From 058122b80437a63cc043a5a515b13d59ad2143f7 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 1 Apr 2017 15:07:32 +0900 Subject: [PATCH] nghttpx: Rename shrpx_ssl.{h,cc} as shrpx_tls.{h,cc} The namespace shrpx::ssl was also renamed as shrpx::tls. --- src/CMakeLists.txt | 4 +-- src/Makefile.am | 4 +-- src/shrpx-unittest.cc | 14 ++++---- src/shrpx.cc | 14 ++++---- src/shrpx_client_handler.cc | 4 +-- src/shrpx_config.cc | 4 +-- src/shrpx_config.h | 4 +-- src/shrpx_connection.cc | 4 +-- src/shrpx_connection.h | 6 ++-- src/shrpx_connection_handler.cc | 28 +++++++-------- src/shrpx_connection_handler.h | 6 ++-- src/shrpx_http2_session.cc | 10 +++--- src/shrpx_http_downstream_connection.cc | 10 +++--- src/shrpx_live_check.cc | 12 +++---- src/shrpx_memcached_connection.cc | 8 ++--- src/shrpx_memcached_connection.h | 4 +-- src/{shrpx_ssl.cc => shrpx_tls.cc} | 36 +++++++++----------- src/{shrpx_ssl.h => shrpx_tls.h} | 10 +++--- src/{shrpx_ssl_test.cc => shrpx_tls_test.cc} | 26 +++++++------- src/{shrpx_ssl_test.h => shrpx_tls_test.h} | 12 +++---- src/shrpx_worker.cc | 8 ++--- src/shrpx_worker.h | 14 ++++---- src/shrpx_worker_process.cc | 6 ++-- 23 files changed, 123 insertions(+), 125 deletions(-) rename src/{shrpx_ssl.cc => shrpx_tls.cc} (98%) rename src/{shrpx_ssl.h => shrpx_tls.h} (99%) rename src/{shrpx_ssl_test.cc => shrpx_tls_test.cc} (91%) rename src/{shrpx_ssl_test.h => shrpx_tls_test.h} (84%) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 46db4865..40801f66 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -98,7 +98,7 @@ if(ENABLE_APP) shrpx_log.cc shrpx_http.cc shrpx_io_control.cc - shrpx_ssl.cc + shrpx_tls.cc shrpx_worker.cc shrpx_log_config.cc shrpx_connect_blocker.cc @@ -152,7 +152,7 @@ if(ENABLE_APP) if(HAVE_CUNIT) set(NGHTTPX_UNITTEST_SOURCES shrpx-unittest.cc - shrpx_ssl_test.cc + shrpx_tls_test.cc shrpx_downstream_test.cc shrpx_config_test.cc shrpx_worker_test.cc diff --git a/src/Makefile.am b/src/Makefile.am index 297c0b58..ef38cd32 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -122,7 +122,7 @@ NGHTTPX_SRCS = \ shrpx_log.cc shrpx_log.h \ shrpx_http.cc shrpx_http.h \ shrpx_io_control.cc shrpx_io_control.h \ - shrpx_ssl.cc shrpx_ssl.h \ + shrpx_tls.cc shrpx_tls.h \ shrpx_worker.cc shrpx_worker.h \ shrpx_log_config.cc shrpx_log_config.h \ shrpx_connect_blocker.cc shrpx_connect_blocker.h \ @@ -183,7 +183,7 @@ endif # HAVE_NEVERBLEED if HAVE_CUNIT check_PROGRAMS += nghttpx-unittest nghttpx_unittest_SOURCES = shrpx-unittest.cc \ - shrpx_ssl_test.cc shrpx_ssl_test.h \ + shrpx_tls_test.cc shrpx_tls_test.h \ shrpx_downstream_test.cc shrpx_downstream_test.h \ shrpx_config_test.cc shrpx_config_test.h \ shrpx_worker_test.cc shrpx_worker_test.h \ diff --git a/src/shrpx-unittest.cc b/src/shrpx-unittest.cc index a5104afd..4d816890 100644 --- a/src/shrpx-unittest.cc +++ b/src/shrpx-unittest.cc @@ -30,7 +30,7 @@ #include #include // include test cases' include files here -#include "shrpx_ssl_test.h" +#include "shrpx_tls_test.h" #include "shrpx_downstream_test.h" #include "shrpx_config_test.h" #include "shrpx_worker_test.h" @@ -71,12 +71,12 @@ int main(int argc, char *argv[]) { } // add the tests to the suite - if (!CU_add_test(pSuite, "ssl_create_lookup_tree", - shrpx::test_shrpx_ssl_create_lookup_tree) || - !CU_add_test(pSuite, "ssl_cert_lookup_tree_add_ssl_ctx", - shrpx::test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx) || - !CU_add_test(pSuite, "ssl_tls_hostname_match", - shrpx::test_shrpx_ssl_tls_hostname_match) || + if (!CU_add_test(pSuite, "tls_create_lookup_tree", + shrpx::test_shrpx_tls_create_lookup_tree) || + !CU_add_test(pSuite, "tls_cert_lookup_tree_add_ssl_ctx", + shrpx::test_shrpx_tls_cert_lookup_tree_add_ssl_ctx) || + !CU_add_test(pSuite, "tls_tls_hostname_match", + shrpx::test_shrpx_tls_tls_hostname_match) || !CU_add_test(pSuite, "http2_add_header", shrpx::test_http2_add_header) || !CU_add_test(pSuite, "http2_get_header", shrpx::test_http2_get_header) || !CU_add_test(pSuite, "http2_copy_headers_to_nva", diff --git a/src/shrpx.cc b/src/shrpx.cc index 15a961d2..5d31b6c6 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -76,7 +76,7 @@ #include #include "shrpx_config.