commit a9f7bd7faf065f4d958da0527e94dd8e910c6feb
parent c93a8f3b40741cc0a0b20eaf2aa45f44dbf68596
Author: Joris Vink <joris@coders.se>
Date: Fri, 18 Feb 2022 10:20:28 +0100
rename ssl prefixed things to tls.
Diffstat:
8 files changed, 81 insertions(+), 78 deletions(-)
diff --git a/include/kore/kore.h b/include/kore/kore.h
@@ -214,10 +214,11 @@ struct connection {
u_int8_t state;
u_int8_t proto;
struct listener *owner;
- void *ssl;
- void *cert;
+ void *tls;
+ void *tls_cert;
char *tls_sni;
int tls_reneg;
+
u_int16_t flags;
void *hdlr_extra;
diff --git a/src/accesslog.c b/src/accesslog.c
@@ -111,7 +111,7 @@ kore_accesslog(struct http_request *req)
cn = "-";
cn_value = NULL;
- if (req->owner->cert != NULL) {
+ if (req->owner->tls_cert != NULL) {
if (kore_x509_subject_name(req->owner, &cn_value,
KORE_X509_COMMON_NAME_ONLY))
cn = cn_value;
diff --git a/src/connection.c b/src/connection.c
@@ -61,15 +61,17 @@ kore_connection_new(void *owner)
c = kore_pool_get(&connection_pool);
- c->ssl = NULL;
- c->cert = NULL;
c->flags = 0;
c->rnb = NULL;
c->snb = NULL;
c->owner = owner;
c->handle = NULL;
+
+ c->tls = NULL;
+ c->tls_cert = NULL;
c->tls_reneg = 0;
c->tls_sni = NULL;
+
c->disconnect = NULL;
c->hdlr_extra = NULL;
c->proto = CONN_PROTO_UNKNOWN;
diff --git a/src/http.c b/src/http.c
@@ -1982,7 +1982,7 @@ http_request_new(struct connection *c, const char *host,
return (NULL);
}
- if (dom->cafile != NULL && c->cert == NULL) {
+ if (dom->cafile != NULL && c->tls_cert == NULL) {
http_error_response(c, HTTP_STATUS_FORBIDDEN);
return (NULL);
}
@@ -2485,7 +2485,7 @@ http_response_normal(struct http_request *req, struct connection *c,
}
}
- if (c->ssl && http_hsts_enable) {
+ if (c->tls && http_hsts_enable) {
kore_buf_appendf(header_buf, "strict-transport-security: ");
kore_buf_appendf(header_buf,
"max-age=%" PRIu64 "; includeSubDomains\r\n",
diff --git a/src/python.c b/src/python.c
@@ -2916,7 +2916,7 @@ pyconnection_get_peer_x509(struct pyconnection *pyc, void *closure)
u_int8_t *der;
PyObject *bytes;
- if (pyc->c->cert == NULL) {
+ if (pyc->c->tls_cert == NULL) {
Py_RETURN_NONE;
}
@@ -2942,7 +2942,7 @@ pyconnection_get_peer_x509dict(struct pyconnection *pyc, void *closure)
issuer = NULL;
subject = NULL;
- if (pyc->c->cert == NULL) {
+ if (pyc->c->tls_cert == NULL) {
Py_RETURN_NONE;
}
@@ -2963,7 +2963,7 @@ pyconnection_get_peer_x509dict(struct pyconnection *pyc, void *closure)
PyErr_Clear();
- if ((name = kore_tls_x509_subject_name(pyc->c->cert)) == NULL) {
+ if ((name = kore_tls_x509_subject_name(pyc->c)) == NULL) {
PyErr_Format(PyExc_RuntimeError,
"failed to obtain x509 subjectName");
goto out;
@@ -2977,7 +2977,7 @@ pyconnection_get_peer_x509dict(struct pyconnection *pyc, void *closure)
goto out;
}
- if ((name = kore_tls_x509_issuer_name(pyc->c->cert)) == NULL) {
+ if ((name = kore_tls_x509_issuer_name(pyc->c)) == NULL) {
PyErr_Format(PyExc_RuntimeError,
