This patch is generated from the ssl-20010504 branch of HEAD-20010504 in squid Tue Sep 9 11:57:45 2003 GMT See http://devel.squid-cache.org/
Index: squid/src/cache_cf.c
diff -u squid/src/cache_cf.c:1.22 squid/src/cache_cf.c:1.21.20.4
--- squid/src/cache_cf.c:1.22 Fri Apr 20 13:13:52 2001
+++ squid/src/cache_cf.c Fri Apr 20 13:19:49 2001
@@ -85,6 +85,14 @@
 static void dump_sockaddr_in_list(StoreEntry *, const char *, const sockaddr_in_list *);
 static void free_sockaddr_in_list(sockaddr_in_list **);
 static int check_null_sockaddr_in_list(const sockaddr_in_list *);
+#if USE_SSL
+static void parse_https_port_list(https_port_list **);
+static void dump_https_port_list(StoreEntry *, const char *, const https_port_list *);
+static void free_https_port_list(https_port_list **);
+#if 0
+static int check_null_https_port_list(const https_port_list *);
+#endif
+#endif /* USE_SSL */
 void self_destruct(void)
@@ -2051,6 +2059,96 @@
 {
 return NULL == s;
 }
+
+#if USE_SSL
+static void
+parse_https_port_list(https_port_list ** head)
+{
+ char *token;
+ char *t;
+ char *host;
+ const struct hostent *hp;
+ unsigned short port;
+ https_port_list *s;
+ token = strtok(NULL, w_space);
+ if (!token)
+ self_destruct();
+ host = NULL;
+ port = 0;
+ if ((t = strchr(token, ':'))) {
+ /* host:port */
+ host = token;
+ *t = '\0';
+ port = (unsigned short) atoi(t + 1);
+ if (0 == port)
+ self_destruct();
+ } else if ((port = atoi(token)) > 0) {
+ /* port */
+ } else {
+ self_destruct();
+ }
+ s = xcalloc(1, sizeof(*s));
+ s->s.sin_port = htons(port);
+ if (NULL == host)
+ s->s.sin_addr = any_addr;
+ else if (1 == safe_inet_addr(host, &s->s.sin_addr))
+ (void) 0;
+ else if ((hp = gethostbyname(host))) /* dont use ipcache */
+ s->s.sin_addr = inaddrFromHostent(hp);
+ else
+ self_destruct();
+ /* parse options ... */
+ while ((token = strtok(NULL, w_space))) {
+ if (strncmp(token, "cert=", 5) == 0) {
+ safe_free(s->cert);
+ s->cert = xstrdup(token+5);
+ } else if (strncmp(token, "key=", 4) == 0) {
+ safe_free(s->key);
+ s->key = xstrdup(token+4);
+ } else {
+ self_destruct();
+ }
+ }
+ while (*head)
+ head = &(*head)->next;
+ *head = s;
+}
+
+static void
+dump_https_port_list(StoreEntry * e, const char *n, const https_port_list * s)
+{
+ while (s) {
+ storeAppendPrintf(e, "%s %s:%d cert=\"%s\" key=\"%s\"\n",
+ n,
+ inet_ntoa(s->s.sin_addr),
+ ntohs(s->s.sin_port),
+ s->cert,
+ s->key);
+ s = s->next;
+ }
+}
+
+static void
+free_https_port_list(https_port_list ** head)
+{
+ https_port_list *s;
+ while ((s = *head) != NULL) {
+ *head = s->next;
+ safe_free(s->cert);
+ safe_free(s->key);
+ safe_free(s);
+ }
+}
+
+#if 0
+static int
+check_null_https_port_list(const https_port_list * s)
+{
+ return NULL == s;
+}
+#endif
+
+#endif /* USE_SSL */
 void configFreeMemory(void)
Index: squid/src/cf.data.pre
diff -u squid/src/cf.data.pre:1.26 squid/src/cf.data.pre:1.26.2.3
--- squid/src/cf.data.pre:1.26 
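Review bot: parse_https_port_list never checks that a `cert=` option was given, so an https_port line with only a port leaves `s->cert` NULL even though the cf.data.pre text in this patch documents cert= as mandatory, and that NULL is later handed to sslLoadCert(s->cert, s->key); add `if (NULL == s->cert) self_destruct();` after the option loop. The port is taken with `atoi` and narrowed to unsigned short, so `70000` silently becomes 4464 and `-1` becomes 65535 while only 0 is rejected; parse with strtol, check `*end == '\0'`, and require 1..65535 in both the host:port and bare-port branches. dump_https_port_list prints `key=\"%s\"` with `s->key`, which is a NULL pointer whenever key= was omitted (the documented combined-file case), and passing NULL for `%s` is undefined; emit the key= option only when `s->key` is set, or at minimum print `s->key ? s->key : ""`.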
Fri Apr 13 17:31:01 2001 +++ squid/src/cf.data.pre Sat Apr 21 11:38:02 2001 @@ -86,40 +86,24 @@ NAME: https_port IFDEF: USE_SSL -TYPE: sockaddr_in_list +TYPE: https_port_list DEFAULT: none LOC: Config.Sockaddr.https DOC_START - Usage: port - hostname:port - 1.2.3.4:port - - The socket addresses where Squid will listen for HTTPS client - requests. You may specify multiple socket addresses. + Usage: [ip:]port cert=certificate.pem [key=key.pem] + The socket address where Squid will listen for HTTPS client + requests. + This is really only useful for situations where you are running squid in accelerator mode and you want to do the SSL work at the accelerator level. -DOC_END -NAME: ssl_certificate -IFDEF: USE_SSL -TYPE: string -DEFAULT: none -LOC: Config.SSL.certificate -COMMENT: /path/to/certificate -DOC_START - Certificate for use with SSL acceleration. -DOC_END + If key is not specified then the given certificate is assumed to be a + combined certificate and key file. -NAME: ssl_key -IFDEF: USE_SSL -TYPE: string -DEFAULT: none -LOC: Config.SSL.key -COMMENT: /path/to/key -DOC_START - Key for SSL certificate defined in ssl_certificate. + You may specify multiple socket addresses on multiple lines, + each with their own SSL certificate. DOC_END NAME: ssl_version Index: squid/src/client_side.c diff -u squid/src/client_side.c:1.27 squid/src/client_side.c:1.27.2.3 --- squid/src/client_side.c:1.27 Tue Apr 17 17:41:22 2001 +++ squid/src/client_side.c Thu Apr 19 11:58:36 2001 @@ -3155,7 +3155,7 @@ void httpAccept(int sock, void *data) { - int *N = data; + int *N = &incoming_sockets_accepted; int fd = -1; ConnStateData *connState = NULL; struct sockaddr_in peer; 
@@ -3243,11 +3243,19 @@
 commSetSelect(fd, COMM_SELECT_READ, clientReadRequest, conn, 0);
 }
+struct _https_port_data {
+ SSL_CTX *sslContext;
+};
+typedef struct _https_port_data https_port_data;
+CBDATA_TYPE(https_port_data);
+
 /* handle a new HTTPS connection */
 static void
 httpsAccept(int sock, void *data)
 {
- int *N = data;
+ int *N = &incoming_sockets_accepted;
+ https_port_data *https_port = data;
+ SSL_CTX *sslContext = https_port->sslContext;
 int fd = -1;
 ConnStateData *connState = NULL;
 struct sockaddr_in peer;
@@ -3258,7 +3266,7 @@
 #if USE_IDENT
 static aclCheck_t identChecklist;
 #endif
- commSetSelect(sock, COMM_SELECT_READ, httpsAccept, NULL, 0);
+ commSetSelect(sock, COMM_SELECT_READ, httpsAccept, https_port, 0);
 while (max-- && !httpAcceptDefer(sock, NULL)) {
 memset(&peer, '\0', sizeof(struct sockaddr_in));
 memset(&me, '\0', sizeof(struct sockaddr_in));
@@ -3433,7 +3441,7 @@
 request_failure_ratio = 0.8; /* reset to something less than 1.0 */
 }
-void
+static void
 clientHttpConnectionsOpen(void)
 {
 sockaddr_in_list *s;
@@ -3467,7 +3475,15 @@
 fd);
 HttpSockets[NHttpSockets++] = fd;
 }
-#ifdef USE_SSL
+}
+
+#if USE_SSL
+static void
+clientHttpsConnectionsOpen(void)
+{
+ https_port_list *s;
+ https_port_data *https_port;
+ int fd;
 for (s = Config.Sockaddr.https; s; s = s->next) {
 enter_suid();
 fd = comm_open(SOCK_STREAM,
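Review bot: In the `@@ -3243` hunk the new `struct _https_port_data` and its CBDATA_TYPE carry no comment saying what the object is or who owns the SSL_CTX, and httpsAccept now casts `data` to that type and dereferences it on its second line, so the contract that every httpsAccept registration passes an https_port_data rather than the old `int *` counter is only implied by the two commSetSelect calls elsewhere in the patch. Add above the struct `/* per-listener state registered as the read callback data of an https_port socket; owns sslContext for the life of the listener */`, and open httpsAccept with `assert(https_port);` so a NULL registration fails at the assert rather than at the dereference. httpsAccept's body continues past the end of the hunk.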
@@ -3479,20 +3495,31 @@
 leave_suid();
 if (fd < 0)
 continue;
+ CBDATA_INIT_TYPE(https_port_data);
+ https_port = cbdataAlloc(https_port_data);
+ https_port->sslContext = sslLoadCert(s->cert, s->key);
 comm_listen(fd);
- commSetSelect(fd, COMM_SELECT_READ, httpsAccept, NULL, 0);
- /*commSetDefer(fd, httpAcceptDefer, NULL); */
+ commSetSelect(fd, COMM_SELECT_READ, httpsAccept, https_port, 0);
+ commSetDefer(fd, httpAcceptDefer, NULL);
 debug(1, 1) ("Accepting HTTPS connections at %s, port %d, FD %d.\n",
 inet_ntoa(s->s.sin_addr),
 (int) ntohs(s->s.sin_port),
 fd);
 HttpSockets[NHttpSockets++] = fd;
 }
+}
+#endif
+
+void
+clientOpenListenSockets(void)
+{
+ clientHttpConnectionsOpen();
+#if USE_SSL
+ clientHttpsConnectionsOpen();
 #endif
 if (NHttpSockets < 1)
 fatal("Cannot open HTTP Port");
 }
-
 void
 clientHttpConnectionsClose(void)
 {
Index: squid/src/comm_select.c
diff -u squid/src/comm_select.c:1.5 squid/src/comm_select.c:1.5.2.1
--- squid/src/comm_select.c:1.5 Fri Feb 23 13:03:30 2001
+++ squid/src/comm_select.c Wed Apr 18 09:57:02 2001
@@ -201,10 +201,10 @@
 {
 int i;
 int fd;
- int incame = 0;
 PF *hdl = NULL;
 int npfds;
 struct pollfd pfds[3 + MAXHTTPPORTS];
+ incoming_sockets_accepted = 0;
 for (i = npfds = 0; i < nfds; i++) {
 int events;
 fd = fds[i];
@@ -227,7 +227,7 @@
 #endif
 statCounter.syscalls.polls++;
 if (poll(pfds, npfds, 0) < 1)
- return incame;
+ return incoming_sockets_accepted;
 for (i = 0; i < npfds; i++) {
 int revents;
 if (((revents = pfds[i].revents) == 0) || ((fd = pfds[i].fd) == -1))
@@ -235,7 +235,7 @@
 if (revents & (POLLRDNORM | POLLIN | POLLHUP | POLLERR)) {
 if ((hdl = fd_table[fd].read_handler)) {
 fd_table[fd].read_handler = NULL;
- hdl(fd, &incame);
+ hdl(fd, fd_table[fd].read_data);
 } else if (pfds[i].events & POLLRDNORM)
 debug(5, 1) ("comm_poll_incoming: FD %d NULL read handler\n",
 fd);
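Review bot: `https_port->sslContext = sslLoadCert(s->cert, s->key);` runs after `leave_suid()`, so the private key named by key= (or embedded in the cert= file) must be readable by the unprivileged effective user rather than only by root; if Squid is started as root, loading the certificate inside the `enter_suid()`/`leave_suid()` window that already surrounds `comm_open` (its start is outside this hunk) lets the key file stay root-only. The https_port_data allocated here is never released: clientHttpConnectionsClose is outside the hunk, but only the fd is recorded in HttpSockets[], so if it merely closes the sockets every reconfigure leaks one cbdata object and one SSL_CTX per https_port line — keep the pointer on the https_port_list entry and free both when the listener is closed. `CBDATA_INIT_TYPE(https_port_data);` inside the loop looks idempotent but reads as per-port work; hoist it above the `for`. The return of sslLoadCert is not checked, which is only safe if every failure path in ssl_support.c is fatal(), something the patch does not show.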
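Review bot: In the `@@ -201` hunk the value comm_poll_incoming returns moved from the local `incame` to the global `incoming_sockets_accepted`, but nothing at `incoming_sockets_accepted = 0;` says which handlers are expected to bump it, so the coupling is invisible from this file; add `/* reset per pass; httpAccept, httpsAccept, idnsRead and icpHandleUdp increment it for each accepted connection or datagram */`, and the same in the `@@ -521` hunk of comm_select_incoming. Since handlers on incoming sockets now receive `fd_table[fd].read_data` instead of `&incame`, any handler registered there in future that still treats its data argument as `int *` would misread the pointer; the patch converts the four named handlers, and the comment should state that the data argument is now the registration's own callback data.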
@@ -243,13 +243,13 @@
 if (revents & (POLLWRNORM | POLLOUT | POLLHUP | POLLERR)) {
 if ((hdl = fd_table[fd].write_handler)) {
 fd_table[fd].write_handler = NULL;
- hdl(fd, &incame);
+ hdl(fd, fd_table[fd].write_data);
 } else if (pfds[i].events & POLLWRNORM)
 debug(5, 1) ("comm_poll_incoming: FD %d NULL write_handler\n",
 fd);
 }
 }
- return incame;
+ return incoming_sockets_accepted;
 }
 static void
@@ -521,13 +521,13 @@
 {
 int i;
 int fd;
- int incame = 0;
 int maxfd = 0;
 PF *hdl = NULL;
 fd_set read_mask;
 fd_set write_mask;
 FD_ZERO(&read_mask);
 FD_ZERO(&write_mask);
+ incoming_sockets_accepted = 0;
 for (i = 0; i < nfds; i++) {
 fd = fds[i];
 if (fd_table[fd].read_handler) {
@@ -548,14 +548,14 @@
 #endif
 statCounter.syscalls.selects++;
 if (select(maxfd, &read_mask, &write_mask, NULL, &zero_tv) < 1)
- return incame;
+ return incoming_sockets_accepted;
 for (i = 0; i < nfds; i++) {
 fd = fds[i];
 if (FD_ISSET(fd, &read_mask)) {
 if ((hdl = fd_table[fd].read_handler) != NULL) {
 fd_table[fd].read_handler = NULL;
 commUpdateReadBits(fd, NULL);
- hdl(fd, &incame);
+ hdl(fd, fd_table[fd].read_data);
 } else {
 debug(5, 1) ("comm_select_incoming: FD %d NULL read handler\n",
 fd);
@@ -565,14 +565,14 @@
 if ((hdl = fd_table[fd].write_handler) != NULL) {
 fd_table[fd].write_handler = NULL;
 commUpdateWriteBits(fd, NULL);
- hdl(fd, &incame);
+ hdl(fd, fd_table[fd].write_data);
 } else {
 debug(5, 1) ("comm_select_incoming: FD %d NULL write handler\n",
 fd);
 }
 }
 }
- return incame;
+ return incoming_sockets_accepted;
 }
 static void
Index: squid/src/dns_internal.c
diff -u squid/src/dns_internal.c:1.8 squid/src/dns_internal.c:1.8.4.1
--- squid/src/dns_internal.c:1.8 Wed Feb 14 22:12:46 2001
+++ squid/src/dns_internal.c Wed Apr 18 09:57:02 2001
@@ -338,7 +338,7 @@
 static void
 idnsRead(int fd, void *data)
 {
- int *N = data;
+ int *N = &incoming_sockets_accepted;
 ssize_t len;
 struct sockaddr_in from;
 socklen_t from_len;
Index: squid/src/globals.h
diff -u squid/src/globals.h:1.8 squid/src/globals.h:1.7.14.2
--- squid/src/globals.h:1.8 Fri Apr 20 13:13:52 2001
+++ squid/src/globals.h Fri Apr 20 13:19:49 2001
@@ -153,3 +153,4 @@
 extern ssize_t store_maxobjsize; /* -1 */
 extern RemovalPolicy *mem_policy;
 extern hash_table *proxy_auth_username_cache; /* NULL */
+extern int incoming_sockets_accepted;
Index: squid/src/icp_v2.c
diff -u squid/src/icp_v2.c:1.4 squid/src/icp_v2.c:1.4.14.1
--- squid/src/icp_v2.c:1.4 Fri Jan 12 00:20:33 2001
+++ squid/src/icp_v2.c Wed Apr 18 09:57:02 2001
@@ -337,7 +337,7 @@
 void
 icpHandleUdp(int sock, void *data)
 {
- int *N = data;
+ int *N = &incoming_sockets_accepted;
 struct sockaddr_in from;
 socklen_t from_len;
 LOCAL_ARRAY(char, buf, SQUID_UDP_SO_RCVBUF);
Index: squid/src/main.c
diff -u squid/src/main.c:1.21 squid/src/main.c:1.21.2.2
--- squid/src/main.c:1.21 Fri Apr 13 17:31:02 2001
+++ squid/src/main.c Wed Apr 18 10:10:10 2001
@@ -280,7 +280,7 @@
 static void
 serverConnectionsOpen(void)
 {
- clientHttpConnectionsOpen();
+ clientOpenListenSockets();
 icpConnectionsOpen();
 #if USE_HTCP
 htcpInit();
@@ -518,10 +518,6 @@
 }
 #if USE_WCCP
 wccpInit();
-#endif
-#if USE_SSL
- if (Config.Sockaddr.https)
- sslInit(Config.SSL.certificate, Config.SSL.key);
 #endif
 serverConnectionsOpen();
 if (theOutIcpConnection >= 0) {
Index: squid/src/protos.h
diff -u squid/src/protos.h:1.24 squid/src/protos.h:1.24.2.1
--- squid/src/protos.h:1.24 Fri Apr 13 17:31:02 2001
+++ squid/src/protos.h Wed Apr 18 10:10:10 2001
@@ -129,7 +129,7 @@
 extern char *clientConstructTraceEcho(clientHttpRequest *);
 extern void clientPurgeRequest(clientHttpRequest *);
 extern int checkNegativeHit(StoreEntry *);
-extern void clientHttpConnectionsOpen(void);
+extern void clientOpenListenSockets(void);
 extern void clientHttpConnectionsClose(void);
 extern StoreEntry *clientCreateStoreEntry(clientHttpRequest *, method_t, request_flags);
 extern int isTcpHit(log_type);
Index: squid/src/ssl_support.c
diff -u squid/src/ssl_support.c:1.2 squid/src/ssl_support.c:1.2.8.1
--- squid/src/ssl_support.c:1.2 Sat Apr 14 11:24:56 2001
+++ squid/src/ssl_support.c Wed Apr 18 09:57:02 2001
@@ -42,8 +42,6 @@
 void clientReadSSLRequest(int fd, void *data);
 void connFreeSSL(int fd, void *data);
-SSL_CTX *sslContext = NULL;
-SSL **ssl_table = NULL;
 static RSA *
 ssl_temp_rsa_cb(SSL * ssl, int export, int keylen)
@@ -90,13 +88,18 @@
 return ok;
 }
-void
-sslInit(const char *certfile, const char *keyfile)
+SSL_CTX *
+sslLoadCert(const char *certfile, const char *keyfile)
 {
 int ssl_error;
 SSL_METHOD *method;
- SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
+ SSL_CTX *sslContext;
+ static int ssl_initialized = 0;
+ if (!ssl_initialized) {
+ ssl_initialized = 1;
+ SSL_load_error_strings();
+ SSLeay_add_ssl_algorithms();
+ }
 if (!keyfile)
 keyfile = certfile;
@@ -163,8 +166,7 @@
 }
 debug(81, 9) ("Set client certifying authority list.\n");
 SSL_CTX_set_client_CA_list(sslContext, SSL_load_client_CA_file(certfile));
-
- ssl_table = xcalloc(Squid_MaxFD, sizeof(SSL *));
+ return sslContext;
 }
 int
Index: squid/src/ssl_support.h
diff -u squid/src/ssl_support.h:1.2 squid/src/ssl_support.h:1.2.8.1
--- squid/src/ssl_support.h:1.2 Sat Apr 14 11:24:56 2001
+++ squid/src/ssl_support.h Wed Apr 18 09:57:02 2001
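Review bot: sslLoadCert in the `@@ -90` hunk accepts a NULL certfile: with `if (!keyfile) keyfile = certfile;` both paths become NULL when the https_port line omitted cert=, and the certificate and key loaders that follow (between this hunk and `@@ -163`, outside the view) are then called with NULL; add `if (!certfile) fatal("https_port: cert= is required");` before that line, or reject it in the parser, so the failure surfaces as a configuration error. The function is now the public per-listener factory called once per https_port line, but it has no header comment; document that it returns a freshly created SSL_CTX that the caller owns, that library initialization happens once under `ssl_initialized`, and how a load failure is reported, which the visible hunks do not show. The body between the two hunks is outside the view.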
@@ -43,9 +43,7 @@
 #include
 #endif
-extern SSL_CTX *sslContext;
-
-void sslInit(const char *certfile, const char *keyfile);
+SSL_CTX * sslLoadCert(const char *certfile, const char *keyfile);
 int ssl_read_method(int, char *, int);
 int ssl_write_method(int, const char *, int);
Index: squid/src/structs.h
diff -u squid/src/structs.h:1.31 squid/src/structs.h:1.30.2.3
--- squid/src/structs.h:1.31 Fri Apr 20 13:13:52 2001
+++ squid/src/structs.h Fri Apr 20 13:19:49 2001
@@ -292,6 +292,14 @@
 sockaddr_in_list *next;
 };
+#if USE_SSL
+struct _https_port_list {
+ https_port_list *next;
+ struct sockaddr_in s;
+ char *cert;
+ char *key;
+};
+#endif
 #if DELAY_POOLS
 struct _delaySpec {
@@ -382,7 +390,7 @@
 struct {
 sockaddr_in_list *http;
 #if USE_SSL
- sockaddr_in_list *https;
+ https_port_list *https;
 #endif
 } Sockaddr;
 #if SQUID_SNMP
Index: squid/src/typedefs.h
diff -u squid/src/typedefs.h:1.19 squid/src/typedefs.h:1.18.2.2
--- squid/src/typedefs.h:1.19 Fri Apr 20 13:13:52 2001
+++ squid/src/typedefs.h Fri Apr 20 13:19:49 2001
@@ -80,6 +80,7 @@
 typedef struct _ushortlist ushortlist;
 typedef struct _relist relist;
 typedef struct _sockaddr_in_list sockaddr_in_list;
+typedef struct _https_port_list https_port_list;
 typedef struct _SquidConfig SquidConfig;
 typedef struct _SquidConfig2 SquidConfig2;
 typedef struct _close_handler close_handler;
squid-ssl-20010504-HEAD-20010504.new squid-ssl-20010504-HEAD-20010504 differ: char 80, line 2
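Review bot: `struct _https_port_list` in the `@@ -292` hunk of structs.h has no field comments, although the rest of the patch fixes its ownership rules: `cert` and `key` are xstrdup'd by parse_https_port_list and released by free_https_port_list, `key` is NULL when key= was omitted (the certificate file is then expected to hold the key as well), and `s.sin_port` is stored in network byte order. Add trailing comments such as `char *cert; /* xstrdup'd path; documented as required */` and `char *key; /* xstrdup'd path, or NULL when the key lives in the cert file */` so the NULL case is visible to anyone adding a consumer of the list.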