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_log_config.h" #include "shrpx_worker.h" #include "shrpx_http2_upstream.h" @@ -1441,9 +1441,9 @@ void fill_default_config(Config *config) { tlsconf.client.ciphers = StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST); tlsconf.min_proto_version = - ssl::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION); + tls::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION); tlsconf.max_proto_version = - ssl::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION); + tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION); #if OPENSSL_1_1_API || defined(OPENSSL_IS_BORINGSSL) tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521"); #else // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL) @@ -2786,7 +2786,7 @@ int process_options(Config *config, } if (!tlsconf.tls_proto_list.empty()) { - tlsconf.tls_proto_mask = ssl::create_tls_proto_mask(tlsconf.tls_proto_list); + tlsconf.tls_proto_mask = tls::create_tls_proto_mask(tlsconf.tls_proto_list); } // TODO We depends on the ordering of protocol version macro in @@ -2797,7 +2797,7 @@ int process_options(Config *config, return -1; } - if (ssl::set_alpn_prefs(tlsconf.alpn_prefs, tlsconf.npn_list) != 0) { + if (tls::set_alpn_prefs(tlsconf.alpn_prefs, tlsconf.npn_list) != 0) { return -1; } @@ -2821,7 +2821,7 @@ int process_options(Config *config, upstreamconf.worker_connections = std::numeric_limits::max(); } - if (ssl::upstream_tls_enabled(config->conn) && + if (tls::upstream_tls_enabled(config->conn) && (tlsconf.private_key_file.empty() || tlsconf.cert_file.empty())) { LOG(FATAL) << "TLS private key and certificate files are required. " "Specify them in command-line, or in configuration file " @@ -2829,7 +2829,7 @@ int process_options(Config *config, return -1; } - if (ssl::upstream_tls_enabled(config->conn) && !tlsconf.ocsp.disabled) { + if (tls::upstream_tls_enabled(config->conn) && !tlsconf.ocsp.disabled) { struct stat buf; if (stat(tlsconf.ocsp.fetch_ocsp_response_file.c_str(), &buf) != 0) { tlsconf.ocsp.disabled = true; diff --git a/src/shrpx_client_handler.cc b/src/shrpx_client_handler.cc index 9260e9e3..b0063b33 100644 --- a/src/shrpx_client_handler.cc +++ b/src/shrpx_client_handler.cc @@ -42,7 +42,7 @@ #include "shrpx_config.h" #include "shrpx_http_downstream_connection.h" #include "shrpx_http2_downstream_connection.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_worker.h" #include "shrpx_downstream_connection_pool.h" #include "shrpx_downstream.h" @@ -576,7 +576,7 @@ int ClientHandler::validate_next_proto() { CLOG(INFO, this) << "The negotiated next protocol: " << proto; } - if (!ssl::in_proto_list(get_config()->tls.npn_list, proto)) { + if (!tls::in_proto_list(get_config()->tls.npn_list, proto)) { if (LOG_ENABLED(INFO)) { CLOG(INFO, this) << "The negotiated protocol is not supported: " << proto; } diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 82db8598..fba0309b 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -53,7 +53,7 @@ #include "http-parser/http_parser.h" #include "shrpx_log.