Move ssl proto to its own file, but still needs more refactoring to decouple ssl from other protocols, especially tcp

Rename and clean up

protoautossl.c

@@ -28,6 +28,7 @@
 
 #include "protoautossl.h"
 #include "prototcp.h"
+#include "protossl.h"
 
 #include "pxysslshut.h"
 
@@ -73,7 +74,7 @@ protoautossl_peek_and_upgrade(pxy_conn_ctx_t *ctx)
 				log_dbg_printf("Peek found ClientHello\n");
 			}
 
-			ctx->srv_dst.ssl = pxy_dstssl_create(ctx);
+			ctx->srv_dst.ssl = protossl_dstssl_create(ctx);
 			if (!ctx->srv_dst.ssl) {
 				log_err_level_printf(LOG_CRIT, "Error creating SSL for upgrade\n");
 				// @todo Should we close the connection?
@@ -143,7 +144,7 @@ protoautossl_enable_src(pxy_conn_ctx_t *ctx)
 			log_dbg_printf("Completing autossl upgrade\n");
 		}
 		int rv;
-		if ((rv = pxy_setup_src_ssl(ctx)) != 0) {
+		if ((rv = protossl_setup_src(ctx)) != 0) {
 			return rv;
 		}
 		if (pxy_setup_new_src(ctx) == -1) {
@@ -392,7 +393,7 @@ protoautossl_bev_readcb_complete_child(pxy_conn_child_ctx_t *ctx)
 		log_dbg_printf("Completing autossl upgrade on child conn\n");
 	}
 
-	ctx->dst.ssl = pxy_dstssl_create(ctx->conn);
+	ctx->dst.ssl = protossl_dstssl_create(ctx->conn);
 	if (!ctx->dst.ssl) {
 		log_err_level_printf(LOG_CRIT, "protoautossl_bev_readcb_complete_child: Error creating SSL for upgrade\n");
 		ctx->conn->enomem = 1;
@@ -599,7 +600,7 @@ protoautossl_conn_connect(pxy_conn_ctx_t *ctx)
 	bufferevent_enable(ctx->dst.bev, EV_READ|EV_WRITE);
 
 	/* create server-side socket and eventbuffer */
-	if (pxy_setup_srv_dst_ssl(ctx) == -1) {
+	if (protossl_setup_srv_dst(ctx) == -1) {
 		return;
 	}
 	if (pxy_setup_srv_dst(ctx) == -1) {
@@ -630,7 +631,7 @@ protoautossl_connect_child(pxy_conn_child_ctx_t *ctx)
 	/* create server-side socket and eventbuffer */
 	// Children rely on the findings of parent
 	if (autossl_ctx->clienthello_found) {
-		ctx->dst.ssl = pxy_dstssl_create(ctx->conn);
+		ctx->dst.ssl = protossl_dstssl_create(ctx->conn);
 		if (!ctx->dst.ssl) {
 			log_err_level_printf(LOG_CRIT, "Error creating SSL\n");
 			// pxy_conn_free()>pxy_conn_free_child() will close the fd, since we have a non-NULL src.bev now

protohttp.c

@@ -27,6 +27,7 @@
  */
 
 #include "protohttp.h"
+#include "protossl.h"
 
 #include "util.h"
 #include "base64.h"
@@ -899,7 +900,7 @@ protohttps_setup(pxy_conn_ctx_t *ctx)
 
 	ctx->protoctx->fd_readcb = protossl_fd_readcb;
 	ctx->protoctx->bev_readcb = protohttp_bev_readcb;
-	ctx->protoctx->bufferevent_free_and_close_fd = bufferevent_free_and_close_fd_ssl;
+	ctx->protoctx->bufferevent_free_and_close_fd = protossl_bufferevent_free_and_close_fd;
 	ctx->protoctx->proto_free = protohttps_free;
 
 	ctx->protoctx->arg = malloc(sizeof(protohttp_ctx_t));
@@ -945,7 +946,7 @@ protohttps_setup_child(pxy_conn_child_ctx_t *ctx)
 