"failed to obtain x509 issuerName");
goto out;
diff --git a/src/tls_openssl.c b/src/tls_openssl.c
@@ -209,30 +209,30 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
kore_debug("kore_domain_tlsinit(%s)", dom->domain);
- if (dom->ssl_ctx != NULL)
- SSL_CTX_free(dom->ssl_ctx);
+ if (dom->tls_ctx != NULL)
+ SSL_CTX_free(dom->tls_ctx);
if ((method = TLS_method()) == NULL)
fatalx("TLS_method(): %s", ssl_errno_s);
- if ((dom->ssl_ctx = SSL_CTX_new(method)) == NULL)
+ if ((dom->tls_ctx = SSL_CTX_new(method)) == NULL)
fatalx("SSL_ctx_new(): %s", ssl_errno_s);
- if (!SSL_CTX_set_min_proto_version(dom->ssl_ctx, TLS1_2_VERSION))
+ if (!SSL_CTX_set_min_proto_version(dom->tls_ctx, TLS1_2_VERSION))
fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s);
#if defined(TLS1_3_VERSION)
- if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, TLS1_3_VERSION))
+ if (!SSL_CTX_set_max_proto_version(dom->tls_ctx, TLS1_3_VERSION))
fatalx("SSL_CTX_set_max_proto_version: %s", ssl_errno_s);
#else
- if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, TLS1_2_VERSION))
+ if (!SSL_CTX_set_max_proto_version(dom->tls_ctx, TLS1_2_VERSION))
fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s);
#endif
switch (tls_version) {
case KORE_TLS_VERSION_1_3:
#if defined(TLS1_3_VERSION)
- if (!SSL_CTX_set_min_proto_version(dom->ssl_ctx,
+ if (!SSL_CTX_set_min_proto_version(dom->tls_ctx,
TLS1_3_VERSION)) {
fatalx("SSL_CTX_set_min_proto_version: %s",
ssl_errno_s);
@@ -240,7 +240,7 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
break;
#endif
case KORE_TLS_VERSION_1_2:
- if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx,
+ if (!SSL_CTX_set_max_proto_version(dom->tls_ctx,
TLS1_2_VERSION)) {
fatalx("SSL_CTX_set_min_proto_version: %s",
ssl_errno_s);
@@ -255,14 +255,14 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
switch (type) {
case KORE_PEM_CERT_CHAIN:
- x509 = tls_domain_load_certificate_chain(dom->ssl_ctx,
+ x509 = tls_domain_load_certificate_chain(dom->tls_ctx,
data, datalen);
break;
case KORE_DER_CERT_DATA:
ptr = data;
if ((x509 = d2i_X509(NULL, &ptr, datalen)) == NULL)
fatalx("d2i_X509: %s", ssl_errno_s);
- if (SSL_CTX_use_certificate(dom->ssl_ctx, x509) == 0)
+ if (SSL_CTX_use_certificate(dom->tls_ctx, x509) == 0)
fatalx("SSL_CTX_use_certificate: %s", ssl_errno_s);
break;
default:
@@ -272,8 +272,8 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
if (x509 == NULL) {
kore_log(LOG_NOTICE, "failed to load certificate for '%s': %s",
dom->domain, ssl_errno_s);
- SSL_CTX_free(dom->ssl_ctx);
- dom->ssl_ctx = NULL;
+ SSL_CTX_free(dom->tls_ctx);
+ dom->tls_ctx = NULL;
return;
}
@@ -297,10 +297,10 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
fatalx("unknown public key in certificate");
}
- if (!SSL_CTX_use_PrivateKey(dom->ssl_ctx, pkey))
+ if (!SSL_CTX_use_PrivateKey(dom->tls_ctx, pkey))
fatalx("SSL_CTX_use_PrivateKey(): %s", ssl_errno_s);
