REORG: ssl: move macros and structure definitions to ssl_sock.h

The ssl_sock.c file contains a lot of macros and structure definitions that should be in a .h. Move them to the more appropriate types/ssl_sock.h file.
2025-09-22 14:21:25 +02:00 · 2020-05-07 15:20:43 +02:00 · 2020-05-07 15:20:43 +02:00 · 7fd8b4567e
commit 7fd8b4567e
parent 2dec6a3bf1
2 changed files with 121 additions and 101 deletions
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@ -31,7 +31,85 @@
 #include <common/mini-clist.h>
 #include <common/openssl-compat.h>
-struct connection;
+/* ***** READ THIS before adding code here! *****
 *
 * Due to API incompatibilities between multiple OpenSSL versions and their
 * derivatives, it's often tempting to add macros to (re-)define certain
 * symbols. Please do not do this here, and do it in common/openssl-compat.h
 * exclusively so that the whole code consistently uses the same macros.
 *
 * Whenever possible if a macro is missing in certain versions, it's better
 * to conditionally define it in openssl-compat.h than using lots of ifdefs.
 */
 /* Warning, these are bits, not integers! */
 #define SSL_SOCK_ST_FL_VERIFY_DONE  0x00000001
 #define SSL_SOCK_ST_FL_16K_WBFSIZE  0x00000002
 #define SSL_SOCK_SEND_UNLIMITED     0x00000004
 #define SSL_SOCK_RECV_HEARTBEAT     0x00000008
 /* bits 0xFFFF0000 are reserved to store verify errors */
 /* Verify errors macros */
 #define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 63) ? 63 : e) << (16))
 #define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (6+16))
 #define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 63) ? 63 : e) << (4+6+16))
 #define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (16)) & 63)
 #define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (6+16)) & 15)
 #define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+6+16)) & 63)
 /* ssl_methods flags for ssl options */
 #define MC_SSL_O_ALL            0x0000
 #define MC_SSL_O_NO_SSLV3       0x0001	/* disable SSLv3 */
 #define MC_SSL_O_NO_TLSV10      0x0002	/* disable TLSv10 */
 #define MC_SSL_O_NO_TLSV11      0x0004	/* disable TLSv11 */
 #define MC_SSL_O_NO_TLSV12      0x0008	/* disable TLSv12 */
 #define MC_SSL_O_NO_TLSV13      0x0010	/* disable TLSv13 */
 /* file to guess during file loading */
 #define SSL_GF_NONE         0x00000000   /* Don't guess any file, only open the files specified in the configuration files */
 #define SSL_GF_BUNDLE       0x00000001   /* try to open the bundles */
 #define SSL_GF_SCTL         0x00000002   /* try to open the .sctl file */
 #define SSL_GF_OCSP         0x00000004   /* try to open the .ocsp file */
 #define SSL_GF_OCSP_ISSUER  0x00000008   /* try to open the .issuer file if an OCSP file was loaded */
 #define SSL_GF_KEY          0x00000010   /* try to open the .key file to load a private key */
 #define SSL_GF_ALL          (SSL_GF_BUNDLE|SSL_GF_SCTL|SSL_GF_OCSP|SSL_GF_OCSP_ISSUER|SSL_GF_KEY)
 /* ssl_methods versions */
 enum {
 	CONF_TLSV_NONE = 0,
 	CONF_TLSV_MIN  = 1,
 	CONF_SSLV3     = 1,
 	CONF_TLSV10    = 2,
 	CONF_TLSV11    = 3,
 	CONF_TLSV12    = 4,
 	CONF_TLSV13    = 5,
 	CONF_TLSV_MAX  = 5,
 };
 #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
 typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
 #else /* openssl >= 1.1.0 */
 typedef enum { SET_MIN, SET_MAX } set_context_func;
 #endif
 struct methodVersions {
 	int      option;
 	uint16_t flag;
 	void   (*ctx_set_version)(SSL_CTX *, set_context_func);
 	void   (*ssl_set_version)(SSL *, set_context_func);
 	const char *name;
 };
 /* server and bind verify method, it uses a global value as default */
 enum {
 	SSL_SOCK_VERIFY_DEFAULT  = 0,
 	SSL_SOCK_VERIFY_REQUIRED = 1,
 	SSL_SOCK_VERIFY_OPTIONAL = 2,
 	SSL_SOCK_VERIFY_NONE     = 3,
 };
 struct pkey_info {
 	uint8_t sig;          /* TLSEXT_signature_[rsa,ecdsa,...] */
@ -204,6 +282,8 @@ struct issuer_chain {
 	char *path;
 };
 struct connection;