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_http.h" #include "util.h" #include "base64.h" @@ -642,7 +642,7 @@ int parse_duration(ev_tstamp *dest, const StringRef &opt, namespace { int parse_tls_proto_version(int &dest, const StringRef &opt, const StringRef &optarg) { - auto v = ssl::proto_version_from_string(optarg); + auto v = tls::proto_version_from_string(optarg); if (v == -1) { LOG(ERROR) << opt << ": invalid TLS protocol version: " << optarg; return -1; diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 21c2a772..bcad5bc8 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -64,11 +64,11 @@ struct LogFragment; class ConnectBlocker; class Http2Session; -namespace ssl { +namespace tls { class CertLookupTree; -} // namespace ssl +} // namespace tls constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE = StringRef::from_lit("private-key-file"); diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc index 338e0f1c..d9088646 100644 --- a/src/shrpx_connection.cc +++ b/src/shrpx_connection.cc @@ -33,7 +33,7 @@ #include -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_memcached_request.h" #include "shrpx_log.h" #include "memchunk.h" @@ -360,7 +360,7 @@ int Connection::tls_handshake() { auto ssl_opts = SSL_get_options(tls.ssl); SSL_free(tls.ssl); - auto ssl = ssl::create_ssl(ssl_ctx); + auto ssl = tls::create_ssl(ssl_ctx); if (!ssl) { return -1; } diff --git a/src/shrpx_connection.h b/src/shrpx_connection.h index 02346346..20f989e4 100644 --- a/src/shrpx_connection.h +++ b/src/shrpx_connection.h @@ -41,9 +41,9 @@ namespace shrpx { struct MemcachedRequest; -namespace ssl { +namespace tls { struct TLSSessionCache; -} // namespace ssl +} // namespace tls enum { TLS_CONN_NORMAL, @@ -59,7 +59,7 @@ struct TLSConnection { SSL *ssl; SSL_SESSION *cached_session; MemcachedRequest *cached_session_lookup_req; - ssl::TLSSessionCache *client_session_cache; + tls::TLSSessionCache *client_session_cache; ev_tstamp last_write_idle; size_t warmup_writelen; // length passed to SSL_write and SSL_read last time. This is diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc index 0de4e4c3..d0a86ef4 100644 --- a/src/shrpx_connection_handler.cc +++ b/src/shrpx_connection_handler.cc @@ -35,7 +35,7 @@ #include #include "shrpx_client_handler.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_worker.h" #include "shrpx_config.h" #include "shrpx_http2_session.h" @@ -154,7 +154,7 @@ ConnectionHandler::~ConnectionHandler() { for (auto ssl_ctx : all_ssl_ctx_) { auto tls_ctx_data = - static_cast(SSL_CTX_get_app_data(ssl_ctx)); + static_cast(SSL_CTX_get_app_data(ssl_ctx)); if (tls_ctx_data) { delete tls_ctx_data; } @@ -199,15 +199,15 @@ void ConnectionHandler::worker_replace_downstream( } int ConnectionHandler::create_single_worker() { - cert_tree_ = ssl::create_cert_lookup_tree(); - auto sv_ssl_ctx = ssl::setup_server_ssl_context( + cert_tree_ = tls::create_cert_lookup_tree(); + auto sv_ssl_ctx = tls::setup_server_ssl_context( all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get() #ifdef HAVE_NEVERBLEED , nb_.get() #endif // HAVE_NEVERBLEED ); - auto cl_ssl_ctx = ssl::setup_downstream_client_ssl_context( + auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context( #ifdef HAVE_NEVERBLEED nb_.get() #endif // HAVE_NEVERBLEED @@ -223,7 +223,7 @@ int ConnectionHandler::create_single_worker() { SSL_CTX *session_cache_ssl_ctx = nullptr; if (memcachedconf.tls) { - session_cache_ssl_ctx = ssl::create_ssl_client_context( + session_cache_ssl_ctx = tls::create_ssl_client_context( #ifdef HAVE_NEVERBLEED nb_.get(), #endif // HAVE_NEVERBLEED @@ -248,15 +248,15 @@ int ConnectionHandler::create_worker_thread(size_t num) { #ifndef NOTHREADS assert(workers_.size() == 0); - cert_tree_ = ssl::create_cert_lookup_tree(); - auto sv_ssl_ctx = ssl::setup_server_ssl_context( + cert_tree_ = tls::create_cert_lookup_tree(); + auto sv_ssl_ctx = tls::setup_server_ssl_context( all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get() #ifdef HAVE_NEVERBLEED , nb_.get() #endif // HAVE_NEVERBLEED ); - auto cl_ssl_ctx = ssl::setup_downstream_client_ssl_context( + auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context( #ifdef HAVE_NEVERBLEED nb_.get() #endif // HAVE_NEVERBLEED @@ -281,7 +281,7 @@ int ConnectionHandler::create_worker_thread(size_t num) { SSL_CTX *session_cache_ssl_ctx = nullptr; if (memcachedconf.tls) { - session_cache_ssl_ctx = ssl::create_ssl_client_context( + session_cache_ssl_ctx = tls::create_ssl_client_context( #ifdef HAVE_NEVERBLEED nb_.get(), #endif // HAVE_NEVERBLEED @@ -384,7 +384,7 @@ int ConnectionHandler::handle_connection(int fd, sockaddr *addr, int addrlen, } auto client = - ssl::accept_connection(single_worker_.get(), fd, addr, addrlen, faddr); + tls::accept_connection(single_worker_.get(), fd, addr, addrlen, faddr); if (!client) { LLOG(ERROR, this) << "ClientHandler creation failed"; @@ -592,7 +592,7 @@ void ConnectionHandler::handle_ocsp_complete() { auto ssl_ctx = all_ssl_ctx_[ocsp_.next]; auto tls_ctx_data = - static_cast(SSL_CTX_get_app_data(ssl_ctx)); + static_cast(SSL_CTX_get_app_data(ssl_ctx)); auto rstatus = ocsp_.chldev.rstatus; auto status = WEXITSTATUS(rstatus); @@ -655,7 +655,7 @@ void ConnectionHandler::proceed_next_cert_ocsp() { auto ssl_ctx = all_ssl_ctx_[ocsp_.next]; auto tls_ctx_data = - static_cast(SSL_CTX_get_app_data(ssl_ctx)); + static_cast(SSL_CTX_get_app_data(ssl_ctx)); // client SSL_CTX is also included in all_ssl_ctx_, but has no // tls_ctx_data. @@ -777,7 +777,7 @@ SSL_CTX *ConnectionHandler::create_tls_ticket_key_memcached_ssl_ctx() { auto &tlsconf = config->tls; auto &memcachedconf = config->tls.ticket.memcached; - auto ssl_ctx = ssl::create_ssl_client_context( + auto ssl_ctx = tls::create_ssl_client_context( #ifdef HAVE_NEVERBLEED nb_.get(), #endif // HAVE_NEVERBLEED diff --git a/src/shrpx_connection_handler.h b/src/shrpx_connection_handler.h index de8d849b..d5f86f27 100644 --- a/src/shrpx_connection_handler.h +++ b/src/shrpx_connection_handler.h @@ -63,11 +63,11 @@ struct TicketKeys; class MemcachedDispatcher; struct UpstreamAddr; -namespace ssl { +namespace tls { class CertLookupTree; -} // namespace ssl +} // namespace tls struct OCSPUpdateContext { // ocsp response buffer @@ -198,7 +198,7 @@ private: // Worker instance used when single threaded mode (-n1) is used. // Otherwise, nullptr and workers_ has instances of Worker instead. std::unique_ptr single_worker_; - std::unique_ptr cert_tree_; + std::unique_ptr cert_tree_; std::unique_ptr tls_ticket_key_memcached_dispatcher_; // Current TLS session ticket keys. Note that TLS connection does // not refer to this field directly. They use TicketKeys object in diff --git a/src/shrpx_http2_session.cc b/src/shrpx_http2_session.cc index cdbb89b3..558f6220 100644 --- a/src/shrpx_http2_session.cc +++ b/src/shrpx_http2_session.cc @@ -39,7 +39,7 @@ #include "shrpx_error.h" #include "shrpx_http2_downstream_connection.h" #include "shrpx_client_handler.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_http.h" #include "shrpx_worker.h" #include "shrpx_connect_blocker.h" @@ -422,12 +422,12 @@ int Http2Session::initiate_connection() { assert(ssl_ctx_); if (state_ != RESOLVING_NAME) { - auto ssl = ssl::create_ssl(ssl_ctx_); + auto ssl = tls::create_ssl(ssl_ctx_); if (!ssl) { return -1; } - ssl::setup_downstream_http2_alpn(ssl); + tls::setup_downstream_http2_alpn(ssl); conn_.set_ssl(ssl); conn_.tls.client_session_cache = &addr_->tls_session_cache; @@ -442,7 +442,7 @@ int Http2Session::initiate_connection() { SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str()); } - auto tls_session = ssl::reuse_tls_session(addr_->tls_session_cache); + auto tls_session = tls::reuse_tls_session(addr_->tls_session_cache); if (tls_session) { SSL_set_session(conn_.tls.ssl, tls_session); SSL_SESSION_free(tls_session); @@ -2064,7 +2064,7 @@ int Http2Session::tls_handshake() { } if (!get_config()->tls.insecure && - ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) { + tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) { downstream_failure(addr_, raddr_); return -1; diff --git a/src/shrpx_http_downstream_connection.cc b/src/shrpx_http_downstream_connection.cc index 84ae896d..70460347 100644 --- a/src/shrpx_http_downstream_connection.cc +++ b/src/shrpx_http_downstream_connection.cc @@ -35,7 +35,7 @@ #include "shrpx_downstream_connection_pool.h" #include "shrpx_worker.h" #include "shrpx_http2_session.