- if (!SSL_CTX_check_private_key(dom->ssl_ctx)) {
+ if (!SSL_CTX_check_private_key(dom->tls_ctx)) {
fatalx("Public/Private key for %s do not match (%s)",
dom->domain, ssl_errno_s);
}
@@ -308,14 +308,14 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
if (dh_params == NULL)
fatal("no DH parameters specified");
- SSL_CTX_set_tmp_dh(dom->ssl_ctx, dh_params);
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
+ SSL_CTX_set_tmp_dh(dom->tls_ctx, dh_params);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_SINGLE_DH_USE);
- if (!SSL_CTX_set_ecdh_auto(dom->ssl_ctx, 1))
+ if (!SSL_CTX_set_ecdh_auto(dom->tls_ctx, 1))
fatalx("SSL_CTX_set_ecdh_auto: %s", ssl_errno_s);
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_COMPRESSION);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_COMPRESSION);
if (dom->cafile != NULL) {
if ((certs = SSL_load_client_CA_file(dom->cafile)) == NULL) {
@@ -323,32 +323,32 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
dom->cafile, ssl_errno_s);
}
- SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL);
- SSL_CTX_set_verify_depth(dom->ssl_ctx, dom->x509_verify_depth);
- SSL_CTX_set_client_CA_list(dom->ssl_ctx, certs);
- SSL_CTX_set_verify(dom->ssl_ctx, SSL_VERIFY_PEER |
+ SSL_CTX_load_verify_locations(dom->tls_ctx, dom->cafile, NULL);
+ SSL_CTX_set_verify_depth(dom->tls_ctx, dom->x509_verify_depth);
+ SSL_CTX_set_client_CA_list(dom->tls_ctx, certs);
+ SSL_CTX_set_verify(dom->tls_ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tls_domain_x509_verify);
}
- SSL_CTX_set_session_id_context(dom->ssl_ctx,
+ SSL_CTX_set_session_id_context(dom->tls_ctx,
(unsigned char *)TLS_SESSION_ID, strlen(TLS_SESSION_ID));
- SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(dom->tls_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
if (tls_version == KORE_TLS_VERSION_BOTH) {
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2);
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv3);
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_TLSv1);
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_TLSv1_1);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_TLSv1_1);
}
- SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- SSL_CTX_set_cipher_list(dom->ssl_ctx, tls_cipher_list);
+ SSL_CTX_set_options(dom->tls_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ SSL_CTX_set_cipher_list(dom->tls_ctx, tls_cipher_list);
- SSL_CTX_set_info_callback(dom->ssl_ctx, tls_info_callback);
- SSL_CTX_set_tlsext_servername_callback(dom->ssl_ctx, tls_sni_cb);
+ SSL_CTX_set_info_callback(dom->tls_ctx, tls_info_callback);
+ SSL_CTX_set_tlsext_servername_callback(dom->tls_ctx, tls_sni_cb);
#if defined(KORE_USE_ACME)
- SSL_CTX_set_alpn_select_cb(dom->ssl_ctx, tls_acme_alpn, dom);
+ SSL_CTX_set_alpn_select_cb(dom->tls_ctx, tls_acme_alpn, dom);
#endif
X509_free(x509);
@@ -365,7 +365,7 @@ kore_tls_domain_crl(struct kore_domain *dom, const void *pem, size_t pemlen)
