MINOR: Add 'conn' param to ssl_sock_chose_sni_ctx

This is only useful in the traces, the conn parameter won't be used otherwise.
2025-09-21 13:51:26 +02:00 · 2025-04-18 17:26:58 +02:00 · 2025-04-18 17:26:58 +02:00 · 047fb37b19
commit 047fb37b19
parent 6519cec2ed
4 changed files with 16 additions and 16 deletions
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@ -117,8 +117,8 @@ int ssl_sock_switchctx_wolfSSL_cbk(WOLFSSL* ssl, void* arg);

 int increment_sslconn();
 void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_conf);
-struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *servername,
-                                                             int have_rsa_sig, int have_ecdsa_sig);
+struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, struct connection *conn,
+                                       const char *servername, int have_rsa_sig, int have_ecdsa_sig);
 #ifdef SSL_MODE_ASYNC
 void ssl_async_fd_handler(int fd);
 void ssl_async_fd_free(int fd);
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@ -36,14 +36,14 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
 *
 * This function does a lookup in the bind_conf sni tree so the caller should lock its tree.
 */
-struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *servername,
-                                                             int have_rsa_sig, int have_ecdsa_sig)
+struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, struct connection *conn,
+                                       const char *servername, int have_rsa_sig, int have_ecdsa_sig)
 {
 	struct ebmb_node *node, *n, *node_ecdsa = NULL, *node_rsa = NULL, *node_anonymous = NULL;
 	const char *wildp = NULL;
 	int i;

-	TRACE_ENTER(SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername);
+	TRACE_ENTER(SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername);

 	/* look for the first dot for wildcard search */
 	for (i = 0; servername[i] != '\0'; i++) {
@ -108,27 +108,27 @@ struct sni_ctx *ssl_sock_chose_sni_ctx(struct bind_conf *s, const char *serverna
 	 * RSA > DSA */
 	if (have_ecdsa_sig && node_ecdsa) {
 		node = node_ecdsa;
-		TRACE_STATE("ECDSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+		TRACE_STATE("ECDSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
 	} else if (have_rsa_sig && node_rsa) {
 		node = node_rsa;
-		TRACE_STATE("RSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+		TRACE_STATE("RSA node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
 	} else if (node_anonymous) {
 		node = node_anonymous;
-		TRACE_STATE("Anonymous node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+		TRACE_STATE("Anonymous node picked", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
 	} else if (node_ecdsa) {
 		node = node_ecdsa;      /* no ecdsa signature case (< TLSv1.2) */
-		TRACE_STATE("ECDSA node picked (< TLSv1.2)", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+		TRACE_STATE("ECDSA node picked (< TLSv1.2)", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
 	} else {
 		node = node_rsa;        /* no rsa signature case (far far away) */
-		TRACE_STATE("RSA node picked (fallback)", SSL_EV_CONN_CHOOSE_SNI_CTX, NULL, servername, node);
+		TRACE_STATE("RSA node picked (fallback)", SSL_EV_CONN_CHOOSE_SNI_CTX, conn, servername, node);
 	}

 	if (node) {
-		TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX);
+		TRACE_LEAVE(SSL_EV_CONN_CHOOSE_SNI_CTX, conn);
 		return container_of(node, struct sni_ctx, name);
 	}

-	TRACE_STATE("No SNI context found", SSL_EV_CONN_CHOOSE_SNI_CTX);
+	TRACE_STATE("No SNI context found", SSL_EV_CONN_CHOOSE_SNI_CTX, conn);
 	return NULL;
 }

@ -407,7 +407,7 @@ sni_lookup:
 	trash.area[i] = 0;

 	HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock);
-	sni_ctx = ssl_sock_chose_sni_ctx(s, trash.area, has_rsa_sig, has_ecdsa_sig);
+	sni_ctx = ssl_sock_chose_sni_ctx(s, conn, trash.area, has_rsa_sig, has_ecdsa_sig);
 	if (sni_ctx) {
 		/* switch ctx */
 		struct ssl_bind_conf *conf = sni_ctx->conf;
@ -701,7 +701,7 @@ sni_lookup:
 	servername = trash.area;

 	HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock);
-	sni_ctx = ssl_sock_chose_sni_ctx(s, servername, has_rsa_sig, has_ecdsa_sig);
+	sni_ctx = ssl_sock_chose_sni_ctx(s, conn, servername, has_rsa_sig, has_ecdsa_sig);
 	if (sni_ctx) {
 		/* switch ctx */
 		struct ssl_bind_conf *conf = sni_ctx->conf;
--- a/src/ssl_gencert.c
+++ b/src/ssl_gencert.c
@ -98,7 +98,7 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf
 	int 	      key_type;
 	struct sni_ctx *sni_ctx;

-	sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, "", 1, 1);
+	sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, NULL, "", 1, 1);
 	if (!sni_ctx)
 		goto mkcert_error;

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -4787,7 +4787,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
 		struct sni_ctx *sni_ctx;

 		/* if we use the generate-certificates option, look for the first default cert available */
-		sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, "", 1, 1);
+		sni_ctx = ssl_sock_chose_sni_ctx(bind_conf, NULL, "", 1, 1);
 		if (!sni_ctx) {
 			ha_alert("Proxy '%s': no SSL certificate specified for bind '%s' and 'generate-certificates' option at [%s:%d] (use 'crt').\n",
 				 px->id, bind_conf->arg, bind_conf->file, bind_conf->line);