 	ctx->protoctx->connectcb = protossl_connect_child;
 	ctx->protoctx->bev_readcb = protohttp_bev_readcb_child;
-	ctx->protoctx->bufferevent_free_and_close_fd = bufferevent_free_and_close_fd_ssl;
+	ctx->protoctx->bufferevent_free_and_close_fd = protossl_bufferevent_free_and_close_fd;
 	ctx->protoctx->proto_free = protohttp_free_child;
 
 	ctx->protoctx->arg = malloc(sizeof(protohttp_ctx_t));

protopassthrough.c

@@ -28,6 +28,8 @@
 
 #include "protopassthrough.h"
 #include "prototcp.h"
+// XXX
+#include "protossl.h"
 
 #include <sys/param.h>
 
@@ -80,7 +82,7 @@ protopassthrough_bev_writecb_src(struct bufferevent *bev, void *arg)
 #endif /* DEBUG_PROXY */
 
 	if (ctx->srv_dst.closed) {
-		if (pxy_close_conn_end_ifnodata(&ctx->src, ctx, &bufferevent_free_and_close_fd_nonssl)) {
+		if (pxy_close_conn_end_ifnodata(&ctx->src, ctx, &prototcp_bufferevent_free_and_close_fd)) {
 #ifdef DEBUG_PROXY
 			log_dbg_level_printf(LOG_DBG_MODE_FINEST, "protopassthrough_bev_writecb_src: other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
@@ -102,7 +104,7 @@ protopassthrough_bev_writecb_srv_dst(struct bufferevent *bev, void *arg)
 	pxy_connect_srv_dst(bev, ctx);
 
 	if (ctx->src.closed) {
-		if (pxy_close_conn_end_ifnodata(&ctx->srv_dst, ctx, &bufferevent_free_and_close_fd_nonssl) == 1) {
+		if (pxy_close_conn_end_ifnodata(&ctx->srv_dst, ctx, &prototcp_bufferevent_free_and_close_fd) == 1) {
 #ifdef DEBUG_PROXY
 			log_dbg_level_printf(LOG_DBG_MODE_FINEST, "protopassthrough_bev_writecb_srv_dst: other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
@@ -221,7 +223,7 @@ protopassthrough_engage(pxy_conn_ctx_t *ctx)
 	// We get srv_dst writecb while ssl shutdown is still in progress, and srv_dst readcb never fires
 	//bufferevent_free_and_close_fd(ctx->srv_dst.bev, ctx);
 	SSL_free(ctx->srv_dst.ssl);
-	bufferevent_free_and_close_fd_nonssl(ctx->srv_dst.bev, ctx);
+	prototcp_bufferevent_free_and_close_fd(ctx->srv_dst.bev, ctx);
 	ctx->srv_dst.bev = NULL;
 	ctx->srv_dst.ssl = NULL;
 	ctx->connected = 0;
@@ -230,7 +232,7 @@ protopassthrough_engage(pxy_conn_ctx_t *ctx)
 	// Close and free dst if open
 	if (!ctx->dst.closed) {
 		ctx->dst.closed = 1;
-		bufferevent_free_and_close_fd_nonssl(ctx->dst.bev, ctx);
+		prototcp_bufferevent_free_and_close_fd(ctx->dst.bev, ctx);
 		ctx->dst.bev = NULL;
 		ctx->dst_fd = 0;
 	}
@@ -256,12 +258,12 @@ protopassthrough_bev_eventcb_eof_src(struct bufferevent *bev, pxy_conn_ctx_t *ct
 		log_dbg_level_printf(LOG_DBG_MODE_FINEST, "protopassthrough_bev_eventcb_eof_src: !other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
 		pxy_consume_last_input(bev, ctx);
-		pxy_close_conn_end_ifnodata(&ctx->srv_dst, ctx, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->srv_dst, ctx, &prototcp_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->src, &bufferevent_free_and_close_fd_nonssl, &ctx->srv_dst, 1);
+	pxy_disconnect(ctx, &ctx->src, &prototcp_bufferevent_free_and_close_fd, &ctx->srv_dst, 1);
 }
 