ERR_clear_error();
in = BIO_new_mem_buf(pem, pemlen);
- if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL) {
+ if ((store = SSL_CTX_get_cert_store(dom->tls_ctx)) == NULL) {
BIO_free(in);
kore_log(LOG_ERR, "SSL_CTX_get_cert_store(): %s", ssl_errno_s);
return;
@@ -408,8 +408,8 @@ kore_tls_domain_crl(struct kore_domain *dom, const void *pem, size_t pemlen)
void
kore_tls_domain_cleanup(struct kore_domain *dom)
{
- if (dom->ssl_ctx != NULL)
- SSL_CTX_free(dom->ssl_ctx);
+ if (dom->tls_ctx != NULL)
+ SSL_CTX_free(dom->tls_ctx);
}
int
@@ -423,22 +423,22 @@ kore_tls_connection_accept(struct connection *c)
return (KORE_RESULT_ERROR);
}
- if (primary_dom->ssl_ctx == NULL) {
+ if (primary_dom->tls_ctx == NULL) {
kore_log(LOG_NOTICE,
"TLS configuration for %s not yet complete",
primary_dom->domain);
return (KORE_RESULT_ERROR);
}
- if (c->ssl == NULL) {
- c->ssl = SSL_new(primary_dom->ssl_ctx);
- if (c->ssl == NULL)
+ if (c->tls == NULL) {
+ c->tls = SSL_new(primary_dom->tls_ctx);
+ if (c->tls == NULL)
return (KORE_RESULT_ERROR);
- SSL_set_fd(c->ssl, c->fd);
- SSL_set_accept_state(c->ssl);
+ SSL_set_fd(c->tls, c->fd);
+ SSL_set_accept_state(c->tls);
- if (!SSL_set_ex_data(c->ssl, 0, c))
+ if (!SSL_set_ex_data(c->tls, 0, c))
return (KORE_RESULT_ERROR);
if (primary_dom->cafile != NULL)
@@ -446,9 +446,9 @@ kore_tls_connection_accept(struct connection *c)
}
ERR_clear_error();
- r = SSL_accept(c->ssl);
+ r = SSL_accept(c->tls);
if (r <= 0) {
- r = SSL_get_error(c->ssl, r);
+ r = SSL_get_error(c->tls, r);
switch (r) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
@@ -471,14 +471,14 @@ kore_tls_connection_accept(struct connection *c)
}
#endif
- if (SSL_get_verify_mode(c->ssl) & SSL_VERIFY_PEER) {
- c->cert = SSL_get_peer_certificate(c->ssl);
- if (c->cert == NULL) {
+ if (SSL_get_verify_mode(c->tls) & SSL_VERIFY_PEER) {
+ c->tls_cert = SSL_get_peer_certificate(c->tls);
+ if (c->tls_cert == NULL) {
kore_log(LOG_NOTICE, "no peer certificate");
return (KORE_RESULT_ERROR);
}
} else {
- c->cert = NULL;
+ c->tls_cert = NULL;
}
return (KORE_RESULT_OK);
@@ -490,14 +490,14 @@ kore_tls_read(struct connection *c, size_t *bytes)
int r;
ERR_clear_error();
- r = SSL_read(c->ssl, (c->rnb->buf + c->rnb->s_off),
+ r = SSL_read(c->tls, (c->rnb->buf + c->rnb->s_off),
(c->rnb->b_len - c->rnb->s_off));
if (c->tls_reneg > 1)
return (KORE_RESULT_ERROR);
if (r <= 0) {
- r = SSL_get_error(c->ssl, r);
+ r = SSL_get_error(c->tls, r);
switch (r) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
@@ -542,12 +542,12 @@ kore_tls_write(struct connection *c, size_t len, size_t *written)
return (KORE_RESULT_ERROR);
ERR_clear_error();
- r = SSL_write(c->ssl, (c->snb->buf + c->snb->s_off), len);
+ r = SSL_write(c->tls, (c->snb->buf + c->snb->s_off), len);
if (c->tls_reneg > 1)
return (KORE_RESULT_ERROR);
if (r <= 0) {
- r = SSL_get_error(c->ssl, r);
