mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

CLEANUP: ssl/cli: use the list of filters in the crtlist_entry

Browse Source 
In 'commit ssl cert', instead of trying to regenerate a list of filters
from the SNIs, use the list provided by the crtlist_entry used to
generate the ckch_inst.

This list of filters doesn't need to be free'd anymore since they are
always reused from the crtlist_entry.
This commit is contained in:
William Lallemand 2020-04-08 16:29:15 +02:00 committed by William Lallemand
parent 02e19a5c7b
commit caa161982f
2 changed files with 6 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/types/ssl_sock.h
View File

@ -139,7 +139,7 @@ struct ckch_inst {
struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */ struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */ struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */ struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
unsigned int filters:1; /* using sni filters ? */ struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */
unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */ unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
/* space for more flag there */ /* space for more flag there */
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */ struct list sni_ctx; /* list of sni_ctx using this ckch_inst */

92
src/ssl_sock.c
View File

@ -3904,84 +3904,6 @@ end:
return NULL; return NULL;
} }
/*
* Free a sni filters array generated by ckch_inst_sni_ctx_to_sni_filters()
*/
static inline void free_sni_filters(char **sni_filter, int fcount)
{
int i;
if (sni_filter) {
for (i = 0; i < fcount; i++) {
if (sni_filter[i]) {
free(sni_filter[i]);
sni_filter[i] = NULL;
}
}
free(sni_filter);
}
}
/*
* Fill <*sni_filter> with an allocated array of ptr to the existing filters,
* The caller should free <*sni_filter>.
* Fill <*fcount> with the number of filters
* Return an ERR_* code.
*/
static int ckch_inst_sni_ctx_to_sni_filters(const struct ckch_inst *ckchi, char ***sni_filter, int *fcount, char **err)
{
struct sni_ctx *sc0;
int errcode = 0;
int i = 0;
char **tmp_filter;
int tmp_fcount = 0;
list_for_each_entry(sc0, &ckchi->sni_ctx, by_ckch_inst) {
tmp_fcount++;
}
if (!tmp_fcount)
goto end;
tmp_filter = calloc(tmp_fcount, sizeof(*tmp_filter));
if (!tmp_filter) {
errcode |= ERR_FATAL|ERR_ALERT;
goto error;
}
list_for_each_entry(sc0, &ckchi->sni_ctx, by_ckch_inst) {
size_t len = strlen((char *)sc0->name.key);
/* we need to alloc and copy to insert a '!' or/and a '*' */
tmp_filter[i] = calloc(1, len + sc0->neg + sc0->wild + 1);
if (!tmp_filter[i]) {
errcode |= ERR_FATAL|ERR_ALERT;
goto error;
}
if (sc0->neg)
*tmp_filter[i] = '!';
if (sc0->wild)
*(tmp_filter[i] + sc0->neg) = '*';
memcpy(tmp_filter[i] + sc0->neg + sc0->wild, (char *)sc0->name.key, len + 1);
i++;
}
*sni_filter = tmp_filter;
end:
*fcount = tmp_fcount;
return errcode;
error:
memprintf(err, "%sUnable to generate filters!",
err && *err ? *err : "");
free_sni_filters(tmp_filter, tmp_fcount);
return errcode;
}
#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL #if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
/* /*
@ -4197,7 +4119,6 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c
ckch_inst->bind_conf = bind_conf; ckch_inst->bind_conf = bind_conf;
ckch_inst->ssl_conf = ssl_conf; ckch_inst->ssl_conf = ssl_conf;
ckch_inst->ckch_store = ckchs; ckch_inst->ckch_store = ckchs;
ckch_inst->filters = !!fcount;
end: end:
@ -4396,7 +4317,6 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs,
ckch_inst->bind_conf = bind_conf; ckch_inst->bind_conf = bind_conf;
ckch_inst->ssl_conf = ssl_conf; ckch_inst->ssl_conf = ssl_conf;
ckch_inst->ckch_store = ckchs; ckch_inst->ckch_store = ckchs;
ckch_inst->filters = !!fcount;
SSL_CTX_free(ctx); /* we need to free the ctx since we incremented the refcount where it's used */ SSL_CTX_free(ctx); /* we need to free the ctx since we incremented the refcount where it's used */
@ -5041,6 +4961,7 @@ int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_con
goto error; goto error;
} }
LIST_ADDQ(&entry->ckch_inst, &ckch_inst->by_crtlist_entry); LIST_ADDQ(&entry->ckch_inst, &ckch_inst->by_crtlist_entry);
ckch_inst->crtlist_entry = entry;
} }
/* add the bind_conf to the list */ /* add the bind_conf to the list */
@ -12049,10 +11970,10 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
appctx->ctx.ssl.next_ckchi = ckchi; appctx->ctx.ssl.next_ckchi = ckchi;
goto yield; goto yield;
} }
if (ckchi->filters) {
errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err); if (ckchi->crtlist_entry) {
if (errcode & ERR_CODE) sni_filter = ckchi->crtlist_entry->filters;
goto error; fcount = ckchi->crtlist_entry->fcount;
} }
if (new_ckchs->multi) if (new_ckchs->multi)
@ -12060,9 +11981,6 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
else else
errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err); errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
free_sni_filters(sni_filter, fcount);
sni_filter = NULL;
if (errcode & ERR_CODE) if (errcode & ERR_CODE)
goto error; goto error;