 static void
@@ -281,12 +283,12 @@ protopassthrough_bev_eventcb_eof_srv_dst(struct bufferevent *bev, pxy_conn_ctx_t
 		log_dbg_level_printf(LOG_DBG_MODE_FINEST, "protopassthrough_bev_eventcb_eof_srv_dst: !other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
 		pxy_consume_last_input(bev, ctx);
-		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &prototcp_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->srv_dst, &bufferevent_free_and_close_fd_nonssl, &ctx->src, 0);
+	pxy_disconnect(ctx, &ctx->srv_dst, &prototcp_bufferevent_free_and_close_fd, &ctx->src, 0);
 }
 
 static void
@@ -298,18 +300,19 @@ protopassthrough_bev_eventcb_error_src(struct bufferevent *bev, pxy_conn_ctx_t *
 #endif /* DEBUG_PROXY */
 
 	log_err_printf("protopassthrough_bev_eventcb_error_src: Client-side BEV_EVENT_ERROR\n");
-	pxy_log_err_ssl_error(bev, ctx);
+	// XXX
+	protossl_log_ssl_error(bev, ctx);
 	ctx->thr->errors++;
 
 	if (!ctx->connected) {
 		ctx->srv_dst.closed = 1;
 	} else if (!ctx->srv_dst.closed) {
-		pxy_close_conn_end_ifnodata(&ctx->srv_dst, ctx, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->srv_dst, ctx, &prototcp_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->src, &bufferevent_free_and_close_fd_nonssl, &ctx->srv_dst, 1);
+	pxy_disconnect(ctx, &ctx->src, &prototcp_bufferevent_free_and_close_fd, &ctx->srv_dst, 1);
 }
 
 static void
@@ -321,18 +324,19 @@ protopassthrough_bev_eventcb_error_srv_dst(struct bufferevent *bev, pxy_conn_ctx
 #endif /* DEBUG_PROXY */
 
 	log_err_printf("protopassthrough_bev_eventcb_error_srv_dst: Client-side BEV_EVENT_ERROR\n");
-	pxy_log_err_ssl_error(bev, ctx);
+	// XXX
+	protossl_log_ssl_error(bev, ctx);
 	ctx->thr->errors++;
 
 	if (!ctx->connected) {
 		ctx->src.closed = 1;
 	} else if (!ctx->src.closed) {
-		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &prototcp_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->srv_dst, &bufferevent_free_and_close_fd_nonssl, &ctx->src, 0);
+	pxy_disconnect(ctx, &ctx->srv_dst, &prototcp_bufferevent_free_and_close_fd, &ctx->src, 0);
 }
 
 void

protossl.h

@@ -0,0 +1,51 @@
+/*-
+ * SSLsplit - transparent SSL/TLS interception
+ * https://www.roe.ch/SSLsplit
+ *
+ * Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef PROTOSSL_H
+#define PROTOSSL_H
+
+#include "pxyconn.h"
+
+int protossl_log_masterkey(pxy_conn_ctx_t *, pxy_conn_desc_t *);
+void protossl_log_ssl_error(struct bufferevent *, pxy_conn_ctx_t *);
+
+void protossl_srccert_write(pxy_conn_ctx_t *);
+SSL *protossl_dstssl_create(pxy_conn_ctx_t *);
+int protossl_setup_src(pxy_conn_ctx_t *);
+int protossl_setup_srv_dst(pxy_conn_ctx_t *);
+
+void protossl_bufferevent_free_and_close_fd(struct bufferevent *, pxy_conn_ctx_t *);
+void protossl_fd_readcb(evutil_socket_t, short, void *);
+void protossl_connect_child(pxy_conn_child_ctx_t *);
+void protossl_free(pxy_conn_ctx_t *) NONNULL(1);
+
+enum protocol protossl_setup(pxy_conn_ctx_t *);
+enum protocol protossl_setup_child(pxy_conn_child_ctx_t *);
+
+#endif /* PROTOSSL_H */
+

prototcp.c

@@ -28,6 +28,8 @@
 
 #include "prototcp.h"
 #include "protopassthrough.h"
+// XXX
+#include "protossl.h"
 