+ r = SSL_get_error(c->tls, r);
switch (r) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
@@ -585,13 +585,13 @@ kore_tls_write(struct connection *c, size_t len, size_t *written)
void
kore_tls_connection_cleanup(struct connection *c)
{
- if (c->ssl != NULL) {
- SSL_shutdown(c->ssl);
- SSL_free(c->ssl);
+ if (c->tls != NULL) {
+ SSL_shutdown(c->tls);
+ SSL_free(c->tls);
}
- if (c->cert != NULL)
- X509_free(c->cert);
+ if (c->tls_cert != NULL)
+ X509_free(c->tls_cert);
if (c->tls_sni != NULL)
kore_free(c->tls_sni);
@@ -656,7 +656,7 @@ kore_tls_x509_subject_name(struct connection *c)
{
X509_NAME *name;
- if ((name = X509_get_subject_name(c->cert)) == NULL)
+ if ((name = X509_get_subject_name(c->tls_cert)) == NULL)
kore_log(LOG_NOTICE, "X509_get_subject_name: %s", ssl_errno_s);
return (name);
@@ -667,7 +667,7 @@ kore_tls_x509_issuer_name(struct connection *c)
{
X509_NAME *name;
- if ((name = X509_get_issuer_name(c->cert)) == NULL)
+ if ((name = X509_get_issuer_name(c->tls_cert)) == NULL)
kore_log(LOG_NOTICE, "X509_get_issuer_name: %s", ssl_errno_s);
return (name);
@@ -740,7 +740,7 @@ kore_tls_x509_data(struct connection *c, u_int8_t **ptr, size_t *olen)
int len;
u_int8_t *der, *pp;
- if ((len = i2d_X509(c->cert, NULL)) <= 0) {
+ if ((len = i2d_X509(c->tls_cert, NULL)) <= 0) {
kore_log(LOG_NOTICE, "i2d_X509: %s", ssl_errno_s);
return (KORE_RESULT_ERROR);
}
@@ -748,7 +748,7 @@ kore_tls_x509_data(struct connection *c, u_int8_t **ptr, size_t *olen)
der = kore_calloc(1, len);
pp = der;
- if (i2d_X509(c->cert, &pp) <= 0) {
+ if (i2d_X509(c->tls_cert, &pp) <= 0) {
kore_free(der);
kore_log(LOG_NOTICE, "i2d_X509: %s", ssl_errno_s);
return (KORE_RESULT_ERROR);
@@ -801,7 +801,7 @@ tls_sni_cb(SSL *ssl, int *ad, void *arg)
if (sname != NULL &&
(dom = kore_domain_lookup(c->owner->server, sname)) != NULL) {
- if (dom->ssl_ctx == NULL) {
+ if (dom->tls_ctx == NULL) {
kore_log(LOG_NOTICE,
"TLS configuration for %s not complete",
dom->domain);
@@ -809,7 +809,7 @@ tls_sni_cb(SSL *ssl, int *ad, void *arg)
}
kore_debug("kore_ssl_sni_cb(): Using %s CTX", sname);
- SSL_set_SSL_CTX(ssl, dom->ssl_ctx);
+ SSL_set_SSL_CTX(ssl, dom->tls_ctx);
if (dom->cafile != NULL) {
SSL_set_verify(ssl, SSL_VERIFY_PEER |
diff --git a/src/utils.c b/src/utils.c
@@ -497,7 +497,7 @@ kore_x509_issuer_name(struct connection *c, char **out, int flags)
struct kore_buf buf;
void *name;
- if ((name = kore_tls_x509_issuer_name(c->cert)) == NULL)
+ if ((name = kore_tls_x509_issuer_name(c)) == NULL)
return (KORE_RESULT_ERROR);
kore_buf_init(&buf, 1024);
diff --git a/src/worker.c b/src/worker.c
@@ -1059,7 +1059,7 @@ worker_keymgr_response(struct kore_msg *msg, const void *data)
break;
#if defined(KORE_USE_ACME)
case KORE_ACME_CHALLENGE_SET_CERT:
- if (dom->ssl_ctx == NULL) {
+ if (dom->tls_ctx == NULL) {
kore_tls_domain_setup(dom, KORE_DER_CERT_DATA,
req->data, req->data_len);
}