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_log.h" #include "http2.h" #include "util.h" @@ -423,12 +423,12 @@ int HttpDownstreamConnection::initiate_connection() { if (addr_->tls) { assert(ssl_ctx_); - auto ssl = ssl::create_ssl(ssl_ctx_); + auto ssl = tls::create_ssl(ssl_ctx_); if (!ssl) { return -1; } - ssl::setup_downstream_http1_alpn(ssl); + tls::setup_downstream_http1_alpn(ssl); conn_.set_ssl(ssl); conn_.tls.client_session_cache = &addr_->tls_session_cache; @@ -439,7 +439,7 @@ int HttpDownstreamConnection::initiate_connection() { SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str()); } - auto session = ssl::reuse_tls_session(addr_->tls_session_cache); + auto session = tls::reuse_tls_session(addr_->tls_session_cache); if (session) { SSL_set_session(conn_.tls.ssl, session); SSL_SESSION_free(session); @@ -1224,7 +1224,7 @@ int HttpDownstreamConnection::tls_handshake() { } if (!get_config()->tls.insecure && - ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) { + tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) { downstream_failure(addr_, raddr_); return -1; diff --git a/src/shrpx_live_check.cc b/src/shrpx_live_check.cc index 2645d3e2..4203b0ae 100644 --- a/src/shrpx_live_check.cc +++ b/src/shrpx_live_check.cc @@ -25,7 +25,7 @@ #include "shrpx_live_check.h" #include "shrpx_worker.h" #include "shrpx_connect_blocker.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_log.h" namespace shrpx { @@ -205,17 +205,17 @@ int LiveCheck::initiate_connection() { if (!dns_query_ && addr_->tls) { assert(ssl_ctx_); - auto ssl = ssl::create_ssl(ssl_ctx_); + auto ssl = tls::create_ssl(ssl_ctx_); if (!ssl) { return -1; } switch (addr_->proto) { case PROTO_HTTP1: - ssl::setup_downstream_http1_alpn(ssl); + tls::setup_downstream_http1_alpn(ssl); break; case PROTO_HTTP2: - ssl::setup_downstream_http2_alpn(ssl); + tls::setup_downstream_http2_alpn(ssl); break; default: assert(0); @@ -304,7 +304,7 @@ int LiveCheck::initiate_connection() { SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str()); } - auto session = ssl::reuse_tls_session(addr_->tls_session_cache); + auto session = tls::reuse_tls_session(addr_->tls_session_cache); if (session) { SSL_set_session(conn_.tls.ssl, session); SSL_SESSION_free(session); @@ -397,7 +397,7 @@ int LiveCheck::tls_handshake() { } if (!get_config()->tls.insecure && - ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) { + tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) { return -1; } diff --git a/src/shrpx_memcached_connection.cc b/src/shrpx_memcached_connection.cc index e50d14cd..c5e79ce2 100644 --- a/src/shrpx_memcached_connection.cc +++ b/src/shrpx_memcached_connection.cc @@ -32,7 +32,7 @@ #include "shrpx_memcached_request.h" #include "shrpx_memcached_result.h" #include "shrpx_config.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_log.h" #include "util.h" @@ -150,7 +150,7 @@ int MemcachedConnection::initiate_connection() { assert(conn_.fd == -1); if (ssl_ctx_) { - auto ssl = ssl::create_ssl(ssl_ctx_); + auto ssl = tls::create_ssl(ssl_ctx_); if (!ssl) { return -1; } @@ -184,7 +184,7 @@ int MemcachedConnection::initiate_connection() { SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name_.c_str()); } - auto session = ssl::reuse_tls_session(tls_session_cache_); + auto session = tls::reuse_tls_session(tls_session_cache_); if (session) { SSL_set_session(conn_.tls.ssl, session); SSL_SESSION_free(session); @@ -276,7 +276,7 @@ int MemcachedConnection::tls_handshake() { auto &tlsconf = get_config()->tls; if (!tlsconf.insecure && - ssl::check_cert(conn_.tls.ssl, addr_, sni_name_) != 0) { + tls::check_cert(conn_.tls.ssl, addr_, sni_name_) != 0) { connect_blocker_.on_failure(); return -1; } diff --git a/src/shrpx_memcached_connection.h b/src/shrpx_memcached_connection.h index f2837a5c..516996c5 100644 --- a/src/shrpx_memcached_connection.h +++ b/src/shrpx_memcached_connection.h @@ -33,7 +33,7 @@ #include #include "shrpx_connection.