl_sock_load_cert_list_file(args[cur_arg + 1], conf, err) > 0) {
 		memprintf(err, "'%s' : %s", args[cur_arg], *err);
 		return ERR_ALERT | ERR_FATAL;
 	}