 typedef void (*ssl_sock_msg_callback_func)(struct connection *conn,
 	int write_p, int version, int content_type,
 	const void *buf, size_t len, SSL *ssl);
@ -217,5 +297,43 @@ struct ssl_sock_msg_callback {
 	struct list list;    /* list of registered callbacks */
 };
 /* This memory pool is used for capturing clienthello parameters. */
 struct ssl_capture {
 	unsigned long long int xxh64;
 	unsigned char ciphersuite_len;
 	char ciphersuite[0];
 };
 struct global_ssl {
 	char *crt_base;             /* base directory path for certificates */
 	char *ca_base;              /* base directory path for CAs and CRLs */
 	char *issuers_chain_path;   /* from "issuers-chain-path" */
 	int  skip_self_issued_ca;
 	int  async;                 /* whether we use ssl async mode */
 	char *listen_default_ciphers;
 	char *connect_default_ciphers;
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 	char *listen_default_ciphersuites;
 	char *connect_default_ciphersuites;
 #endif
 #if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
 	char *listen_default_curves;
 #endif
 	int listen_default_ssloptions;
 	int connect_default_ssloptions;
 	struct tls_version_filter listen_default_sslmethods;
 	struct tls_version_filter connect_default_sslmethods;
 	int private_cache; /* Force to use a private session cache even if nbproc > 1 */
 	unsigned int life_time;   /* SSL session lifetime in seconds */
 	unsigned int max_record; /* SSL max record size */
 	unsigned int default_dh_param; /* SSL maximum DH parameter size */
 	int ctx_cache; /* max number of entries in the ssl_ctx cache. */
 	int capture_cipherlist; /* Size of the cipherlist buffer. */
 	int extra_files; /* which files not defined in the configuration file are we looking for */
 };
 #endif /* USE_OPENSSL */
 #endif /* _TYPES_SSL_SOCK_H */
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -100,61 +100,6 @@
 * to conditionally define it in openssl-compat.h than using lots of ifdefs.
 */
 /* Warning, these are bits, not integers! */
 #define SSL_SOCK_ST_FL_VERIFY_DONE  0x00000001
 #define SSL_SOCK_ST_FL_16K_WBFSIZE  0x00000002
 #define SSL_SOCK_SEND_UNLIMITED     0x00000004
 #define SSL_SOCK_RECV_HEARTBEAT     0x00000008
 /* bits 0xFFFF0000 are reserved to store verify errors */
 /* Verify errors macros */
 #define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 63) ? 63 : e) << (16))
 #define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (6+16))
 #define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 63) ? 63 : e) << (4+6+16))
 #define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (16)) & 63)
 #define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (6+16)) & 15)
 #define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+6+16)) & 63)
 /* ssl_methods flags for ssl options */
 #define MC_SSL_O_ALL            0x0000
 #define MC_SSL_O_NO_SSLV3       0x0001	/* disable SSLv3 */
 #define MC_SSL_O_NO_TLSV10      0x0002	/* disable TLSv10 */
 #define MC_SSL_O_NO_TLSV11      0x0004	/* disable TLSv11 */
 #define MC_SSL_O_NO_TLSV12      0x0008	/* disable TLSv12 */
 #define MC_SSL_O_NO_TLSV13      0x0010	/* disable TLSv13 */
 /* file to guess during file loading */
 #define SSL_GF_NONE         0x00000000   /* Don't guess any file, only open the files specified in the configuration files */
 #define SSL_GF_BUNDLE       0x00000001   /* try to open the bundles */
 #define SSL_GF_SCTL         0x00000002   /* try to open the .sctl file */
 #define SSL_GF_OCSP         0x00000004   /* try to open the .ocsp file */
 #define SSL_GF_OCSP_ISSUER  0x00000008   /* try to open the .issuer file if an OCSP file was loaded */
 #define SSL_GF_KEY          0x00000010   /* try to open the .key file to load a private key */
 #define SSL_GF_ALL          (SSL_GF_BUNDLE|SSL_GF_SCTL|SSL_GF_OCSP|SSL_GF_OCSP_ISSUER|SSL_GF_KEY)
 /* ssl_methods versions */
 enum {
 	CONF_TLSV_NONE = 0,
 	CONF_TLSV_MIN  = 1,
 	CONF_SSLV3     = 1,
 	CONF_TLSV10    = 2,
 	CONF_TLSV11    = 3,