 #include <sys/param.h>
 #include <event2/bufferevent_ssl.h>
@@ -66,7 +68,8 @@ prototcp_conn_connect(pxy_conn_ctx_t *ctx)
 	bufferevent_enable(ctx->dst.bev, EV_READ|EV_WRITE);
 
 	/* create server-side socket and eventbuffer */
-	if (pxy_setup_srv_dst_ssl(ctx) == -1) {
+	// XXX
+	if (protossl_setup_srv_dst(ctx) == -1) {
 		return;
 	}
 	if (pxy_setup_srv_dst(ctx) == -1) {
@@ -315,7 +318,7 @@ prototcp_bev_writecb_src(struct bufferevent *bev, void *arg)
 #endif /* DEBUG_PROXY */
 
 	if (ctx->dst.closed) {
-		if (pxy_close_conn_end_ifnodata(&ctx->src, ctx, &bufferevent_free_and_close_fd) == 1) {
+		if (pxy_close_conn_end_ifnodata(&ctx->src, ctx, &pxy_bufferevent_free_and_close_fd) == 1) {
 #ifdef DEBUG_PROXY
 			log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_writecb_src: other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
@@ -367,7 +370,7 @@ prototcp_bev_writecb_dst(struct bufferevent *bev, void *arg)
 	prototcp_connect_dst(bev, ctx);
 
 	if (ctx->src.closed) {
-		if (pxy_close_conn_end_ifnodata(&ctx->dst, ctx, &bufferevent_free_and_close_fd_nonssl) == 1) {
+		if (pxy_close_conn_end_ifnodata(&ctx->dst, ctx, &prototcp_bufferevent_free_and_close_fd) == 1) {
 #ifdef DEBUG_PROXY
 			log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_writecb_dst: other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
@@ -400,7 +403,7 @@ prototcp_bev_writecb_src_child(struct bufferevent *bev, void *arg)
 	ctx->conn->atime = time(NULL);
 
 	if (ctx->dst.closed) {
-		if (pxy_close_conn_end_ifnodata(&ctx->src, ctx->conn, &bufferevent_free_and_close_fd_nonssl) == 1) {
+		if (pxy_close_conn_end_ifnodata(&ctx->src, ctx->conn, &prototcp_bufferevent_free_and_close_fd) == 1) {
 #ifdef DEBUG_PROXY
 			log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_writecb_child_src: other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
@@ -425,7 +428,7 @@ prototcp_bev_writecb_dst_child(struct bufferevent *bev, void *arg)
 	prototcp_connect_dst_child(bev, ctx);
 
 	if (ctx->src.closed) {
-		if (pxy_close_conn_end_ifnodata(&ctx->dst, ctx->conn, &bufferevent_free_and_close_fd) == 1) {
+		if (pxy_close_conn_end_ifnodata(&ctx->dst, ctx->conn, &pxy_bufferevent_free_and_close_fd) == 1) {
 #ifdef DEBUG_PROXY
 			log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_writecb_child_dst: other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
@@ -442,9 +445,10 @@ prototcp_enable_src(pxy_conn_ctx_t *ctx)
 {
 	ctx->connected = 1;
 
+	// XXX
 	if (ctx->spec->ssl) {
 		int rv;
-		if ((rv = pxy_setup_src_ssl(ctx)) != 0) {
+		if ((rv = protossl_setup_src(ctx)) != 0) {
 			return rv;
 		}
 	}
@@ -553,12 +557,12 @@ prototcp_bev_eventcb_eof_src(struct bufferevent *bev, pxy_conn_ctx_t *ctx)
 		log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_eventcb_eof_src: !other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
 		pxy_consume_last_input(bev, ctx);
-		pxy_close_conn_end_ifnodata(&ctx->dst, ctx, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->dst, ctx, &prototcp_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->src, &bufferevent_free_and_close_fd, &ctx->dst, 1);
+	pxy_disconnect(ctx, &ctx->src, &pxy_bufferevent_free_and_close_fd, &ctx->dst, 1);
 }
 