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_connect_blocker.h" #include "buffer.h" #include "network.h" @@ -136,7 +136,7 @@ private: std::deque sendbufv_; std::function do_read_, do_write_; StringRef sni_name_; - ssl::TLSSessionCache tls_session_cache_; + tls::TLSSessionCache tls_session_cache_; ConnectBlocker connect_blocker_; MemcachedParseState parse_state_; const Address *addr_; diff --git a/src/shrpx_ssl.cc b/src/shrpx_tls.cc similarity index 98% rename from src/shrpx_ssl.cc rename to src/shrpx_tls.cc index 24b005a4..7f346222 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_tls.cc @@ -22,7 +22,7 @@ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #ifdef HAVE_SYS_SOCKET_H #include @@ -70,7 +70,7 @@ using namespace nghttp2; namespace shrpx { -namespace ssl { +namespace tls { #if !OPENSSL_1_1_API namespace { @@ -1596,14 +1596,13 @@ setup_server_ssl_context(std::vector &all_ssl_ctx, auto &tlsconf = config->tls; - auto ssl_ctx = - ssl::create_ssl_context(tlsconf.private_key_file.c_str(), - tlsconf.cert_file.c_str(), tlsconf.sct_data + auto ssl_ctx = create_ssl_context(tlsconf.private_key_file.c_str(), + tlsconf.cert_file.c_str(), tlsconf.sct_data #ifdef HAVE_NEVERBLEED - , - nb + , + nb #endif // HAVE_NEVERBLEED - ); + ); all_ssl_ctx.push_back(ssl_ctx); @@ -1617,24 +1616,23 @@ setup_server_ssl_context(std::vector &all_ssl_ctx, return ssl_ctx; } - if (ssl::cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == - -1) { + if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) { LOG(FATAL) << "Failed to add default certificate."; DIE(); } for (auto &c : tlsconf.subcerts) { - auto ssl_ctx = ssl::create_ssl_context(c.private_key_file.c_str(), - c.cert_file.c_str(), c.sct_data + auto ssl_ctx = create_ssl_context(c.private_key_file.c_str(), + c.cert_file.c_str(), c.sct_data #ifdef HAVE_NEVERBLEED - , - nb + , + nb #endif // HAVE_NEVERBLEED - ); + ); all_ssl_ctx.push_back(ssl_ctx); - if (ssl::cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, - ssl_ctx) == -1) { + if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == + -1) { LOG(FATAL) << "Failed to add sub certificate."; DIE(); } @@ -1650,7 +1648,7 @@ SSL_CTX *setup_downstream_client_ssl_context( ) { auto &tlsconf = get_config()->tls; - return ssl::create_ssl_client_context( + return create_ssl_client_context( #ifdef HAVE_NEVERBLEED nb, #endif // HAVE_NEVERBLEED @@ -1737,6 +1735,6 @@ int proto_version_from_string(const StringRef &v) { return -1; } -} // namespace ssl +} // namespace tls } // namespace shrpx diff --git a/src/shrpx_ssl.h b/src/shrpx_tls.h similarity index 99% rename from src/shrpx_ssl.h rename to src/shrpx_tls.h index 05aec589..7775d18e 100644 --- a/src/shrpx_ssl.h +++ b/src/shrpx_tls.h @@ -22,8 +22,8 @@ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -#ifndef SHRPX_SSL_H -#define SHRPX_SSL_H +#ifndef SHRPX_TLS_H +#define SHRPX_TLS_H #include "shrpx.h" @@ -51,7 +51,7 @@ class DownstreamConnectionPool; struct DownstreamAddr; struct UpstreamAddr; -namespace ssl { +namespace tls { struct TLSSessionCache { // ASN1 representation of SSL_SESSION object. See @@ -264,8 +264,8 @@ X509 *load_certificate(const char *filename); // TLS version string. int proto_version_from_string(const StringRef &v); -} // namespace ssl +} // namespace tls } // namespace shrpx -#endif // SHRPX_SSL_H +#endif // SHRPX_TLS_H diff --git a/src/shrpx_ssl_test.cc b/src/shrpx_tls_test.cc similarity index 91% rename from src/shrpx_ssl_test.cc rename to src/shrpx_tls_test.cc index 551b13d9..8e478afc 100644 --- a/src/shrpx_ssl_test.cc +++ b/src/shrpx_tls_test.cc @@ -22,11 +22,11 @@ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -#include "shrpx_ssl_test.h" +#include "shrpx_tls_test.h" #include -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_log.h" #include "util.h" #include "template.h" @@ -35,8 +35,8 @@ using namespace nghttp2; namespace shrpx { -void test_shrpx_ssl_create_lookup_tree(void) { - auto tree = make_unique(); +void test_shrpx_tls_create_lookup_tree(void) { + auto tree = make_unique(); constexpr StringRef hostnames[] = { StringRef::from_lit("example.com"), // 0 @@ -85,7 +85,7 @@ void test_shrpx_ssl_create_lookup_tree(void) { }; num = array_size(names); - tree = make_unique(); + tree = make_unique(); for (size_t idx = 0; idx < num; ++idx) { tree->add_cert(names[idx], idx); } @@ -116,13 +116,13 @@ void test_shrpx_ssl_create_lookup_tree(void) { // -config=ca-config.json -profile=server test.example.com.csr | // cfssljson -bare test.example.com // -void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) { +void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void) { int rv; constexpr char nghttp2_certfile[] = NGHTTP2_SRC_DIR "/test.nghttp2.org.pem"; auto nghttp2_ssl_ctx = SSL_CTX_new(SSLv23_server_method()); auto nghttp2_ssl_ctx_del = defer(SSL_CTX_free, nghttp2_ssl_ctx); - auto nghttp2_tls_ctx_data = make_unique(); + auto nghttp2_tls_ctx_data = make_unique(); nghttp2_tls_ctx_data->cert_file = nghttp2_certfile; SSL_CTX_set_app_data(nghttp2_ssl_ctx, nghttp2_tls_ctx_data.get()); rv = SSL_CTX_use_certificate_chain_file(nghttp2_ssl_ctx, nghttp2_certfile); @@ -132,22 +132,22 @@ void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) { constexpr char examples_certfile[] = NGHTTP2_SRC_DIR "/test.example.com.pem"; auto examples_ssl_ctx = SSL_CTX_new(SSLv23_server_method()); auto examples_ssl_ctx_del = defer(SSL_CTX_free, examples_ssl_ctx); - auto examples_tls_ctx_data = make_unique(); + auto examples_tls_ctx_data = make_unique(); examples_tls_ctx_data->cert_file = examples_certfile; SSL_CTX_set_app_data(examples_ssl_ctx, examples_tls_ctx_data.get()); rv = SSL_CTX_use_certificate_chain_file(examples_ssl_ctx, examples_certfile); CU_ASSERT(1 == rv); - ssl::CertLookupTree tree; + tls::CertLookupTree tree; std::vector> indexed_ssl_ctx; - rv = ssl::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, + rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, nghttp2_ssl_ctx); CU_ASSERT(0 == rv); - rv = ssl::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, + rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, examples_ssl_ctx); CU_ASSERT(0 == rv); @@ -162,10 +162,10 @@ void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) { template bool tls_hostname_match_wrapper(const char (&pattern)[N], const char (&hostname)[M]) { - return ssl::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M}); + return tls::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M}); } -void test_shrpx_ssl_tls_hostname_match(void) { +void test_shrpx_tls_tls_hostname_match(void) { CU_ASSERT(tls_hostname_match_wrapper("example.com", "example.com")); CU_ASSERT(tls_hostname_match_wrapper("example.com", "EXAMPLE.com")); diff --git a/src/shrpx_ssl_test.h b/src/shrpx_tls_test.h similarity index 84% rename from src/shrpx_ssl_test.h rename to src/shrpx_tls_test.h index b9caaee4..40360db9 100644 --- a/src/shrpx_ssl_test.h +++ b/src/shrpx_tls_test.h @@ -22,8 +22,8 @@ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -#ifndef SHRPX_SSL_TEST_H -#define SHRPX_SSL_TEST_H +#ifndef SHRPX_TLS_TEST_H +#define SHRPX_TLS_TEST_H #ifdef HAVE_CONFIG_H #include @@ -31,10 +31,10 @@ namespace shrpx { -void test_shrpx_ssl_create_lookup_tree(void); -void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void); -void test_shrpx_ssl_tls_hostname_match(void); +void test_shrpx_tls_create_lookup_tree(void); +void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void); +void test_shrpx_tls_tls_hostname_match(void); } // namespace shrpx -#endif // SHRPX_SSL_TEST_H +#endif // SHRPX_TLS_TEST_H diff --git a/src/shrpx_worker.cc b/src/shrpx_worker.cc index 87ae96e4..69a574fc 100644 --- a/src/shrpx_worker.cc +++ b/src/shrpx_worker.cc @@ -30,7 +30,7 @@ #include -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_log.h" #include "shrpx_client_handler.h" #include "shrpx_http2_session.h" @@ -111,7 +111,7 @@ bool match_shared_downstream_addr( Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx, SSL_CTX *tls_session_cache_memcached_ssl_ctx, - ssl::CertLookupTree *cert_tree, + tls::CertLookupTree *cert_tree, const std::shared_ptr &ticket_keys, ConnectionHandler *conn_handler, std::shared_ptr downstreamconf) @@ -368,7 +368,7 @@ void Worker::process_events() { } auto client_handler = - ssl::accept_connection(this, wev.client_fd, &wev.client_addr.sa, + tls::accept_connection(this, wev.client_fd, &wev.client_addr.sa, wev.client_addrlen, wev.faddr); if (!client_handler) { if (LOG_ENABLED(INFO)) { @@ -416,7 +416,7 @@ void Worker::process_events() { } } -ssl::CertLookupTree *Worker::get_cert_lookup_tree() const { return cert_tree_; } +tls::CertLookupTree *Worker::get_cert_lookup_tree() const { return cert_tree_; } std::shared_ptr Worker::get_ticket_keys() { #ifdef HAVE_ATOMIC_STD_SHARED_PTR diff --git a/src/shrpx_worker.h b/src/shrpx_worker.h index 9b77eb5b..d5e61cfc 100644 --- a/src/shrpx_worker.h +++ b/src/shrpx_worker.h @@ -45,7 +45,7 @@ #include "shrpx_config.h" #include "shrpx_downstream_connection_pool.h" #include "memchunk.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_live_check.h" #include "shrpx_connect_blocker.h" #include "shrpx_dns_tracker.h" @@ -69,9 +69,9 @@ class MRubyContext; } // namespace mruby #endif // HAVE_MRUBY -namespace ssl { +namespace tls { class CertLookupTree; -} // namespace ssl +} // namespace tls struct DownstreamAddr { Address addr; @@ -95,7 +95,7 @@ struct DownstreamAddr { size_t fall; size_t rise; // Client side TLS session cache - ssl::TLSSessionCache tls_session_cache; + tls::TLSSessionCache tls_session_cache; // Http2Session object created for this address. This list chains // all Http2Session objects that is not in group scope // http2_avail_freelist, and is not reached in maximum concurrency. @@ -220,7 +220,7 @@ class Worker { public: Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx, SSL_CTX *tls_session_cache_memcached_ssl_ctx, - ssl::CertLookupTree *cert_tree, + tls::CertLookupTree *cert_tree, const std::shared_ptr &ticket_keys, ConnectionHandler *conn_handler, std::shared_ptr downstreamconf); @@ -230,7 +230,7 @@ public: void process_events(); void send(const WorkerEvent &event); - ssl::CertLookupTree *get_cert_lookup_tree() const; + tls::CertLookupTree *get_cert_lookup_tree() const; // These 2 functions make a lock m_ to get/set ticket keys // atomically. @@ -297,7 +297,7 @@ private: // get_config()->tls_ctx_per_worker == true. SSL_CTX *sv_ssl_ctx_; SSL_CTX *cl_ssl_ctx_; - ssl::CertLookupTree *cert_tree_; + tls::CertLookupTree *cert_tree_; ConnectionHandler *conn_handler_; #ifndef HAVE_ATOMIC_STD_SHARED_PTR diff --git a/src/shrpx_worker_process.cc b/src/shrpx_worker_process.cc index aa335318..a3e509c7 100644 --- a/src/shrpx_worker_process.cc +++ b/src/shrpx_worker_process.cc @@ -51,7 +51,7 @@ #include "shrpx_memcached_dispatcher.h" #include "shrpx_memcached_request.h" #include "shrpx_process.h" -#include "shrpx_ssl.h" +#include "shrpx_tls.h" #include "shrpx_log.h" #include "util.h" #include "app_helper.h" @@ -448,7 +448,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) { MemchunkPool mcpool; ev_timer renew_ticket_key_timer; - if (ssl::upstream_tls_enabled(config->conn)) { + if (tls::upstream_tls_enabled(config->conn)) { auto &ticketconf = config->tls.ticket; auto &memcachedconf = ticketconf.memcached; @@ -547,7 +547,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) { ipcev.data = &conn_handler; ev_io_start(loop, &ipcev); - if (ssl::upstream_tls_enabled(config->conn) && !config->tls.ocsp.disabled) { + if (tls::upstream_tls_enabled(config->conn) && !config->tls.ocsp.disabled) { conn_handler.proceed_next_cert_ocsp(); }