 	CONF_TLSV12    = 4,
 	CONF_TLSV13    = 5,
 	CONF_TLSV_MAX  = 5,
 };
 /* server and bind verify method, it uses a global value as default */
 enum {
 	SSL_SOCK_VERIFY_DEFAULT  = 0,
 	SSL_SOCK_VERIFY_REQUIRED = 1,
 	SSL_SOCK_VERIFY_OPTIONAL = 2,
 	SSL_SOCK_VERIFY_NONE     = 3,
 };
 int sslconns = 0;
 int totalsslconns = 0;
 static struct xprt_ops ssl_sock;
@ -163,36 +108,7 @@ int nb_engines = 0;
 static struct eb_root cert_issuer_tree = EB_ROOT; /* issuers tree from "issuers-chain-path" */
 static struct issuer_chain* ssl_get0_issuer_chain(X509 *cert);
-static struct {
+struct global_ssl global_ssl = {
 	char *crt_base;             /* base directory path for certificates */
 	char *ca_base;              /* base directory path for CAs and CRLs */
 	char *issuers_chain_path;   /* from "issuers-chain-path" */
 	int  skip_self_issued_ca;
 	int  async;                 /* whether we use ssl async mode */
 	char *listen_default_ciphers;
 	char *connect_default_ciphers;
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 	char *listen_default_ciphersuites;
 	char *connect_default_ciphersuites;
 #endif
 #if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
 	char *listen_default_curves;
 #endif
 	int listen_default_ssloptions;
 	int connect_default_ssloptions;
 	struct tls_version_filter listen_default_sslmethods;
 	struct tls_version_filter connect_default_sslmethods;
 	int private_cache; /* Force to use a private session cache even if nbproc > 1 */
 	unsigned int life_time;   /* SSL session lifetime in seconds */
 	unsigned int max_record; /* SSL max record size */
 	unsigned int default_dh_param; /* SSL maximum DH parameter size */
 	int ctx_cache; /* max number of entries in the ssl_ctx cache. */
 	int capture_cipherlist; /* Size of the cipherlist buffer. */
 	int extra_files; /* which files not defined in the configuration file are we looking for */
 } global_ssl = {
 #ifdef LISTEN_DEFAULT_CIPHERS
 	.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
 #endif
@ -545,12 +461,6 @@ static STACK_OF(X509_NAME)* ssl_get_client_ca_file(char *path)
 	return ca_e->ca_list;
 }
 /* This memory pool is used for capturing clienthello parameters. */
 struct ssl_capture {
 	unsigned long long int xxh64;
 	unsigned char ciphersuite_len;
 	char ciphersuite[0];
 };
 struct pool_head *pool_head_ssl_capture = NULL;
 static int ssl_capture_ptr_index = -1;
 static int ssl_app_data_index = -1;
@ -2335,7 +2245,6 @@ ssl_sock_generate_certificate_from_conn(struct bind_conf *bind_conf, SSL *ssl)
 #endif /* !defined SSL_NO_GENERATE_CERTIFICATES */
 #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
 typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
 static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
 {
@ -2369,7 +2278,6 @@ static void ssl_set_TLSv11_func(SSL *ssl, set_context_func c) {}
 static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {}
 static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {}
 #else /* openssl >= 1.1.0 */
 typedef enum { SET_MIN, SET_MAX } set_context_func;
 static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c) {
 	c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)
@ -2419,13 +2327,7 @@ static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {
 static void ctx_set_None_func(SSL_CTX *ctx, set_context_func c) { }
 static void ssl_set_None_func(SSL *ssl, set_context_func c) { }
-static struct {
+struct methodVersions methodVersions[] = {
 	int      option;
 	uint16_t flag;
 	void   (*ctx_set_version)(SSL_CTX *, set_context_func);
 	void   (*ssl_set_version)(SSL *, set_context_func);
 	const char *name;
 } methodVersions[] = {
 	{0, 0, ctx_set_None_func, ssl_set_None_func, "NONE"},   /* CONF_TLSV_NONE */
 	{SSL_OP_NO_SSLv3,   MC_SSL_O_NO_SSLV3,  ctx_set_SSLv3_func, ssl_set_SSLv3_func, "SSLv3"},    /* CONF_SSLV3 */
 	{SSL_OP_NO_TLSv1,   MC_SSL_O_NO_TLSV10, ctx_set_TLSv10_func, ssl_set_TLSv10_func, "TLSv1.0"}, /* CONF_TLSV10 */