 void
@@ -578,12 +582,12 @@ prototcp_bev_eventcb_eof_dst(struct bufferevent *bev, pxy_conn_ctx_t *ctx)
 		log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_eventcb_eof_dst: !other->closed, terminate conn, fd=%d\n", ctx->fd);
 #endif /* DEBUG_PROXY */
 		pxy_consume_last_input(bev, ctx);
-		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &bufferevent_free_and_close_fd);
+		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &pxy_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->dst, &bufferevent_free_and_close_fd_nonssl, &ctx->src, 0);
+	pxy_disconnect(ctx, &ctx->dst, &prototcp_bufferevent_free_and_close_fd, &ctx->src, 0);
 }
 
 void
@@ -605,18 +609,19 @@ prototcp_bev_eventcb_error_src(struct bufferevent *bev, pxy_conn_ctx_t *ctx)
 #endif /* DEBUG_PROXY */
 
 	log_err_printf("pxy_bev_eventcb_error_src: Client-side BEV_EVENT_ERROR\n");
-	pxy_log_err_ssl_error(bev, ctx);
+	// XXX
+	protossl_log_ssl_error(bev, ctx);
 	ctx->thr->errors++;
 
 	if (!ctx->connected) {
 		ctx->dst.closed = 1;
 	} else if (!ctx->dst.closed) {
-		pxy_close_conn_end_ifnodata(&ctx->dst, ctx, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->dst, ctx, &prototcp_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->src, &bufferevent_free_and_close_fd, &ctx->dst, 1);
+	pxy_disconnect(ctx, &ctx->src, &pxy_bufferevent_free_and_close_fd, &ctx->dst, 1);
 }
 
 void
@@ -627,18 +632,19 @@ prototcp_bev_eventcb_error_dst(struct bufferevent *bev, pxy_conn_ctx_t *ctx)
 #endif /* DEBUG_PROXY */
 
 	log_err_printf("pxy_bev_eventcb_error_dst: Client-side BEV_EVENT_ERROR\n");
-	pxy_log_err_ssl_error(bev, ctx);
+	// XXX
+	protossl_log_ssl_error(bev, ctx);
 	ctx->thr->errors++;
 
 	if (!ctx->connected) {
 		ctx->src.closed = 1;
 	} else if (!ctx->src.closed) {
-		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &bufferevent_free_and_close_fd);
+		pxy_close_conn_end_ifnodata(&ctx->src, ctx, &pxy_bufferevent_free_and_close_fd);
 	}
 
 	pxy_log_dbg_disconnect(ctx);
 
-	pxy_disconnect(ctx, &ctx->dst, &bufferevent_free_and_close_fd_nonssl, &ctx->src, 0);
+	pxy_disconnect(ctx, &ctx->dst, &prototcp_bufferevent_free_and_close_fd, &ctx->src, 0);
 }
 
 void
@@ -649,7 +655,8 @@ prototcp_bev_eventcb_error_srv_dst(struct bufferevent *bev, pxy_conn_ctx_t *ctx)
 #endif /* DEBUG_PROXY */
 
 	log_err_printf("pxy_bev_eventcb_error_srv_dst: Client-side BEV_EVENT_ERROR\n");
-	pxy_log_err_ssl_error(bev, ctx);
+	// XXX
+	protossl_log_ssl_error(bev, ctx);
 	ctx->thr->errors++;
 
 	if (!ctx->connected) {
@@ -720,10 +727,10 @@ prototcp_bev_eventcb_eof_src_child(struct bufferevent *bev, pxy_conn_child_ctx_t
 		log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_eventcb_child_eof_src: !other->closed, terminate conn, fd=%d, conn fd=%d\n", ctx->fd, ctx->conn->fd);
 #endif /* DEBUG_PROXY */
 		pxy_consume_last_input_child(bev, ctx);
-		pxy_close_conn_end_ifnodata(&ctx->dst, ctx->conn, &bufferevent_free_and_close_fd);
+		pxy_close_conn_end_ifnodata(&ctx->dst, ctx->conn, &pxy_bufferevent_free_and_close_fd);
 	}
 	pxy_log_dbg_disconnect_child(ctx);
-	pxy_disconnect_child(ctx, &ctx->src, &bufferevent_free_and_close_fd_nonssl, &ctx->dst);
+	pxy_disconnect_child(ctx, &ctx->src, &prototcp_bufferevent_free_and_close_fd, &ctx->dst);
 }
 
