nghttpx: Rename shrpx_ssl.{h,cc} as shrpx_tls.{h,cc}

The namespace shrpx::ssl was also renamed to shrpx::tls.
This commit is contained in:
Tatsuhiro Tsujikawa 2017-04-01 15:07:32 +09:00
parent 69f63c529d
commit 058122b804
23 changed files with 123 additions and 125 deletions


@ -98,7 +98,7 @@ if(ENABLE_APP)
shrpx_log.cc
shrpx_http.cc
shrpx_io_control.cc
shrpx_ssl.cc
shrpx_tls.cc
shrpx_worker.cc
shrpx_log_config.cc
shrpx_connect_blocker.cc
@ -152,7 +152,7 @@ if(ENABLE_APP)
if(HAVE_CUNIT)
set(NGHTTPX_UNITTEST_SOURCES
shrpx-unittest.cc
shrpx_ssl_test.cc
shrpx_tls_test.cc
shrpx_downstream_test.cc
shrpx_config_test.cc
shrpx_worker_test.cc


@ -122,7 +122,7 @@ NGHTTPX_SRCS = \
shrpx_log.cc shrpx_log.h \
shrpx_http.cc shrpx_http.h \
shrpx_io_control.cc shrpx_io_control.h \
shrpx_ssl.cc shrpx_ssl.h \
shrpx_tls.cc shrpx_tls.h \
shrpx_worker.cc shrpx_worker.h \
shrpx_log_config.cc shrpx_log_config.h \
shrpx_connect_blocker.cc shrpx_connect_blocker.h \
@ -183,7 +183,7 @@ endif # HAVE_NEVERBLEED
if HAVE_CUNIT
check_PROGRAMS += nghttpx-unittest
nghttpx_unittest_SOURCES = shrpx-unittest.cc \
shrpx_ssl_test.cc shrpx_ssl_test.h \
shrpx_tls_test.cc shrpx_tls_test.h \
shrpx_downstream_test.cc shrpx_downstream_test.h \
shrpx_config_test.cc shrpx_config_test.h \
shrpx_worker_test.cc shrpx_worker_test.h \


@ -30,7 +30,7 @@
#include <string.h>
#include <CUnit/Basic.h>
// include test cases' include files here
#include "shrpx_ssl_test.h"
#include "shrpx_tls_test.h"
#include "shrpx_downstream_test.h"
#include "shrpx_config_test.h"
#include "shrpx_worker_test.h"
@ -71,12 +71,12 @@ int main(int argc, char *argv[]) {
}
// add the tests to the suite
if (!CU_add_test(pSuite, "ssl_create_lookup_tree",
shrpx::test_shrpx_ssl_create_lookup_tree) ||
!CU_add_test(pSuite, "ssl_cert_lookup_tree_add_ssl_ctx",
shrpx::test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx) ||
!CU_add_test(pSuite, "ssl_tls_hostname_match",
shrpx::test_shrpx_ssl_tls_hostname_match) ||
if (!CU_add_test(pSuite, "tls_create_lookup_tree",
shrpx::test_shrpx_tls_create_lookup_tree) ||
!CU_add_test(pSuite, "tls_cert_lookup_tree_add_ssl_ctx",
shrpx::test_shrpx_tls_cert_lookup_tree_add_ssl_ctx) ||
!CU_add_test(pSuite, "tls_tls_hostname_match",
shrpx::test_shrpx_tls_tls_hostname_match) ||
!CU_add_test(pSuite, "http2_add_header", shrpx::test_http2_add_header) ||
!CU_add_test(pSuite, "http2_get_header", shrpx::test_http2_get_header) ||
!CU_add_test(pSuite, "http2_copy_headers_to_nva",


