Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 795bd9ba3a95e3a1f491b5304b1641855215f1e9^! / .
commit795bd9ba3a95e3a1f491b5304b1641855215f1e9[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.org>Tue Jan 26 11:27:42 2021 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Tue Jan 26 15:19:36 2021 +0100
tree8284de022ead075c222ec89f89c6d67769f5c293
parent1dedb0a82abb5c0ed1af051fcc2dc25ff292134d [diff]
CLEANUP: ssl: remove SSL_CTX function parameter

Since the server SSL_CTX is now stored in the ckch_inst, it is not
needed anymore to pass an SSL_CTX to ckch_inst_new_load_srv_store() and
ssl_sock_load_srv_ckchs().

diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 0bcd0d7..7d1b8ef 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h

@@ -50,7 +50,7 @@
 int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct bind_conf *bind_conf,
                              struct ssl_bind_conf *ssl_conf, char **sni_filter, int fcount, struct ckch_inst **ckchi, char **err);
 int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
-                                 struct ckch_inst **ckchi, SSL_CTX **ssl_ctx, char **err);
+                                 struct ckch_inst **ckchi, char **err);
 
 void ckch_deinit();
 

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 3e54f66..96eec9a 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c

@@ -1317,7 +1317,6 @@
 					struct ckch_inst *new_inst;
 					char **sni_filter = NULL;
 					int fcount = 0;
-					SSL_CTX *ctx = NULL;
 
 					/* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
 					if (y >= 10) {
@@ -1332,7 +1331,7 @@
 					}
 
 					if (ckchi->is_server_instance)
-						errcode |= ckch_inst_new_load_srv_store(new_ckchs->path, new_ckchs, &new_inst, &ctx, &err);
+						errcode |= ckch_inst_new_load_srv_store(new_ckchs->path, new_ckchs, &new_inst, &err);
 					else
 						errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
 
@@ -1347,11 +1346,9 @@
 					new_inst->server = ckchi->server;
 					/* Create a new SSL_CTX and link it to the new instance. */
 					if (new_inst->is_server_instance) {
-						errcode |= ssl_sock_prepare_srv_ssl_ctx(ckchi->server, ctx);
+						errcode |= ssl_sock_prepare_srv_ssl_ctx(ckchi->server, new_inst->ctx);
 						if (errcode & ERR_CODE)
 							goto error;
-
-						new_inst->ctx = ctx;
 					}
 
 					/* create the link to the crtlist_entry */

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c099bc6..0776742 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3454,7 +3454,7 @@
  *     ERR_WARN if a warning is available into err
  */
 int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
-				 struct ckch_inst **ckchi, SSL_CTX **ssl_ctx, char **err)
+				 struct ckch_inst **ckchi, char **err)
 {
 	SSL_CTX *ctx;
 	struct cert_key_and_chain *ckch;
@@ -3476,10 +3476,6 @@
 		goto error;
 	}
 
-	if (*ssl_ctx)
-		SSL_CTX_free(*ssl_ctx);
-	*ssl_ctx = ctx;
-
 	errcode |= ssl_sock_put_srv_ckch_into_ctx(path, ckch, ctx, err);
 	if (errcode & ERR_CODE)
 		goto error;
@@ -3492,14 +3488,11 @@
 		goto error;
 	}
 
-	SSL_CTX_up_ref(ctx);
-
 	/* everything succeed, the ckch instance can be used */
 	ckch_inst->bind_conf = NULL;
 	ckch_inst->ssl_conf = NULL;
 	ckch_inst->ckch_store = ckchs;
-
-	SSL_CTX_free(ctx); /* we need to free the ctx since we incremented the refcount where it's used */
+	ckch_inst->ctx = ctx;
 
 	*ckchi = ckch_inst;
 	return errcode;
@@ -3536,13 +3529,12 @@
 }
 
 static int ssl_sock_load_srv_ckchs(const char *path, struct ckch_store *ckchs,
-				   struct ckch_inst **ckch_inst,
-				   SSL_CTX **ssl_ctx, char **err)
+				   struct ckch_inst **ckch_inst, char **err)
 {
 	int errcode = 0;
 
 	/* we found the ckchs in the tree, we can use it directly */
-	errcode |= ckch_inst_new_load_srv_store(path, ckchs, ckch_inst, ssl_ctx, err);
+	errcode |= ckch_inst_new_load_srv_store(path, ckchs, ckch_inst, err);
 
 	if (errcode & ERR_CODE)
 		return errcode;
@@ -3751,7 +3743,7 @@
 
 	if ((ckchs = ckchs_lookup(path))) {
 		/* we found the ckchs in the tree, we can use it directly */
-		 cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, &server->ssl_ctx.inst, &server->ssl_ctx.ctx, err);
+		 cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, &server->ssl_ctx.inst, err);
 		 found++;
 	} else if (stat(path, &buf) == 0) {
 		/* We do not manage directories on backend side. */
@@ -3760,7 +3752,7 @@
 			ckchs =  ckchs_load_cert_file(path, err);
 			if (!ckchs)
 				cfgerr |= ERR_ALERT | ERR_FATAL;
-			cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, &server->ssl_ctx.inst, &server->ssl_ctx.ctx, err);
+			cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, &server->ssl_ctx.inst, err);
 			if (server->ssl_ctx.inst) {
 				server->ssl_ctx.inst->is_server_instance = 1;
 				server->ssl_ctx.inst->server = server;