 void
@@ -748,10 +755,10 @@ prototcp_bev_eventcb_eof_dst_child(struct bufferevent *bev, pxy_conn_child_ctx_t
 		log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_bev_eventcb_child_eof_dst: !other->closed, terminate conn, fd=%d, conn fd=%d\n", ctx->fd, ctx->conn->fd);
 #endif /* DEBUG_PROXY */
 		pxy_consume_last_input_child(bev, ctx);
-		pxy_close_conn_end_ifnodata(&ctx->src, ctx->conn, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->src, ctx->conn, &prototcp_bufferevent_free_and_close_fd);
 	}
 	pxy_log_dbg_disconnect_child(ctx);
-	pxy_disconnect_child(ctx, &ctx->dst, &bufferevent_free_and_close_fd, &ctx->src);
+	pxy_disconnect_child(ctx, &ctx->dst, &pxy_bufferevent_free_and_close_fd, &ctx->src);
 }
 
 static void
@@ -763,7 +770,8 @@ prototcp_bev_eventcb_error_src_child(struct bufferevent *bev, pxy_conn_child_ctx
 	log_dbg_level_printf(LOG_DBG_MODE_FINER, "pxy_bev_eventcb_child_error_src: BEV_EVENT_ERROR, fd=%d, conn fd=%d\n", ctx->fd, ctx->conn->fd);
 #endif /* DEBUG_PROXY */
 	log_err_printf("Server-side BEV_EVENT_ERROR\n");
-	pxy_log_err_ssl_error(bev, ctx->conn);
+	// XXX
+	protossl_log_ssl_error(bev, ctx->conn);
 	ctx->conn->thr->errors++;
 
 	if (!ctx->connected) {
@@ -775,10 +783,10 @@ prototcp_bev_eventcb_error_src_child(struct bufferevent *bev, pxy_conn_child_ctx
 		/* if the other end is still open and doesn't have data
 		 * to send, close it, otherwise its writecb will close
 		 * it after writing what's left in the output buffer */
-		pxy_close_conn_end_ifnodata(&ctx->dst, ctx->conn, &bufferevent_free_and_close_fd);
+		pxy_close_conn_end_ifnodata(&ctx->dst, ctx->conn, &pxy_bufferevent_free_and_close_fd);
 	}
 	pxy_log_dbg_disconnect_child(ctx);
-	pxy_disconnect_child(ctx, &ctx->src, &bufferevent_free_and_close_fd_nonssl, &ctx->dst);
+	pxy_disconnect_child(ctx, &ctx->src, &prototcp_bufferevent_free_and_close_fd, &ctx->dst);
 }
 
 void
@@ -790,7 +798,8 @@ prototcp_bev_eventcb_error_dst_child(struct bufferevent *bev, pxy_conn_child_ctx
 	log_dbg_level_printf(LOG_DBG_MODE_FINER, "pxy_bev_eventcb_child_error_dst: BEV_EVENT_ERROR, fd=%d, conn fd=%d\n", ctx->fd, ctx->conn->fd);
 #endif /* DEBUG_PROXY */
 	log_err_printf("Server-side BEV_EVENT_ERROR\n");
-	pxy_log_err_ssl_error(bev, ctx->conn);
+	// XXX
+	protossl_log_ssl_error(bev, ctx->conn);
 	ctx->conn->thr->errors++;
 
