diff --git a/include/maxscale/listener.hh b/include/maxscale/listener.hh index 044ea17e5..e0daac598 100644 --- a/include/maxscale/listener.hh +++ b/include/maxscale/listener.hh @@ -143,11 +143,6 @@ public: */ const char* state() const; - /** - * The mxs::SSLContext object - */ - mxs::SSLContext* ssl_context() const; - /** * Convert to JSON * @@ -191,6 +186,16 @@ public: struct users* users() const; void set_users(struct users* u); + const mxs::SSLProvider& ssl() const + { + return m_ssl_provider; + } + + mxs::SSLProvider& ssl() + { + return m_ssl_provider; + } + private: enum State { @@ -210,14 +215,13 @@ private: std::string m_auth_options; /**< Authenticator options */ void* m_auth_instance; /**< Authenticator instance */ - std::unique_ptr m_ssl_context; /**< SSL context */ - struct users* m_users; /**< The user data for this listener */ SERVICE* m_service; /**< The service which used by this listener */ std::atomic m_active; /**< True if the port has not been deleted */ MXS_PROTOCOL m_proto_func; /**< Preloaded protocol functions */ MXS_AUTHENTICATOR m_auth_func; /**< Preloaded authenticator functions */ MXS_CONFIG_PARAMETER m_params; /**< Configuration parameters */ + mxs::SSLProvider m_ssl_provider; Type m_type; /**< The type of the listener */ diff --git a/include/maxscale/server.hh b/include/maxscale/server.hh index 61208c252..b2d8c7340 100644 --- a/include/maxscale/server.hh +++ b/include/maxscale/server.hh 
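Review bot: `mxs::SSLProvider m_ssl_provider;` is the only member in this block without the trailing `/**< ... */` comment every neighbouring field carries; `mxs::SSLProvider m_ssl_provider; /**< SSL context and configuration of this listener */` keeps the header consistent, and the same applies to the new member in server.hh. The new non-const `ssl()` overload also hands out a mutable `SSLProvider&`, which exposes `set_context` on a listener for the first time: the removed `ssl_context()` was read-only, and no call site in this diff uses the non-const overload on a Listener. If listener TLS is meant to be fixed at construction, consider keeping only the const overload, or document why runtime replacement is allowed.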
@@ -517,26 +517,20 @@ public:
 */
 void response_time_add(double ave, int num_samples);
- const mxs::SSLConfig& ssl_config() const
+ const mxs::SSLProvider& ssl() const
 {
- return m_ssl_config;
+ return m_ssl_provider;
 }
- mxs::SSLContext* ssl_context() const
+ mxs::SSLProvider& ssl()
 {
- return m_ssl_context.get();
- }
-
- void set_ssl_context(std::unique_ptr ssl)
- {
- m_ssl_context.swap(ssl);
- m_ssl_config = m_ssl_context->config();
+ return m_ssl_provider;
 }
 protected:
 SERVER(std::unique_ptr ssl_context)
 : m_response_time{0.04, 0.35, 500}
- , m_ssl_context{std::move(ssl_context)}
+ , m_ssl_provider{std::move(ssl_context)}
 {
 }
@@ -544,7 +538,5 @@ private:
 static const int DEFAULT_CHARSET = 0x08; /**< The latin1 charset */
 maxbase::EMAverage m_response_time; /**< Response time calculations for this server */
 std::mutex m_average_write_mutex; /**< Protects response time from concurrent writing */
-
- std::unique_ptr m_ssl_context; /**< SSL context */
- mxs::SSLConfig m_ssl_config; /**< SSL configuration */
+ mxs::SSLProvider m_ssl_provider;
 };
diff --git a/server/core/config_runtime.cc b/server/core/config_runtime.cc
index 80b733428..84295867c 100644
--- a/server/core/config_runtime.cc
+++ b/server/core/config_runtime.cc
@@ -434,7 +434,7 @@ bool runtime_enable_server_ssl(Server* server,
 {
 bool rval = false;
- if (server->ssl_context())
+ if (server->ssl().context())
 {
 config_runtime_error("Server '%s' already configured to use SSL.", server->name());
 }
@@ -446,7 +446,7 @@ bool runtime_enable_server_ssl(Server* server,
 if (ssl)
 {
- server->set_ssl_context(std::move(ssl));
+ server->ssl().set_context(std::move(ssl));
 if (server->serialize())
 {
@@ -1903,7 +1903,7 @@ static bool validate_ssl_json(json_t* params, object_type type)
 static bool process_ssl_parameters(Server* server, json_t* params)
 {
- mxb_assert(server->ssl_context() == NULL);
+ mxb_assert(server->ssl().context() == NULL);
 bool rval = true;
 if (have_ssl_json(params))
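Review bot: The removed `set_ssl_context` kept `m_ssl_config` in step with the context by copying `m_ssl_context->config()` on every replacement; after this change both `ssl().context()` and `ssl().config()` (read in mysql_utils.cc and blr_slave.cc) come from `SSLProvider`, whose definition is not in this diff, so that invariant now has to hold inside `SSLProvider::set_context`. The non-const `ssl()` also lets any holder of a `SERVER&` replace the backend TLS context at runtime (config_runtime.cc and blr_slave.cc do) while worker threads read `ssl().context()` in `dcb_connect_SSL`; the old `unique_ptr::swap` path was not synchronized either, and whether the provider is cannot be seen here, so the accessors deserve a comment stating the thread-safety contract and which thread may call `set_context`. `mxs::SSLProvider m_ssl_provider;` also lost the trailing `/**< ... */` comment the two members it replaces had.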
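Review bot: `runtime_enable_server_ssl` still refuses to replace an existing context (`if (server->ssl().context())` followed by `config_runtime_error`), but that policy lives only at this call site; now that the setter is reachable as `server->ssl().set_context(...)`, `blr_set_master_ssl` in blr_slave.cc replaces the context with no such check. If "already configured" is a real invariant it belongs in `SSLProvider::set_context` (not part of this diff) rather than in each caller; otherwise a comment here saying the check is a REST-API policy, not a provider guarantee, would prevent the next caller from assuming it. The check and the later `set_context` are also separate steps with no lock visible between them, which is pre-existing but worth noting now that the setter is easier to reach. The body of `runtime_enable_server_ssl` continues outside both hunks.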
diff --git a/server/core/dcb.cc b/server/core/dcb.cc
index 4c396b93c..92ac5ce1a 100644
--- a/server/core/dcb.cc
+++ b/server/core/dcb.cc
@@ -2150,8 +2150,8 @@ static int dcb_create_SSL(DCB* dcb, mxs::SSLContext* ssl)
 */
 int dcb_accept_SSL(DCB* dcb)
 {
- if (!dcb->session->listener->ssl_context()
- || (!dcb->ssl && dcb_create_SSL(dcb, dcb->session->listener->ssl_context()) != 0))
+ if (!dcb->session->listener->ssl().context()
+ || (!dcb->ssl && dcb_create_SSL(dcb, dcb->session->listener->ssl().context()) != 0))
 {
 return -1;
 }
@@ -2227,10 +2227,10 @@ int dcb_connect_SSL(DCB* dcb)
 int ssl_rval;
 int return_code;
- if ((NULL == dcb->server || NULL == dcb->server->ssl_context())
- || (NULL == dcb->ssl && dcb_create_SSL(dcb, dcb->server->ssl_context()) != 0))
+ if ((NULL == dcb->server || NULL == dcb->server->ssl().context())
+ || (NULL == dcb->ssl && dcb_create_SSL(dcb, dcb->server->ssl().context()) != 0))
 {
- mxb_assert((NULL != dcb->server) && (NULL != dcb->server->ssl_context()));
+ mxb_assert((NULL != dcb->server) && (NULL != dcb->server->ssl().context()));
 return -1;
 }
 dcb->ssl_state = SSL_HANDSHAKE_REQUIRED;
diff --git a/server/core/listener.cc b/server/core/listener.cc
index a32935dcb..44440a3f3 100644
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@@ -116,12 +116,12 @@ Listener::Listener(SERVICE* service,
 , m_authenticator(authenticator)
 , m_auth_options(auth_opts)
 , m_auth_instance(auth_instance)
- , m_ssl_context(std::move(ssl))
 , m_users(nullptr)
 , m_service(service)
 , m_proto_func(*(MXS_PROTOCOL*)load_module(protocol.c_str(), MODULE_PROTOCOL))
 , m_auth_func(*(MXS_AUTHENTICATOR*)load_module(authenticator.c_str(), MODULE_AUTHENTICATOR))
 , m_params(params)
+ , m_ssl_provider(std::move(ssl))
 {
 if (strcasecmp(service->router_name(), "cli") == 0 || strcasecmp(service->router_name(), "maxinfo") == 0)
 {
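Review bot: In `dcb_connect_SSL` the new condition reads `dcb->server->ssl().context()` twice (and a third time in the `mxb_assert`), and `dcb_accept_SSL` reads the listener's context twice; since a server's context can now be replaced at runtime through `ssl().set_context()` (config_runtime.cc, blr_slave.cc), the null check and the pointer handed to `dcb_create_SSL` may observe different objects. Reading it once, `mxs::SSLContext* ctx = dcb->server ? dcb->server->ssl().context() : nullptr;`, then testing and passing `ctx`, makes each function act on a single snapshot. The same check-then-reread shape appears in server.cc `print_to_dcb`, listener.cc `create_listener_config` and mysql_common.cc `gw_send_backend_auth`, where the `if (auto ssl = ...ssl().context())` form blr.cc already uses would do. Whether the provider keeps the previous context alive for sessions created from it is not visible in this diff. Both functions' bodies continue outside their hunks.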
@@ -476,9 +476,9 @@ bool Listener::create_listener_config(const char* filename)
 dprintf(file, "authenticator_options=%s\n", m_auth_options.c_str());
 }
- if (m_ssl_context)
+ if (ssl().context())
 {
- dprintf(file, "%s", m_ssl_context->serialize().c_str());
+ dprintf(file, "%s", ssl().context()->serialize().c_str());
 }
 ::close(file);
@@ -606,11 +606,6 @@ void* Listener::auth_instance() const
 return m_auth_instance;
 }
-mxs::SSLContext* Listener::ssl_context() const
-{
- return m_ssl_context.get();
-}
-
 const char* Listener::state() const
 {
 switch (m_state)
diff --git a/server/core/mysql_utils.cc b/server/core/mysql_utils.cc
index 6b8faf791..e19e4b90c 100644
--- a/server/core/mysql_utils.cc
+++ b/server/core/mysql_utils.cc
@@ -155,7 +155,7 @@ char* mxs_lestr_consume(uint8_t** c, size_t* size)
 MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd)
 {
- auto ssl = server->ssl_config();
+ auto ssl = server->ssl().config();
 if (!ssl.empty())
 {
diff --git a/server/core/server.cc b/server/core/server.cc
index 7bd375af5..b0e2d0a80 100644
--- a/server/core/server.cc
+++ b/server/core/server.cc
@@ -524,9 +524,9 @@ void Server::print_to_dcb(DCB* dcb) const
 + server->stats.n_from_pool + 1);
 dcb_printf(dcb, "\tPool availability: %0.2lf%%\n", d * 100.0);
 }
- if (server->ssl_context())
+ if (server->ssl().context())
 {
- dcb_printf(dcb, "%s", server->ssl_context()->to_string().c_str());
+ dcb_printf(dcb, "%s", server->ssl().context()->to_string().c_str());
 }
 if (server->proxy_protocol)
 {
diff --git a/server/modules/authenticator/GSSAPI/GSSAPIBackendAuth/gssapi_backend_auth.cc b/server/modules/authenticator/GSSAPI/GSSAPIBackendAuth/gssapi_backend_auth.cc
index 0026ae58e..1cf68891a 100644
--- a/server/modules/authenticator/GSSAPI/GSSAPIBackendAuth/gssapi_backend_auth.cc
+++ b/server/modules/authenticator/GSSAPI/GSSAPIBackendAuth/gssapi_backend_auth.cc
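Review bot: `auto ssl = server->ssl().config();` in `mxs_mysql_real_connect` takes a copy if `config()` returns a reference, exactly as the removed `ssl_config()` call did, and it reads like an accidental copy. Given that the server's context can be replaced at runtime through `ssl().set_context()` (and presumably the config with it), a snapshot is the right choice for settings used across the whole connect, so say so: `// Copy on purpose: the server's SSL settings may be replaced at runtime`. If `config()` returns by value the comment is still accurate. The rest of `mxs_mysql_real_connect` is outside the hunk.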
@@ -191,7 +191,7 @@ static bool gssapi_backend_auth_extract(DCB* dcb, GWBUF* buffer)
 */
 static bool gssapi_backend_auth_connectssl(DCB* dcb)
 {
- return dcb->server->ssl_context() != NULL;
+ return dcb->server->ssl().context() != NULL;
 }
 /**
diff --git a/server/modules/authenticator/MariaDBBackendAuth/mysql_backend_auth.cc b/server/modules/authenticator/MariaDBBackendAuth/mysql_backend_auth.cc
index 8fa6ea897..6722f9ccc 100644
--- a/server/modules/authenticator/MariaDBBackendAuth/mysql_backend_auth.cc
+++ b/server/modules/authenticator/MariaDBBackendAuth/mysql_backend_auth.cc
@@ -140,7 +140,7 @@ static int auth_backend_authenticate(DCB* dcb)
 */
 static bool auth_backend_ssl(DCB* dcb)
 {
- return dcb->server->ssl_context() != NULL;
+ return dcb->server->ssl().context() != NULL;
 }
 extern "C"
diff --git a/server/modules/authenticator/PAM/PAMBackendAuth/pam_backend_auth.cc b/server/modules/authenticator/PAM/PAMBackendAuth/pam_backend_auth.cc
index 68c7819de..c02ebbe22 100644
--- a/server/modules/authenticator/PAM/PAMBackendAuth/pam_backend_auth.cc
+++ b/server/modules/authenticator/PAM/PAMBackendAuth/pam_backend_auth.cc
@@ -52,7 +52,7 @@ static bool pam_backend_auth_extract(DCB* dcb, GWBUF* buffer)
 */
 static bool pam_backend_auth_connectssl(DCB* dcb)
 {
- return dcb->server->ssl_context();
+ return dcb->server->ssl().context();
 }
 /**
diff --git a/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc b/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
index ffa699ba4..952d38285 100644
--- a/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
+++ b/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
@@ -242,7 +242,7 @@ std::string get_version_string(SERVICE* service)
 bool ssl_required_by_dcb(DCB* dcb)
 {
 mxb_assert(dcb->session->listener);
- return dcb->session->listener->ssl_context();
+ return dcb->session->listener->ssl().context();
 }
 /**
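Review bot: The four wrappers rewritten here are inconsistent about how the context pointer becomes a `bool`: `gssapi_backend_auth_connectssl` and `auth_backend_ssl` write `ssl().context() != NULL`, while `pam_backend_auth_connectssl` and `ssl_required_by_dcb` rely on the implicit pointer-to-bool conversion in `return dcb->server->ssl().context();` (mysql_common.cc's `bool with_ssl = dcb->server->ssl().context();` does the same). Since every one of these lines is being touched anyway, `return dcb->server->ssl().context() != nullptr;` in all of them reads identically and retires `NULL` from the new code.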
@@ -716,7 +716,7 @@ static void check_packet(DCB* dcb, GWBUF* buf, int bytes)
 if (bytes == MYSQL_AUTH_PACKET_BASE_SIZE)
 {
 /** This is an SSL request packet */
- mxb_assert(dcb->session->listener->ssl_context());
+ mxb_assert(dcb->session->listener->ssl().context());
 mxb_assert(buflen == bytes && pktlen >= buflen);
 }
 else
@@ -743,7 +743,7 @@ bool ssl_is_connection_healthy(DCB* dcb)
 * then everything is as we wish. Otherwise, either there is a problem or
 * more to be done.
 */
- return !dcb->session->listener->ssl_context() || dcb->ssl_state == SSL_ESTABLISHED;
+ return !dcb->session->listener->ssl().context() || dcb->ssl_state == SSL_ESTABLISHED;
 }
 /* Looks to be redundant - can remove include for ioctl too */
@@ -786,7 +786,7 @@ int ssl_authenticate_client(DCB* dcb, bool is_capable)
 const char* remote = dcb->remote ? dcb->remote : "";
 const char* service = (dcb->service && dcb->service->name()) ? dcb->service->name() : "";
- if (!dcb->session->listener->ssl_context())
+ if (!dcb->session->listener->ssl().context())
 {
 /* Not an SSL connection on account of listener configuration */
 return SSL_AUTH_CHECKS_OK;
diff --git a/server/modules/protocol/MySQL/mysql_common.cc b/server/modules/protocol/MySQL/mysql_common.cc
index 5e3cb40c4..ae30e575e 100644
--- a/server/modules/protocol/MySQL/mysql_common.cc
+++ b/server/modules/protocol/MySQL/mysql_common.cc
@@ -953,12 +953,12 @@ mxs_auth_state_t gw_send_backend_auth(DCB* dcb)
 if (dcb->session == NULL || (dcb->session->state != SESSION_STATE_CREATED && dcb->session->state != SESSION_STATE_STARTED)
- || (dcb->server->ssl_context() && dcb->ssl_state == SSL_HANDSHAKE_FAILED))
+ || (dcb->server->ssl().context() && dcb->ssl_state == SSL_HANDSHAKE_FAILED))
 {
 return rval;
 }
- bool with_ssl = dcb->server->ssl_context();
+ bool with_ssl = dcb->server->ssl().context();
 bool ssl_established = dcb->ssl_state == SSL_ESTABLISHED;
 MYSQL_session client;
diff --git a/server/modules/routing/binlogrouter/blr.cc b/server/modules/routing/binlogrouter/blr.cc
index 21e7b4a29..d8a81efd6 100644
--- a/server/modules/routing/binlogrouter/blr.cc
+++ b/server/modules/routing/binlogrouter/blr.cc
@@ -1477,7 +1477,7 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb)
 }
 /* SSL options */
- if (auto ssl = router_inst->service->dbref->server->ssl_context())
+ if (auto ssl = router_inst->service->dbref->server->ssl().context())
 {
 dcb_printf(dcb, "%s", ssl->to_string().c_str());
 }
@@ -1954,7 +1954,7 @@ static json_t* diagnostics_json(const MXS_ROUTER* router)
 min5 /= 5.0;
 /* SSL options */
- if (auto ssl = router_inst->service->dbref->server->ssl_context())
+ if (auto ssl = router_inst->service->dbref->server->ssl().context())
 {
 json_object_set_new(rval, "master_ssl", ssl->to_json());
 }
diff --git a/server/modules/routing/binlogrouter/blr_slave.cc b/server/modules/routing/binlogrouter/blr_slave.cc
index a8088eb2a..8c991da29 100644
--- a/server/modules/routing/binlogrouter/blr_slave.cc
+++ b/server/modules/routing/binlogrouter/blr_slave.cc
@@ -4850,7 +4850,7 @@ static void blr_master_get_config(ROUTER_INSTANCE* router, MasterServerConfig* c
 curr_master->password = router->password;
 curr_master->filestem = router->fileroot;
 /* SSL options */
- auto server_ssl = router->service->dbref->server->ssl_config();
+ auto server_ssl = router->service->dbref->server->ssl().config();
 if (!server_ssl.empty())
 {
@@ -6354,7 +6354,7 @@ static int blr_set_master_ssl(ROUTER_INSTANCE* router,
 if (ssl)
 {
 updated = 1;
- router->service->dbref->server->set_ssl_context(std::move(ssl));
+ router->service->dbref->server->ssl().set_context(std::move(ssl));
 /* Update options in router fields */
 if (!config.ssl_key.empty())