mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: ssl_sock: implement ssl_sock_prepare_bind_conf()

Browse Source 
Instead of hard-coding all SSL preparation in cfgparse.c, we now register
this new function as the transport layer's prepare_bind_conf() and call it
only when definied. This removes some non-obvious SSL-specific code from
cfgparse.c as well as a #ifdef.
This commit is contained in:
Willy Tarreau 2016-12-21 23:38:39 +01:00
parent 5aacf78a34
commit 55d3791b46
3 changed files with 45 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/proto/ssl_sock.h
View File

@ -45,6 +45,7 @@ int ssl_sock_is_ssl(struct connection *conn)
int ssl_sock_handshake(struct connection *conn, unsigned int flag); int ssl_sock_handshake(struct connection *conn, unsigned int flag);
int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx); int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx);
int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf); int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf);
int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf);
int ssl_sock_prepare_srv_ctx(struct server *srv); int ssl_sock_prepare_srv_ctx(struct server *srv);
void ssl_sock_free_srv_ctx(struct server *srv); void ssl_sock_free_srv_ctx(struct server *srv);
void ssl_sock_free_all_ctx(struct bind_conf *bind_conf); void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);

34
src/cfgparse.c
View File

@ -8717,46 +8717,16 @@ out_uri_auth_compat:
struct listener *listener; struct listener *listener;
unsigned int next_id; unsigned int next_id;
#ifdef USE_OPENSSL
/* Configure SSL for each bind line. /* Configure SSL for each bind line.
* Note: if configuration fails at some point, the ->ctx member * Note: if configuration fails at some point, the ->ctx member
* remains NULL so that listeners can later detach. * remains NULL so that listeners can later detach.
*/ */
list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) { list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
int alloc_ctx; if (bind_conf->xprt->prepare_bind_conf &&
bind_conf->xprt->prepare_bind_conf(bind_conf) < 0)
if (!bind_conf->is_ssl) {
if (bind_conf->default_ctx) {
Warning("Proxy '%s': A certificate was specified but SSL was not enabled on bind '%s' at [%s:%d] (use 'ssl').\n",
curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
}
continue;
}
if (!bind_conf->default_ctx) {
Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++; cfgerr++;
continue;
} }
alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global.tune.sslprivatecache && (global.nbproc > 1)) ? 1 : 0);
if (alloc_ctx < 0) {
if (alloc_ctx == SHCTX_E_INIT_LOCK)
Alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
else
Alert("Unable to allocate SSL session cache.\n");
cfgerr++;
continue;
}
/* initialize all certificate contexts */
cfgerr += ssl_sock_prepare_all_ctx(bind_conf);
/* initialize CA variables if the certificates generation is enabled */
cfgerr += ssl_sock_load_ca(bind_conf);
}
#endif /* USE_OPENSSL */
/* adjust this proxy's listeners */ /* adjust this proxy's listeners */
next_id = 1; next_id = 1;
list_for_each_entry(listener, &curproxy->conf.listeners, by_fe) { list_for_each_entry(listener, &curproxy->conf.listeners, by_fe) {

42
src/ssl_sock.c
View File

@ -3223,6 +3223,47 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf)
return err; return err;
} }
/* Prepares all the contexts for a bind_conf and allocates the shared SSL
* context if needed. Returns < 0 on error, 0 on success. The warnings and
* alerts are directly emitted since the rest of the stack does it below.
*/
int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
{
struct proxy *px = bind_conf->frontend;
int alloc_ctx;
int err;
if (!bind_conf->is_ssl) {
if (bind_conf->default_ctx) {
Warning("Proxy '%s': A certificate was specified but SSL was not enabled on bind '%s' at [%s:%d] (use 'ssl').\n",
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
}
return 0;
}
if (!bind_conf->default_ctx) {
Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
return -1;
}
alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global.tune.sslprivatecache && (global.nbproc > 1)) ? 1 : 0);
if (alloc_ctx < 0) {
if (alloc_ctx == SHCTX_E_INIT_LOCK)
Alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
else
Alert("Unable to allocate SSL session cache.\n");
return -1;
}
err = 0;
/* initialize all certificate contexts */
err += ssl_sock_prepare_all_ctx(bind_conf);
/* initialize CA variables if the certificates generation is enabled */
err += ssl_sock_load_ca(bind_conf);
return -err;
}
/* release ssl context allocated for servers. */ /* release ssl context allocated for servers. */
void ssl_sock_free_srv_ctx(struct server *srv) void ssl_sock_free_srv_ctx(struct server *srv)
@ -6590,6 +6631,7 @@ struct xprt_ops ssl_sock = {
.shutw = ssl_sock_shutw, .shutw = ssl_sock_shutw,
.close = ssl_sock_close, .close = ssl_sock_close,
.init = ssl_sock_init, .init = ssl_sock_init,
.prepare_bind_conf = ssl_sock_prepare_bind_conf,
.name = "SSL", .name = "SSL",
}; };