nghttpx: Rename shrpx_ssl.{h,cc} as shrpx_tls.{h,cc}
The namespace shrpx::ssl was also renamed to shrpx::tls.
This commit is contained in:
parent
69f63c529d
commit
058122b804
|
@ -98,7 +98,7 @@ if(ENABLE_APP)
|
||||||
shrpx_log.cc
|
shrpx_log.cc
|
||||||
shrpx_http.cc
|
shrpx_http.cc
|
||||||
shrpx_io_control.cc
|
shrpx_io_control.cc
|
||||||
shrpx_ssl.cc
|
shrpx_tls.cc
|
||||||
shrpx_worker.cc
|
shrpx_worker.cc
|
||||||
shrpx_log_config.cc
|
shrpx_log_config.cc
|
||||||
shrpx_connect_blocker.cc
|
shrpx_connect_blocker.cc
|
||||||
|
@ -152,7 +152,7 @@ if(ENABLE_APP)
|
||||||
if(HAVE_CUNIT)
|
if(HAVE_CUNIT)
|
||||||
set(NGHTTPX_UNITTEST_SOURCES
|
set(NGHTTPX_UNITTEST_SOURCES
|
||||||
shrpx-unittest.cc
|
shrpx-unittest.cc
|
||||||
shrpx_ssl_test.cc
|
shrpx_tls_test.cc
|
||||||
shrpx_downstream_test.cc
|
shrpx_downstream_test.cc
|
||||||
shrpx_config_test.cc
|
shrpx_config_test.cc
|
||||||
shrpx_worker_test.cc
|
shrpx_worker_test.cc
|
||||||
|
|
|
@ -122,7 +122,7 @@ NGHTTPX_SRCS = \
|
||||||
shrpx_log.cc shrpx_log.h \
|
shrpx_log.cc shrpx_log.h \
|
||||||
shrpx_http.cc shrpx_http.h \
|
shrpx_http.cc shrpx_http.h \
|
||||||
shrpx_io_control.cc shrpx_io_control.h \
|
shrpx_io_control.cc shrpx_io_control.h \
|
||||||
shrpx_ssl.cc shrpx_ssl.h \
|
shrpx_tls.cc shrpx_tls.h \
|
||||||
shrpx_worker.cc shrpx_worker.h \
|
shrpx_worker.cc shrpx_worker.h \
|
||||||
shrpx_log_config.cc shrpx_log_config.h \
|
shrpx_log_config.cc shrpx_log_config.h \
|
||||||
shrpx_connect_blocker.cc shrpx_connect_blocker.h \
|
shrpx_connect_blocker.cc shrpx_connect_blocker.h \
|
||||||
|
@ -183,7 +183,7 @@ endif # HAVE_NEVERBLEED
|
||||||
if HAVE_CUNIT
|
if HAVE_CUNIT
|
||||||
check_PROGRAMS += nghttpx-unittest
|
check_PROGRAMS += nghttpx-unittest
|
||||||
nghttpx_unittest_SOURCES = shrpx-unittest.cc \
|
nghttpx_unittest_SOURCES = shrpx-unittest.cc \
|
||||||
shrpx_ssl_test.cc shrpx_ssl_test.h \
|
shrpx_tls_test.cc shrpx_tls_test.h \
|
||||||
shrpx_downstream_test.cc shrpx_downstream_test.h \
|
shrpx_downstream_test.cc shrpx_downstream_test.h \
|
||||||
shrpx_config_test.cc shrpx_config_test.h \
|
shrpx_config_test.cc shrpx_config_test.h \
|
||||||
shrpx_worker_test.cc shrpx_worker_test.h \
|
shrpx_worker_test.cc shrpx_worker_test.h \
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <CUnit/Basic.h>
|
#include <CUnit/Basic.h>
|
||||||
// include test cases' include files here
|
// include test cases' include files here
|
||||||
#include "shrpx_ssl_test.h"
|
#include "shrpx_tls_test.h"
|
||||||
#include "shrpx_downstream_test.h"
|
#include "shrpx_downstream_test.h"
|
||||||
#include "shrpx_config_test.h"
|
#include "shrpx_config_test.h"
|
||||||
#include "shrpx_worker_test.h"
|
#include "shrpx_worker_test.h"
|
||||||
|
@ -71,12 +71,12 @@ int main(int argc, char *argv[]) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// add the tests to the suite
|
// add the tests to the suite
|
||||||
if (!CU_add_test(pSuite, "ssl_create_lookup_tree",
|
if (!CU_add_test(pSuite, "tls_create_lookup_tree",
|
||||||
shrpx::test_shrpx_ssl_create_lookup_tree) ||
|
shrpx::test_shrpx_tls_create_lookup_tree) ||
|
||||||
!CU_add_test(pSuite, "ssl_cert_lookup_tree_add_ssl_ctx",
|
!CU_add_test(pSuite, "tls_cert_lookup_tree_add_ssl_ctx",
|
||||||
shrpx::test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx) ||
|
shrpx::test_shrpx_tls_cert_lookup_tree_add_ssl_ctx) ||
|
||||||
!CU_add_test(pSuite, "ssl_tls_hostname_match",
|
!CU_add_test(pSuite, "tls_tls_hostname_match",
|
||||||
shrpx::test_shrpx_ssl_tls_hostname_match) ||
|
shrpx::test_shrpx_tls_tls_hostname_match) ||
|
||||||
!CU_add_test(pSuite, "http2_add_header", shrpx::test_http2_add_header) ||
|
!CU_add_test(pSuite, "http2_add_header", shrpx::test_http2_add_header) ||
|
||||||
!CU_add_test(pSuite, "http2_get_header", shrpx::test_http2_get_header) ||
|
!CU_add_test(pSuite, "http2_get_header", shrpx::test_http2_get_header) ||
|
||||||
!CU_add_test(pSuite, "http2_copy_headers_to_nva",
|
!CU_add_test(pSuite, "http2_copy_headers_to_nva",
|
||||||
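Review bot: The mechanical prefix swap leaves a doubled prefix in the third registration of this hunk, `"tls_tls_hostname_match"` with `shrpx::test_shrpx_tls_tls_hostname_match`, whereas the two registrations above it read cleanly as `tls_create_lookup_tree` and `tls_cert_lookup_tree_add_ssl_ctx`. Since `tls_` is now the module prefix, `!CU_add_test(pSuite, "tls_hostname_match", shrpx::test_shrpx_tls_hostname_match) ||` would be consistent with its siblings. The declaration and definition of that test function live in shrpx_tls_test.{h,cc}, outside this hunk, and would need the same rename. The enclosing `main()` begins before this hunk.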
|
|
14
src/shrpx.cc
14
src/shrpx.cc
|
@ -76,7 +76,7 @@
|
||||||
#include <nghttp2/nghttp2.h>
|
#include <nghttp2/nghttp2.h>
|
||||||
|
|
||||||
#include "shrpx_config.h"
|
#include "shrpx_config.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_log_config.h"
|
#include "shrpx_log_config.h"
|
||||||
#include "shrpx_worker.h"
|
#include "shrpx_worker.h"
|
||||||
#include "shrpx_http2_upstream.h"
|
#include "shrpx_http2_upstream.h"
|
||||||
|
@ -1441,9 +1441,9 @@ void fill_default_config(Config *config) {
|
||||||
tlsconf.client.ciphers =
|
tlsconf.client.ciphers =
|
||||||
StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
|
StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
|
||||||
tlsconf.min_proto_version =
|
tlsconf.min_proto_version =
|
||||||
ssl::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION);
|
tls::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION);
|
||||||
tlsconf.max_proto_version =
|
tlsconf.max_proto_version =
|
||||||
ssl::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION);
|
tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION);
|
||||||
#if OPENSSL_1_1_API || defined(OPENSSL_IS_BORINGSSL)
|
#if OPENSSL_1_1_API || defined(OPENSSL_IS_BORINGSSL)
|
||||||
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
|
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
|
||||||
#else // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
|
#else // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
|
||||||
|
@ -2786,7 +2786,7 @@ int process_options(Config *config,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!tlsconf.tls_proto_list.empty()) {
|
if (!tlsconf.tls_proto_list.empty()) {
|
||||||
tlsconf.tls_proto_mask = ssl::create_tls_proto_mask(tlsconf.tls_proto_list);
|
tlsconf.tls_proto_mask = tls::create_tls_proto_mask(tlsconf.tls_proto_list);
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO We depends on the ordering of protocol version macro in
|
// TODO We depends on the ordering of protocol version macro in
|
||||||
|
@ -2797,7 +2797,7 @@ int process_options(Config *config,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ssl::set_alpn_prefs(tlsconf.alpn_prefs, tlsconf.npn_list) != 0) {
|
if (tls::set_alpn_prefs(tlsconf.alpn_prefs, tlsconf.npn_list) != 0) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2821,7 +2821,7 @@ int process_options(Config *config,
|
||||||
upstreamconf.worker_connections = std::numeric_limits<size_t>::max();
|
upstreamconf.worker_connections = std::numeric_limits<size_t>::max();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ssl::upstream_tls_enabled(config->conn) &&
|
if (tls::upstream_tls_enabled(config->conn) &&
|
||||||
(tlsconf.private_key_file.empty() || tlsconf.cert_file.empty())) {
|
(tlsconf.private_key_file.empty() || tlsconf.cert_file.empty())) {
|
||||||
LOG(FATAL) << "TLS private key and certificate files are required. "
|
LOG(FATAL) << "TLS private key and certificate files are required. "
|
||||||
"Specify them in command-line, or in configuration file "
|
"Specify them in command-line, or in configuration file "
|
||||||
|
@ -2829,7 +2829,7 @@ int process_options(Config *config,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ssl::upstream_tls_enabled(config->conn) && !tlsconf.ocsp.disabled) {
|
if (tls::upstream_tls_enabled(config->conn) && !tlsconf.ocsp.disabled) {
|
||||||
struct stat buf;
|
struct stat buf;
|
||||||
if (stat(tlsconf.ocsp.fetch_ocsp_response_file.c_str(), &buf) != 0) {
|
if (stat(tlsconf.ocsp.fetch_ocsp_response_file.c_str(), &buf) != 0) {
|
||||||
tlsconf.ocsp.disabled = true;
|
tlsconf.ocsp.disabled = true;
|
||||||
|
|
|
@ -42,7 +42,7 @@
|
||||||
#include "shrpx_config.h"
|
#include "shrpx_config.h"
|
||||||
#include "shrpx_http_downstream_connection.h"
|
#include "shrpx_http_downstream_connection.h"
|
||||||
#include "shrpx_http2_downstream_connection.h"
|
#include "shrpx_http2_downstream_connection.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_worker.h"
|
#include "shrpx_worker.h"
|
||||||
#include "shrpx_downstream_connection_pool.h"
|
#include "shrpx_downstream_connection_pool.h"
|
||||||
#include "shrpx_downstream.h"
|
#include "shrpx_downstream.h"
|
||||||
|
@ -576,7 +576,7 @@ int ClientHandler::validate_next_proto() {
|
||||||
CLOG(INFO, this) << "The negotiated next protocol: " << proto;
|
CLOG(INFO, this) << "The negotiated next protocol: " << proto;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!ssl::in_proto_list(get_config()->tls.npn_list, proto)) {
|
if (!tls::in_proto_list(get_config()->tls.npn_list, proto)) {
|
||||||
if (LOG_ENABLED(INFO)) {
|
if (LOG_ENABLED(INFO)) {
|
||||||
CLOG(INFO, this) << "The negotiated protocol is not supported: " << proto;
|
CLOG(INFO, this) << "The negotiated protocol is not supported: " << proto;
|
||||||
}
|
}
|
||||||
|
|
|
@ -53,7 +53,7 @@
|
||||||
#include "http-parser/http_parser.h"
|
#include "http-parser/http_parser.h"
|
||||||
|
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_http.h"
|
#include "shrpx_http.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "base64.h"
|
#include "base64.h"
|
||||||
|
@ -642,7 +642,7 @@ int parse_duration(ev_tstamp *dest, const StringRef &opt,
|
||||||
namespace {
|
namespace {
|
||||||
int parse_tls_proto_version(int &dest, const StringRef &opt,
|
int parse_tls_proto_version(int &dest, const StringRef &opt,
|
||||||
const StringRef &optarg) {
|
const StringRef &optarg) {
|
||||||
auto v = ssl::proto_version_from_string(optarg);
|
auto v = tls::proto_version_from_string(optarg);
|
||||||
if (v == -1) {
|
if (v == -1) {
|
||||||
LOG(ERROR) << opt << ": invalid TLS protocol version: " << optarg;
|
LOG(ERROR) << opt << ": invalid TLS protocol version: " << optarg;
|
||||||
return -1;
|
return -1;
|
||||||
|
|
|
@ -64,11 +64,11 @@ struct LogFragment;
|
||||||
class ConnectBlocker;
|
class ConnectBlocker;
|
||||||
class Http2Session;
|
class Http2Session;
|
||||||
|
|
||||||
namespace ssl {
|
namespace tls {
|
||||||
|
|
||||||
class CertLookupTree;
|
class CertLookupTree;
|
||||||
|
|
||||||
} // namespace ssl
|
} // namespace tls
|
||||||
|
|
||||||
constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE =
|
constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE =
|
||||||
StringRef::from_lit("private-key-file");
|
StringRef::from_lit("private-key-file");
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
|
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_memcached_request.h"
|
#include "shrpx_memcached_request.h"
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "memchunk.h"
|
#include "memchunk.h"
|
||||||
|
@ -360,7 +360,7 @@ int Connection::tls_handshake() {
|
||||||
auto ssl_opts = SSL_get_options(tls.ssl);
|
auto ssl_opts = SSL_get_options(tls.ssl);
|
||||||
SSL_free(tls.ssl);
|
SSL_free(tls.ssl);
|
||||||
|
|
||||||
auto ssl = ssl::create_ssl(ssl_ctx);
|
auto ssl = tls::create_ssl(ssl_ctx);
|
||||||
if (!ssl) {
|
if (!ssl) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -41,9 +41,9 @@ namespace shrpx {
|
||||||
|
|
||||||
struct MemcachedRequest;
|
struct MemcachedRequest;
|
||||||
|
|
||||||
namespace ssl {
|
namespace tls {
|
||||||
struct TLSSessionCache;
|
struct TLSSessionCache;
|
||||||
} // namespace ssl
|
} // namespace tls
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
TLS_CONN_NORMAL,
|
TLS_CONN_NORMAL,
|
||||||
|
@ -59,7 +59,7 @@ struct TLSConnection {
|
||||||
SSL *ssl;
|
SSL *ssl;
|
||||||
SSL_SESSION *cached_session;
|
SSL_SESSION *cached_session;
|
||||||
MemcachedRequest *cached_session_lookup_req;
|
MemcachedRequest *cached_session_lookup_req;
|
||||||
ssl::TLSSessionCache *client_session_cache;
|
tls::TLSSessionCache *client_session_cache;
|
||||||
ev_tstamp last_write_idle;
|
ev_tstamp last_write_idle;
|
||||||
size_t warmup_writelen;
|
size_t warmup_writelen;
|
||||||
// length passed to SSL_write and SSL_read last time. This is
|
// length passed to SSL_write and SSL_read last time. This is
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
#include <random>
|
#include <random>
|
||||||
|
|
||||||
#include "shrpx_client_handler.h"
|
#include "shrpx_client_handler.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_worker.h"
|
#include "shrpx_worker.h"
|
||||||
#include "shrpx_config.h"
|
#include "shrpx_config.h"
|
||||||
#include "shrpx_http2_session.h"
|
#include "shrpx_http2_session.h"
|
||||||
|
@ -154,7 +154,7 @@ ConnectionHandler::~ConnectionHandler() {
|
||||||
|
|
||||||
for (auto ssl_ctx : all_ssl_ctx_) {
|
for (auto ssl_ctx : all_ssl_ctx_) {
|
||||||
auto tls_ctx_data =
|
auto tls_ctx_data =
|
||||||
static_cast<ssl::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
|
static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
|
||||||
if (tls_ctx_data) {
|
if (tls_ctx_data) {
|
||||||
delete tls_ctx_data;
|
delete tls_ctx_data;
|
||||||
}
|
}
|
||||||
|
@ -199,15 +199,15 @@ void ConnectionHandler::worker_replace_downstream(
|
||||||
}
|
}
|
||||||
|
|
||||||
int ConnectionHandler::create_single_worker() {
|
int ConnectionHandler::create_single_worker() {
|
||||||
cert_tree_ = ssl::create_cert_lookup_tree();
|
cert_tree_ = tls::create_cert_lookup_tree();
|
||||||
auto sv_ssl_ctx = ssl::setup_server_ssl_context(
|
auto sv_ssl_ctx = tls::setup_server_ssl_context(
|
||||||
all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
|
all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
,
|
,
|
||||||
nb_.get()
|
nb_.get()
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
);
|
);
|
||||||
auto cl_ssl_ctx = ssl::setup_downstream_client_ssl_context(
|
auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context(
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
nb_.get()
|
nb_.get()
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
|
@ -223,7 +223,7 @@ int ConnectionHandler::create_single_worker() {
|
||||||
|
|
||||||
SSL_CTX *session_cache_ssl_ctx = nullptr;
|
SSL_CTX *session_cache_ssl_ctx = nullptr;
|
||||||
if (memcachedconf.tls) {
|
if (memcachedconf.tls) {
|
||||||
session_cache_ssl_ctx = ssl::create_ssl_client_context(
|
session_cache_ssl_ctx = tls::create_ssl_client_context(
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
nb_.get(),
|
nb_.get(),
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
|
@ -248,15 +248,15 @@ int ConnectionHandler::create_worker_thread(size_t num) {
|
||||||
#ifndef NOTHREADS
|
#ifndef NOTHREADS
|
||||||
assert(workers_.size() == 0);
|
assert(workers_.size() == 0);
|
||||||
|
|
||||||
cert_tree_ = ssl::create_cert_lookup_tree();
|
cert_tree_ = tls::create_cert_lookup_tree();
|
||||||
auto sv_ssl_ctx = ssl::setup_server_ssl_context(
|
auto sv_ssl_ctx = tls::setup_server_ssl_context(
|
||||||
all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
|
all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
,
|
,
|
||||||
nb_.get()
|
nb_.get()
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
);
|
);
|
||||||
auto cl_ssl_ctx = ssl::setup_downstream_client_ssl_context(
|
auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context(
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
nb_.get()
|
nb_.get()
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
|
@ -281,7 +281,7 @@ int ConnectionHandler::create_worker_thread(size_t num) {
|
||||||
|
|
||||||
SSL_CTX *session_cache_ssl_ctx = nullptr;
|
SSL_CTX *session_cache_ssl_ctx = nullptr;
|
||||||
if (memcachedconf.tls) {
|
if (memcachedconf.tls) {
|
||||||
session_cache_ssl_ctx = ssl::create_ssl_client_context(
|
session_cache_ssl_ctx = tls::create_ssl_client_context(
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
nb_.get(),
|
nb_.get(),
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
|
@ -384,7 +384,7 @@ int ConnectionHandler::handle_connection(int fd, sockaddr *addr, int addrlen,
|
||||||
}
|
}
|
||||||
|
|
||||||
auto client =
|
auto client =
|
||||||
ssl::accept_connection(single_worker_.get(), fd, addr, addrlen, faddr);
|
tls::accept_connection(single_worker_.get(), fd, addr, addrlen, faddr);
|
||||||
if (!client) {
|
if (!client) {
|
||||||
LLOG(ERROR, this) << "ClientHandler creation failed";
|
LLOG(ERROR, this) << "ClientHandler creation failed";
|
||||||
|
|
||||||
|
@ -592,7 +592,7 @@ void ConnectionHandler::handle_ocsp_complete() {
|
||||||
|
|
||||||
auto ssl_ctx = all_ssl_ctx_[ocsp_.next];
|
auto ssl_ctx = all_ssl_ctx_[ocsp_.next];
|
||||||
auto tls_ctx_data =
|
auto tls_ctx_data =
|
||||||
static_cast<ssl::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
|
static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
|
||||||
|
|
||||||
auto rstatus = ocsp_.chldev.rstatus;
|
auto rstatus = ocsp_.chldev.rstatus;
|
||||||
auto status = WEXITSTATUS(rstatus);
|
auto status = WEXITSTATUS(rstatus);
|
||||||
|
@ -655,7 +655,7 @@ void ConnectionHandler::proceed_next_cert_ocsp() {
|
||||||
|
|
||||||
auto ssl_ctx = all_ssl_ctx_[ocsp_.next];
|
auto ssl_ctx = all_ssl_ctx_[ocsp_.next];
|
||||||
auto tls_ctx_data =
|
auto tls_ctx_data =
|
||||||
static_cast<ssl::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
|
static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
|
||||||
|
|
||||||
// client SSL_CTX is also included in all_ssl_ctx_, but has no
|
// client SSL_CTX is also included in all_ssl_ctx_, but has no
|
||||||
// tls_ctx_data.
|
// tls_ctx_data.
|
||||||
|
@ -777,7 +777,7 @@ SSL_CTX *ConnectionHandler::create_tls_ticket_key_memcached_ssl_ctx() {
|
||||||
auto &tlsconf = config->tls;
|
auto &tlsconf = config->tls;
|
||||||
auto &memcachedconf = config->tls.ticket.memcached;
|
auto &memcachedconf = config->tls.ticket.memcached;
|
||||||
|
|
||||||
auto ssl_ctx = ssl::create_ssl_client_context(
|
auto ssl_ctx = tls::create_ssl_client_context(
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
nb_.get(),
|
nb_.get(),
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
|
|
|
@ -63,11 +63,11 @@ struct TicketKeys;
|
||||||
class MemcachedDispatcher;
|
class MemcachedDispatcher;
|
||||||
struct UpstreamAddr;
|
struct UpstreamAddr;
|
||||||
|
|
||||||
namespace ssl {
|
namespace tls {
|
||||||
|
|
||||||
class CertLookupTree;
|
class CertLookupTree;
|
||||||
|
|
||||||
} // namespace ssl
|
} // namespace tls
|
||||||
|
|
||||||
struct OCSPUpdateContext {
|
struct OCSPUpdateContext {
|
||||||
// ocsp response buffer
|
// ocsp response buffer
|
||||||
|
@ -198,7 +198,7 @@ private:
|
||||||
// Worker instance used when single threaded mode (-n1) is used.
|
// Worker instance used when single threaded mode (-n1) is used.
|
||||||
// Otherwise, nullptr and workers_ has instances of Worker instead.
|
// Otherwise, nullptr and workers_ has instances of Worker instead.
|
||||||
std::unique_ptr<Worker> single_worker_;
|
std::unique_ptr<Worker> single_worker_;
|
||||||
std::unique_ptr<ssl::CertLookupTree> cert_tree_;
|
std::unique_ptr<tls::CertLookupTree> cert_tree_;
|
||||||
std::unique_ptr<MemcachedDispatcher> tls_ticket_key_memcached_dispatcher_;
|
std::unique_ptr<MemcachedDispatcher> tls_ticket_key_memcached_dispatcher_;
|
||||||
// Current TLS session ticket keys. Note that TLS connection does
|
// Current TLS session ticket keys. Note that TLS connection does
|
||||||
// not refer to this field directly. They use TicketKeys object in
|
// not refer to this field directly. They use TicketKeys object in
|
||||||
|
|
|
@ -39,7 +39,7 @@
|
||||||
#include "shrpx_error.h"
|
#include "shrpx_error.h"
|
||||||
#include "shrpx_http2_downstream_connection.h"
|
#include "shrpx_http2_downstream_connection.h"
|
||||||
#include "shrpx_client_handler.h"
|
#include "shrpx_client_handler.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_http.h"
|
#include "shrpx_http.h"
|
||||||
#include "shrpx_worker.h"
|
#include "shrpx_worker.h"
|
||||||
#include "shrpx_connect_blocker.h"
|
#include "shrpx_connect_blocker.h"
|
||||||
|
@ -422,12 +422,12 @@ int Http2Session::initiate_connection() {
|
||||||
assert(ssl_ctx_);
|
assert(ssl_ctx_);
|
||||||
|
|
||||||
if (state_ != RESOLVING_NAME) {
|
if (state_ != RESOLVING_NAME) {
|
||||||
auto ssl = ssl::create_ssl(ssl_ctx_);
|
auto ssl = tls::create_ssl(ssl_ctx_);
|
||||||
if (!ssl) {
|
if (!ssl) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
ssl::setup_downstream_http2_alpn(ssl);
|
tls::setup_downstream_http2_alpn(ssl);
|
||||||
|
|
||||||
conn_.set_ssl(ssl);
|
conn_.set_ssl(ssl);
|
||||||
conn_.tls.client_session_cache = &addr_->tls_session_cache;
|
conn_.tls.client_session_cache = &addr_->tls_session_cache;
|
||||||
|
@ -442,7 +442,7 @@ int Http2Session::initiate_connection() {
|
||||||
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
|
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
|
||||||
}
|
}
|
||||||
|
|
||||||
auto tls_session = ssl::reuse_tls_session(addr_->tls_session_cache);
|
auto tls_session = tls::reuse_tls_session(addr_->tls_session_cache);
|
||||||
if (tls_session) {
|
if (tls_session) {
|
||||||
SSL_set_session(conn_.tls.ssl, tls_session);
|
SSL_set_session(conn_.tls.ssl, tls_session);
|
||||||
SSL_SESSION_free(tls_session);
|
SSL_SESSION_free(tls_session);
|
||||||
|
@ -2064,7 +2064,7 @@ int Http2Session::tls_handshake() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!get_config()->tls.insecure &&
|
if (!get_config()->tls.insecure &&
|
||||||
ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
|
tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
|
||||||
downstream_failure(addr_, raddr_);
|
downstream_failure(addr_, raddr_);
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
#include "shrpx_downstream_connection_pool.h"
|
#include "shrpx_downstream_connection_pool.h"
|
||||||
#include "shrpx_worker.h"
|
#include "shrpx_worker.h"
|
||||||
#include "shrpx_http2_session.h"
|
#include "shrpx_http2_session.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "http2.h"
|
#include "http2.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
@ -423,12 +423,12 @@ int HttpDownstreamConnection::initiate_connection() {
|
||||||
if (addr_->tls) {
|
if (addr_->tls) {
|
||||||
assert(ssl_ctx_);
|
assert(ssl_ctx_);
|
||||||
|
|
||||||
auto ssl = ssl::create_ssl(ssl_ctx_);
|
auto ssl = tls::create_ssl(ssl_ctx_);
|
||||||
if (!ssl) {
|
if (!ssl) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
ssl::setup_downstream_http1_alpn(ssl);
|
tls::setup_downstream_http1_alpn(ssl);
|
||||||
|
|
||||||
conn_.set_ssl(ssl);
|
conn_.set_ssl(ssl);
|
||||||
conn_.tls.client_session_cache = &addr_->tls_session_cache;
|
conn_.tls.client_session_cache = &addr_->tls_session_cache;
|
||||||
|
@ -439,7 +439,7 @@ int HttpDownstreamConnection::initiate_connection() {
|
||||||
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
|
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
|
||||||
}
|
}
|
||||||
|
|
||||||
auto session = ssl::reuse_tls_session(addr_->tls_session_cache);
|
auto session = tls::reuse_tls_session(addr_->tls_session_cache);
|
||||||
if (session) {
|
if (session) {
|
||||||
SSL_set_session(conn_.tls.ssl, session);
|
SSL_set_session(conn_.tls.ssl, session);
|
||||||
SSL_SESSION_free(session);
|
SSL_SESSION_free(session);
|
||||||
|
@ -1224,7 +1224,7 @@ int HttpDownstreamConnection::tls_handshake() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!get_config()->tls.insecure &&
|
if (!get_config()->tls.insecure &&
|
||||||
ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
|
tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
|
||||||
downstream_failure(addr_, raddr_);
|
downstream_failure(addr_, raddr_);
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
|
|
|
@ -25,7 +25,7 @@
|
||||||
#include "shrpx_live_check.h"
|
#include "shrpx_live_check.h"
|
||||||
#include "shrpx_worker.h"
|
#include "shrpx_worker.h"
|
||||||
#include "shrpx_connect_blocker.h"
|
#include "shrpx_connect_blocker.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
|
|
||||||
namespace shrpx {
|
namespace shrpx {
|
||||||
|
@ -205,17 +205,17 @@ int LiveCheck::initiate_connection() {
|
||||||
if (!dns_query_ && addr_->tls) {
|
if (!dns_query_ && addr_->tls) {
|
||||||
assert(ssl_ctx_);
|
assert(ssl_ctx_);
|
||||||
|
|
||||||
auto ssl = ssl::create_ssl(ssl_ctx_);
|
auto ssl = tls::create_ssl(ssl_ctx_);
|
||||||
if (!ssl) {
|
if (!ssl) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (addr_->proto) {
|
switch (addr_->proto) {
|
||||||
case PROTO_HTTP1:
|
case PROTO_HTTP1:
|
||||||
ssl::setup_downstream_http1_alpn(ssl);
|
tls::setup_downstream_http1_alpn(ssl);
|
||||||
break;
|
break;
|
||||||
case PROTO_HTTP2:
|
case PROTO_HTTP2:
|
||||||
ssl::setup_downstream_http2_alpn(ssl);
|
tls::setup_downstream_http2_alpn(ssl);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
assert(0);
|
assert(0);
|
||||||
|
@ -304,7 +304,7 @@ int LiveCheck::initiate_connection() {
|
||||||
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
|
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
|
||||||
}
|
}
|
||||||
|
|
||||||
auto session = ssl::reuse_tls_session(addr_->tls_session_cache);
|
auto session = tls::reuse_tls_session(addr_->tls_session_cache);
|
||||||
if (session) {
|
if (session) {
|
||||||
SSL_set_session(conn_.tls.ssl, session);
|
SSL_set_session(conn_.tls.ssl, session);
|
||||||
SSL_SESSION_free(session);
|
SSL_SESSION_free(session);
|
||||||
|
@ -397,7 +397,7 @@ int LiveCheck::tls_handshake() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!get_config()->tls.insecure &&
|
if (!get_config()->tls.insecure &&
|
||||||
ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
|
tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
#include "shrpx_memcached_request.h"
|
#include "shrpx_memcached_request.h"
|
||||||
#include "shrpx_memcached_result.h"
|
#include "shrpx_memcached_result.h"
|
||||||
#include "shrpx_config.h"
|
#include "shrpx_config.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
|
@ -150,7 +150,7 @@ int MemcachedConnection::initiate_connection() {
|
||||||
assert(conn_.fd == -1);
|
assert(conn_.fd == -1);
|
||||||
|
|
||||||
if (ssl_ctx_) {
|
if (ssl_ctx_) {
|
||||||
auto ssl = ssl::create_ssl(ssl_ctx_);
|
auto ssl = tls::create_ssl(ssl_ctx_);
|
||||||
if (!ssl) {
|
if (!ssl) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -184,7 +184,7 @@ int MemcachedConnection::initiate_connection() {
|
||||||
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name_.c_str());
|
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name_.c_str());
|
||||||
}
|
}
|
||||||
|
|
||||||
auto session = ssl::reuse_tls_session(tls_session_cache_);
|
auto session = tls::reuse_tls_session(tls_session_cache_);
|
||||||
if (session) {
|
if (session) {
|
||||||
SSL_set_session(conn_.tls.ssl, session);
|
SSL_set_session(conn_.tls.ssl, session);
|
||||||
SSL_SESSION_free(session);
|
SSL_SESSION_free(session);
|
||||||
|
@ -276,7 +276,7 @@ int MemcachedConnection::tls_handshake() {
|
||||||
auto &tlsconf = get_config()->tls;
|
auto &tlsconf = get_config()->tls;
|
||||||
|
|
||||||
if (!tlsconf.insecure &&
|
if (!tlsconf.insecure &&
|
||||||
ssl::check_cert(conn_.tls.ssl, addr_, sni_name_) != 0) {
|
tls::check_cert(conn_.tls.ssl, addr_, sni_name_) != 0) {
|
||||||
connect_blocker_.on_failure();
|
connect_blocker_.on_failure();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
#include <ev.h>
|
#include <ev.h>
|
||||||
|
|
||||||
#include "shrpx_connection.h"
|
#include "shrpx_connection.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_connect_blocker.h"
|
#include "shrpx_connect_blocker.h"
|
||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
#include "network.h"
|
#include "network.h"
|
||||||
|
@ -136,7 +136,7 @@ private:
|
||||||
std::deque<MemcachedSendbuf> sendbufv_;
|
std::deque<MemcachedSendbuf> sendbufv_;
|
||||||
std::function<int(MemcachedConnection &)> do_read_, do_write_;
|
std::function<int(MemcachedConnection &)> do_read_, do_write_;
|
||||||
StringRef sni_name_;
|
StringRef sni_name_;
|
||||||
ssl::TLSSessionCache tls_session_cache_;
|
tls::TLSSessionCache tls_session_cache_;
|
||||||
ConnectBlocker connect_blocker_;
|
ConnectBlocker connect_blocker_;
|
||||||
MemcachedParseState parse_state_;
|
MemcachedParseState parse_state_;
|
||||||
const Address *addr_;
|
const Address *addr_;
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||||
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
*/
|
*/
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
|
|
||||||
#ifdef HAVE_SYS_SOCKET_H
|
#ifdef HAVE_SYS_SOCKET_H
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
|
@ -70,7 +70,7 @@ using namespace nghttp2;
|
||||||
|
|
||||||
namespace shrpx {
|
namespace shrpx {
|
||||||
|
|
||||||
namespace ssl {
|
namespace tls {
|
||||||
|
|
||||||
#if !OPENSSL_1_1_API
|
#if !OPENSSL_1_1_API
|
||||||
namespace {
|
namespace {
|
||||||
|
@ -1596,14 +1596,13 @@ setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
|
||||||
|
|
||||||
auto &tlsconf = config->tls;
|
auto &tlsconf = config->tls;
|
||||||
|
|
||||||
auto ssl_ctx =
|
auto ssl_ctx = create_ssl_context(tlsconf.private_key_file.c_str(),
|
||||||
ssl::create_ssl_context(tlsconf.private_key_file.c_str(),
|
tlsconf.cert_file.c_str(), tlsconf.sct_data
|
||||||
tlsconf.cert_file.c_str(), tlsconf.sct_data
|
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
,
|
,
|
||||||
nb
|
nb
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
);
|
);
|
||||||
|
|
||||||
all_ssl_ctx.push_back(ssl_ctx);
|
all_ssl_ctx.push_back(ssl_ctx);
|
||||||
|
|
||||||
|
@ -1617,24 +1616,23 @@ setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
|
||||||
return ssl_ctx;
|
return ssl_ctx;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ssl::cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
|
if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
|
||||||
-1) {
|
|
||||||
LOG(FATAL) << "Failed to add default certificate.";
|
LOG(FATAL) << "Failed to add default certificate.";
|
||||||
DIE();
|
DIE();
|
||||||
}
|
}
|
||||||
|
|
||||||
for (auto &c : tlsconf.subcerts) {
|
for (auto &c : tlsconf.subcerts) {
|
||||||
auto ssl_ctx = ssl::create_ssl_context(c.private_key_file.c_str(),
|
auto ssl_ctx = create_ssl_context(c.private_key_file.c_str(),
|
||||||
c.cert_file.c_str(), c.sct_data
|
c.cert_file.c_str(), c.sct_data
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
,
|
,
|
||||||
nb
|
nb
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
);
|
);
|
||||||
all_ssl_ctx.push_back(ssl_ctx);
|
all_ssl_ctx.push_back(ssl_ctx);
|
||||||
|
|
||||||
if (ssl::cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx,
|
if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
|
||||||
ssl_ctx) == -1) {
|
-1) {
|
||||||
LOG(FATAL) << "Failed to add sub certificate.";
|
LOG(FATAL) << "Failed to add sub certificate.";
|
||||||
DIE();
|
DIE();
|
||||||
}
|
}
|
||||||
|
@ -1650,7 +1648,7 @@ SSL_CTX *setup_downstream_client_ssl_context(
|
||||||
) {
|
) {
|
||||||
auto &tlsconf = get_config()->tls;
|
auto &tlsconf = get_config()->tls;
|
||||||
|
|
||||||
return ssl::create_ssl_client_context(
|
return create_ssl_client_context(
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
nb,
|
nb,
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
|
@ -1737,6 +1735,6 @@ int proto_version_from_string(const StringRef &v) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
} // namespace ssl
|
} // namespace tls
|
||||||
|
|
||||||
} // namespace shrpx
|
} // namespace shrpx
|
|
@ -22,8 +22,8 @@
|
||||||
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||||
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
*/
|
*/
|
||||||
#ifndef SHRPX_SSL_H
|
#ifndef SHRPX_TLS_H
|
||||||
#define SHRPX_SSL_H
|
#define SHRPX_TLS_H
|
||||||
|
|
||||||
#include "shrpx.h"
|
#include "shrpx.h"
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@ class DownstreamConnectionPool;
|
||||||
struct DownstreamAddr;
|
struct DownstreamAddr;
|
||||||
struct UpstreamAddr;
|
struct UpstreamAddr;
|
||||||
|
|
||||||
namespace ssl {
|
namespace tls {
|
||||||
|
|
||||||
struct TLSSessionCache {
|
struct TLSSessionCache {
|
||||||
// ASN1 representation of SSL_SESSION object. See
|
// ASN1 representation of SSL_SESSION object. See
|
||||||
|
@ -264,8 +264,8 @@ X509 *load_certificate(const char *filename);
|
||||||
// TLS version string.
|
// TLS version string.
|
||||||
int proto_version_from_string(const StringRef &v);
|
int proto_version_from_string(const StringRef &v);
|
||||||
|
|
||||||
} // namespace ssl
|
} // namespace tls
|
||||||
|
|
||||||
} // namespace shrpx
|
} // namespace shrpx
|
||||||
|
|
||||||
#endif // SHRPX_SSL_H
|
#endif // SHRPX_TLS_H
|
|
@ -22,11 +22,11 @@
|
||||||
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||||
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
*/
|
*/
|
||||||
#include "shrpx_ssl_test.h"
|
#include "shrpx_tls_test.h"
|
||||||
|
|
||||||
#include <CUnit/CUnit.h>
|
#include <CUnit/CUnit.h>
|
||||||
|
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "template.h"
|
#include "template.h"
|
||||||
|
@ -35,8 +35,8 @@ using namespace nghttp2;
|
||||||
|
|
||||||
namespace shrpx {
|
namespace shrpx {
|
||||||
|
|
||||||
void test_shrpx_ssl_create_lookup_tree(void) {
|
void test_shrpx_tls_create_lookup_tree(void) {
|
||||||
auto tree = make_unique<ssl::CertLookupTree>();
|
auto tree = make_unique<tls::CertLookupTree>();
|
||||||
|
|
||||||
constexpr StringRef hostnames[] = {
|
constexpr StringRef hostnames[] = {
|
||||||
StringRef::from_lit("example.com"), // 0
|
StringRef::from_lit("example.com"), // 0
|
||||||
|
@ -85,7 +85,7 @@ void test_shrpx_ssl_create_lookup_tree(void) {
|
||||||
};
|
};
|
||||||
num = array_size(names);
|
num = array_size(names);
|
||||||
|
|
||||||
tree = make_unique<ssl::CertLookupTree>();
|
tree = make_unique<tls::CertLookupTree>();
|
||||||
for (size_t idx = 0; idx < num; ++idx) {
|
for (size_t idx = 0; idx < num; ++idx) {
|
||||||
tree->add_cert(names[idx], idx);
|
tree->add_cert(names[idx], idx);
|
||||||
}
|
}
|
||||||
|
@ -116,13 +116,13 @@ void test_shrpx_ssl_create_lookup_tree(void) {
|
||||||
// -config=ca-config.json -profile=server test.example.com.csr |
|
// -config=ca-config.json -profile=server test.example.com.csr |
|
||||||
// cfssljson -bare test.example.com
|
// cfssljson -bare test.example.com
|
||||||
//
|
//
|
||||||
void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) {
|
void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void) {
|
||||||
int rv;
|
int rv;
|
||||||
|
|
||||||
constexpr char nghttp2_certfile[] = NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
|
constexpr char nghttp2_certfile[] = NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
|
||||||
auto nghttp2_ssl_ctx = SSL_CTX_new(SSLv23_server_method());
|
auto nghttp2_ssl_ctx = SSL_CTX_new(SSLv23_server_method());
|
||||||
auto nghttp2_ssl_ctx_del = defer(SSL_CTX_free, nghttp2_ssl_ctx);
|
auto nghttp2_ssl_ctx_del = defer(SSL_CTX_free, nghttp2_ssl_ctx);
|
||||||
auto nghttp2_tls_ctx_data = make_unique<ssl::TLSContextData>();
|
auto nghttp2_tls_ctx_data = make_unique<tls::TLSContextData>();
|
||||||
nghttp2_tls_ctx_data->cert_file = nghttp2_certfile;
|
nghttp2_tls_ctx_data->cert_file = nghttp2_certfile;
|
||||||
SSL_CTX_set_app_data(nghttp2_ssl_ctx, nghttp2_tls_ctx_data.get());
|
SSL_CTX_set_app_data(nghttp2_ssl_ctx, nghttp2_tls_ctx_data.get());
|
||||||
rv = SSL_CTX_use_certificate_chain_file(nghttp2_ssl_ctx, nghttp2_certfile);
|
rv = SSL_CTX_use_certificate_chain_file(nghttp2_ssl_ctx, nghttp2_certfile);
|
||||||
|
@ -132,22 +132,22 @@ void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) {
|
||||||
constexpr char examples_certfile[] = NGHTTP2_SRC_DIR "/test.example.com.pem";
|
constexpr char examples_certfile[] = NGHTTP2_SRC_DIR "/test.example.com.pem";
|
||||||
auto examples_ssl_ctx = SSL_CTX_new(SSLv23_server_method());
|
auto examples_ssl_ctx = SSL_CTX_new(SSLv23_server_method());
|
||||||
auto examples_ssl_ctx_del = defer(SSL_CTX_free, examples_ssl_ctx);
|
auto examples_ssl_ctx_del = defer(SSL_CTX_free, examples_ssl_ctx);
|
||||||
auto examples_tls_ctx_data = make_unique<ssl::TLSContextData>();
|
auto examples_tls_ctx_data = make_unique<tls::TLSContextData>();
|
||||||
examples_tls_ctx_data->cert_file = examples_certfile;
|
examples_tls_ctx_data->cert_file = examples_certfile;
|
||||||
SSL_CTX_set_app_data(examples_ssl_ctx, examples_tls_ctx_data.get());
|
SSL_CTX_set_app_data(examples_ssl_ctx, examples_tls_ctx_data.get());
|
||||||
rv = SSL_CTX_use_certificate_chain_file(examples_ssl_ctx, examples_certfile);
|
rv = SSL_CTX_use_certificate_chain_file(examples_ssl_ctx, examples_certfile);
|
||||||
|
|
||||||
CU_ASSERT(1 == rv);
|
CU_ASSERT(1 == rv);
|
||||||
|
|
||||||
ssl::CertLookupTree tree;
|
tls::CertLookupTree tree;
|
||||||
std::vector<std::vector<SSL_CTX *>> indexed_ssl_ctx;
|
std::vector<std::vector<SSL_CTX *>> indexed_ssl_ctx;
|
||||||
|
|
||||||
rv = ssl::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
|
rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
|
||||||
nghttp2_ssl_ctx);
|
nghttp2_ssl_ctx);
|
||||||
|
|
||||||
CU_ASSERT(0 == rv);
|
CU_ASSERT(0 == rv);
|
||||||
|
|
||||||
rv = ssl::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
|
rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
|
||||||
examples_ssl_ctx);
|
examples_ssl_ctx);
|
||||||
|
|
||||||
CU_ASSERT(0 == rv);
|
CU_ASSERT(0 == rv);
|
||||||
|
@ -162,10 +162,10 @@ void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) {
|
||||||
template <size_t N, size_t M>
|
template <size_t N, size_t M>
|
||||||
bool tls_hostname_match_wrapper(const char (&pattern)[N],
|
bool tls_hostname_match_wrapper(const char (&pattern)[N],
|
||||||
const char (&hostname)[M]) {
|
const char (&hostname)[M]) {
|
||||||
return ssl::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M});
|
return tls::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M});
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_shrpx_ssl_tls_hostname_match(void) {
|
void test_shrpx_tls_tls_hostname_match(void) {
|
||||||
CU_ASSERT(tls_hostname_match_wrapper("example.com", "example.com"));
|
CU_ASSERT(tls_hostname_match_wrapper("example.com", "example.com"));
|
||||||
CU_ASSERT(tls_hostname_match_wrapper("example.com", "EXAMPLE.com"));
|
CU_ASSERT(tls_hostname_match_wrapper("example.com", "EXAMPLE.com"));
|
||||||
|
|
|
@ -22,8 +22,8 @@
|
||||||
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||||
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
*/
|
*/
|
||||||
#ifndef SHRPX_SSL_TEST_H
|
#ifndef SHRPX_TLS_TEST_H
|
||||||
#define SHRPX_SSL_TEST_H
|
#define SHRPX_TLS_TEST_H
|
||||||
|
|
||||||
#ifdef HAVE_CONFIG_H
|
#ifdef HAVE_CONFIG_H
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
@ -31,10 +31,10 @@
|
||||||
|
|
||||||
namespace shrpx {
|
namespace shrpx {
|
||||||
|
|
||||||
void test_shrpx_ssl_create_lookup_tree(void);
|
void test_shrpx_tls_create_lookup_tree(void);
|
||||||
void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void);
|
void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void);
|
||||||
void test_shrpx_ssl_tls_hostname_match(void);
|
void test_shrpx_tls_tls_hostname_match(void);
|
||||||
|
|
||||||
} // namespace shrpx
|
} // namespace shrpx
|
||||||
|
|
||||||
#endif // SHRPX_SSL_TEST_H
|
#endif // SHRPX_TLS_TEST_H
|
|
@ -30,7 +30,7 @@
|
||||||
|
|
||||||
#include <memory>
|
#include <memory>
|
||||||
|
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "shrpx_client_handler.h"
|
#include "shrpx_client_handler.h"
|
||||||
#include "shrpx_http2_session.h"
|
#include "shrpx_http2_session.h"
|
||||||
|
@ -111,7 +111,7 @@ bool match_shared_downstream_addr(
|
||||||
|
|
||||||
Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
||||||
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
||||||
ssl::CertLookupTree *cert_tree,
|
tls::CertLookupTree *cert_tree,
|
||||||
const std::shared_ptr<TicketKeys> &ticket_keys,
|
const std::shared_ptr<TicketKeys> &ticket_keys,
|
||||||
ConnectionHandler *conn_handler,
|
ConnectionHandler *conn_handler,
|
||||||
std::shared_ptr<DownstreamConfig> downstreamconf)
|
std::shared_ptr<DownstreamConfig> downstreamconf)
|
||||||
|
@ -368,7 +368,7 @@ void Worker::process_events() {
|
||||||
}
|
}
|
||||||
|
|
||||||
auto client_handler =
|
auto client_handler =
|
||||||
ssl::accept_connection(this, wev.client_fd, &wev.client_addr.sa,
|
tls::accept_connection(this, wev.client_fd, &wev.client_addr.sa,
|
||||||
wev.client_addrlen, wev.faddr);
|
wev.client_addrlen, wev.faddr);
|
||||||
if (!client_handler) {
|
if (!client_handler) {
|
||||||
if (LOG_ENABLED(INFO)) {
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
@ -416,7 +416,7 @@ void Worker::process_events() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ssl::CertLookupTree *Worker::get_cert_lookup_tree() const { return cert_tree_; }
|
tls::CertLookupTree *Worker::get_cert_lookup_tree() const { return cert_tree_; }
|
||||||
|
|
||||||
std::shared_ptr<TicketKeys> Worker::get_ticket_keys() {
|
std::shared_ptr<TicketKeys> Worker::get_ticket_keys() {
|
||||||
#ifdef HAVE_ATOMIC_STD_SHARED_PTR
|
#ifdef HAVE_ATOMIC_STD_SHARED_PTR
|
||||||
|
|
|
@ -45,7 +45,7 @@
|
||||||
#include "shrpx_config.h"
|
#include "shrpx_config.h"
|
||||||
#include "shrpx_downstream_connection_pool.h"
|
#include "shrpx_downstream_connection_pool.h"
|
||||||
#include "memchunk.h"
|
#include "memchunk.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_live_check.h"
|
#include "shrpx_live_check.h"
|
||||||
#include "shrpx_connect_blocker.h"
|
#include "shrpx_connect_blocker.h"
|
||||||
#include "shrpx_dns_tracker.h"
|
#include "shrpx_dns_tracker.h"
|
||||||
|
@ -69,9 +69,9 @@ class MRubyContext;
|
||||||
} // namespace mruby
|
} // namespace mruby
|
||||||
#endif // HAVE_MRUBY
|
#endif // HAVE_MRUBY
|
||||||
|
|
||||||
namespace ssl {
|
namespace tls {
|
||||||
class CertLookupTree;
|
class CertLookupTree;
|
||||||
} // namespace ssl
|
} // namespace tls
|
||||||
|
|
||||||
struct DownstreamAddr {
|
struct DownstreamAddr {
|
||||||
Address addr;
|
Address addr;
|
||||||
|
@ -95,7 +95,7 @@ struct DownstreamAddr {
|
||||||
size_t fall;
|
size_t fall;
|
||||||
size_t rise;
|
size_t rise;
|
||||||
// Client side TLS session cache
|
// Client side TLS session cache
|
||||||
ssl::TLSSessionCache tls_session_cache;
|
tls::TLSSessionCache tls_session_cache;
|
||||||
// Http2Session object created for this address. This list chains
|
// Http2Session object created for this address. This list chains
|
||||||
// all Http2Session objects that is not in group scope
|
// all Http2Session objects that is not in group scope
|
||||||
// http2_avail_freelist, and is not reached in maximum concurrency.
|
// http2_avail_freelist, and is not reached in maximum concurrency.
|
||||||
|
@ -220,7 +220,7 @@ class Worker {
|
||||||
public:
|
public:
|
||||||
Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
||||||
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
||||||
ssl::CertLookupTree *cert_tree,
|
tls::CertLookupTree *cert_tree,
|
||||||
const std::shared_ptr<TicketKeys> &ticket_keys,
|
const std::shared_ptr<TicketKeys> &ticket_keys,
|
||||||
ConnectionHandler *conn_handler,
|
ConnectionHandler *conn_handler,
|
||||||
std::shared_ptr<DownstreamConfig> downstreamconf);
|
std::shared_ptr<DownstreamConfig> downstreamconf);
|
||||||
|
@ -230,7 +230,7 @@ public:
|
||||||
void process_events();
|
void process_events();
|
||||||
void send(const WorkerEvent &event);
|
void send(const WorkerEvent &event);
|
||||||
|
|
||||||
ssl::CertLookupTree *get_cert_lookup_tree() const;
|
tls::CertLookupTree *get_cert_lookup_tree() const;
|
||||||
|
|
||||||
// These 2 functions make a lock m_ to get/set ticket keys
|
// These 2 functions make a lock m_ to get/set ticket keys
|
||||||
// atomically.
|
// atomically.
|
||||||
|
@ -297,7 +297,7 @@ private:
|
||||||
// get_config()->tls_ctx_per_worker == true.
|
// get_config()->tls_ctx_per_worker == true.
|
||||||
SSL_CTX *sv_ssl_ctx_;
|
SSL_CTX *sv_ssl_ctx_;
|
||||||
SSL_CTX *cl_ssl_ctx_;
|
SSL_CTX *cl_ssl_ctx_;
|
||||||
ssl::CertLookupTree *cert_tree_;
|
tls::CertLookupTree *cert_tree_;
|
||||||
ConnectionHandler *conn_handler_;
|
ConnectionHandler *conn_handler_;
|
||||||
|
|
||||||
#ifndef HAVE_ATOMIC_STD_SHARED_PTR
|
#ifndef HAVE_ATOMIC_STD_SHARED_PTR
|
||||||
|
|
|
@ -51,7 +51,7 @@
|
||||||
#include "shrpx_memcached_dispatcher.h"
|
#include "shrpx_memcached_dispatcher.h"
|
||||||
#include "shrpx_memcached_request.h"
|
#include "shrpx_memcached_request.h"
|
||||||
#include "shrpx_process.h"
|
#include "shrpx_process.h"
|
||||||
#include "shrpx_ssl.h"
|
#include "shrpx_tls.h"
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "app_helper.h"
|
#include "app_helper.h"
|
||||||
|
@ -448,7 +448,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
|
||||||
MemchunkPool mcpool;
|
MemchunkPool mcpool;
|
||||||
|
|
||||||
ev_timer renew_ticket_key_timer;
|
ev_timer renew_ticket_key_timer;
|
||||||
if (ssl::upstream_tls_enabled(config->conn)) {
|
if (tls::upstream_tls_enabled(config->conn)) {
|
||||||
auto &ticketconf = config->tls.ticket;
|
auto &ticketconf = config->tls.ticket;
|
||||||
auto &memcachedconf = ticketconf.memcached;
|
auto &memcachedconf = ticketconf.memcached;
|
||||||
|
|
||||||
|
@ -547,7 +547,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
|
||||||
ipcev.data = &conn_handler;
|
ipcev.data = &conn_handler;
|
||||||
ev_io_start(loop, &ipcev);
|
ev_io_start(loop, &ipcev);
|
||||||
|
|
||||||
if (ssl::upstream_tls_enabled(config->conn) && !config->tls.ocsp.disabled) {
|
if (tls::upstream_tls_enabled(config->conn) && !config->tls.ocsp.disabled) {
|
||||||
conn_handler.proceed_next_cert_ocsp();
|
conn_handler.proceed_next_cert_ocsp();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|