 	if (!ctx->connected) {
@@ -802,10 +811,10 @@ prototcp_bev_eventcb_error_dst_child(struct bufferevent *bev, pxy_conn_child_ctx
 		/* if the other end is still open and doesn't have data
 		 * to send, close it, otherwise its writecb will close
 		 * it after writing what's left in the output buffer */
-		pxy_close_conn_end_ifnodata(&ctx->src, ctx->conn, &bufferevent_free_and_close_fd_nonssl);
+		pxy_close_conn_end_ifnodata(&ctx->src, ctx->conn, &prototcp_bufferevent_free_and_close_fd);
 	}
 	pxy_log_dbg_disconnect_child(ctx);
-	pxy_disconnect_child(ctx, &ctx->dst, &bufferevent_free_and_close_fd, &ctx->src);
+	pxy_disconnect_child(ctx, &ctx->dst, &pxy_bufferevent_free_and_close_fd, &ctx->src);
 }
 
 void

pxyconn.h

@@ -307,12 +307,6 @@ void pxy_log_dbg_evbuf_info(pxy_conn_ctx_t *, pxy_conn_desc_t *, pxy_conn_desc_t
 void pxy_log_dbg_disconnect(pxy_conn_ctx_t *);
 void pxy_log_dbg_disconnect_child(pxy_conn_child_ctx_t *);
 
-void pxy_log_err_ssl_error(struct bufferevent *, pxy_conn_ctx_t *);
-
-void bufferevent_free_and_close_fd(struct bufferevent *, pxy_conn_ctx_t *);
-void bufferevent_free_and_close_fd_ssl(struct bufferevent *, pxy_conn_ctx_t *);
-void bufferevent_free_and_close_fd_nonssl(struct bufferevent *, pxy_conn_ctx_t *);
-
 void pxy_discard_inbuf(struct bufferevent *);
 int pxy_set_dstaddr(pxy_conn_ctx_t *);
 unsigned char *pxy_malloc_packet(size_t, pxy_conn_ctx_t *);
@@ -323,15 +317,11 @@ void pxy_remove_sslproxy_header(unsigned char *, size_t *, pxy_conn_child_ctx_t
 void pxy_set_watermark(struct bufferevent *, pxy_conn_ctx_t *, struct bufferevent *);
 void pxy_unset_watermark(struct bufferevent *, pxy_conn_ctx_t *, pxy_conn_desc_t *);
 
-SSL *pxy_dstssl_create(pxy_conn_ctx_t *);
-
 int pxy_setup_src(pxy_conn_ctx_t *);
-int pxy_setup_src_ssl(pxy_conn_ctx_t *);
 int pxy_setup_new_src(pxy_conn_ctx_t *);
 
 int pxy_setup_dst(pxy_conn_ctx_t *);
 int pxy_setup_srv_dst(pxy_conn_ctx_t *);
-int pxy_setup_srv_dst_ssl(pxy_conn_ctx_t *);
 
 struct bufferevent *pxy_bufferevent_setup_child(pxy_conn_child_ctx_t *, evutil_socket_t, SSL *) NONNULL(1);
 
@@ -356,6 +346,8 @@ void pxy_bev_readcb_child(struct bufferevent *, void *);
 void pxy_bev_writecb_child(struct bufferevent *, void *);
 void pxy_bev_eventcb_child(struct bufferevent *, short, void *);
 
+void pxy_bufferevent_free_and_close_fd(struct bufferevent *, pxy_conn_ctx_t *);
+
 void pxy_connect_srv_dst(struct bufferevent *, pxy_conn_ctx_t *);
 void pxy_conn_connect(pxy_conn_ctx_t *);
 
@@ -366,13 +358,11 @@ void pxy_conn_setup(evutil_socket_t, struct sockaddr *, int,
 					evutil_socket_t)
                     NONNULL(2,4,5,6);
 
+void pxy_conn_ctx_free(pxy_conn_ctx_t *, int) NONNULL(1);
+
 void pxy_conn_free(pxy_conn_ctx_t *, int) NONNULL(1);
 void pxy_conn_free_child(pxy_conn_child_ctx_t *) NONNULL(1);
 
-void protossl_fd_readcb(evutil_socket_t, short, void *);
-void protossl_connect_child(pxy_conn_child_ctx_t *);
-void protossl_free(pxy_conn_ctx_t *) NONNULL(1);
-
 #endif /* !PXYCONN_H */
 
 /* vim: set noet ft=c: */