@ -76,7 +76,7 @@
#include <nghttp2/nghttp2.h>
#include "shrpx_config.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_log_config.h"
#include "shrpx_worker.h"
#include "shrpx_http2_upstream.h"
@ -1441,9 +1441,9 @@ void fill_default_config(Config *config) {
tlsconf.client.ciphers =
StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
tlsconf.min_proto_version =
ssl::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION);
tls::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION);
tlsconf.max_proto_version =
ssl::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION);
tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION);
#if OPENSSL_1_1_API || defined(OPENSSL_IS_BORINGSSL)
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
#else // !OPENSSL_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
@ -2786,7 +2786,7 @@ int process_options(Config *config,
}
if (!tlsconf.tls_proto_list.empty()) {
tlsconf.tls_proto_mask = ssl::create_tls_proto_mask(tlsconf.tls_proto_list);
tlsconf.tls_proto_mask = tls::create_tls_proto_mask(tlsconf.tls_proto_list);
}
// TODO We depends on the ordering of protocol version macro in
@ -2797,7 +2797,7 @@ int process_options(Config *config,
return -1;
}
if (ssl::set_alpn_prefs(tlsconf.alpn_prefs, tlsconf.npn_list) != 0) {
if (tls::set_alpn_prefs(tlsconf.alpn_prefs, tlsconf.npn_list) != 0) {
return -1;
}
@ -2821,7 +2821,7 @@ int process_options(Config *config,
upstreamconf.worker_connections = std::numeric_limits<size_t>::max();
}
if (ssl::upstream_tls_enabled(config->conn) &&
if (tls::upstream_tls_enabled(config->conn) &&
(tlsconf.private_key_file.empty() || tlsconf.cert_file.empty())) {
LOG(FATAL) << "TLS private key and certificate files are required. "
"Specify them in command-line, or in configuration file "
@ -2829,7 +2829,7 @@ int process_options(Config *config,
return -1;
}
if (ssl::upstream_tls_enabled(config->conn) && !tlsconf.ocsp.disabled) {
if (tls::upstream_tls_enabled(config->conn) && !tlsconf.ocsp.disabled) {
struct stat buf;
if (stat(tlsconf.ocsp.fetch_ocsp_response_file.c_str(), &buf) != 0) {
tlsconf.ocsp.disabled = true;


@ -42,7 +42,7 @@
#include "shrpx_config.h"
#include "shrpx_http_downstream_connection.h"
#include "shrpx_http2_downstream_connection.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_worker.h"
#include "shrpx_downstream_connection_pool.h"
#include "shrpx_downstream.h"
@ -576,7 +576,7 @@ int ClientHandler::validate_next_proto() {
CLOG(INFO, this) << "The negotiated next protocol: " << proto;
}
if (!ssl::in_proto_list(get_config()->tls.npn_list, proto)) {
if (!tls::in_proto_list(get_config()->tls.npn_list, proto)) {
if (LOG_ENABLED(INFO)) {
CLOG(INFO, this) << "The negotiated protocol is not supported: " << proto;
}


@ -53,7 +53,7 @@
#include "http-parser/http_parser.h"
#include "shrpx_log.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_http.h"
#include "util.h"
#include "base64.h"
@ -642,7 +642,7 @@ int parse_duration(ev_tstamp *dest, const StringRef &opt,
namespace {
int parse_tls_proto_version(int &dest, const StringRef &opt,
const StringRef &optarg) {
auto v = ssl::proto_version_from_string(optarg);
auto v = tls::proto_version_from_string(optarg);
if (v == -1) {
LOG(ERROR) << opt << ": invalid TLS protocol version: " << optarg;
return -1;


@ -64,11 +64,11 @@ struct LogFragment;
class ConnectBlocker;
class Http2Session;
namespace ssl {
namespace tls {
class CertLookupTree;
} // namespace ssl
} // namespace tls
constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE =
StringRef::from_lit("private-key-file");


@ -33,7 +33,7 @@
#include <openssl/err.h>
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_memcached_request.h"
#include "shrpx_log.h"
#include "memchunk.h"
@ -360,7 +360,7 @@ int Connection::tls_handshake() {
auto ssl_opts = SSL_get_options(tls.ssl);
SSL_free(tls.ssl);
auto ssl = ssl::create_ssl(ssl_ctx);
auto ssl = tls::create_ssl(ssl_ctx);
if (!ssl) {
return -1;
}


@ -41,9 +41,9 @@ namespace shrpx {
struct MemcachedRequest;
namespace ssl {
namespace tls {
struct TLSSessionCache;
} // namespace ssl
} // namespace tls
enum {
TLS_CONN_NORMAL,
@ -59,7 +59,7 @@ struct TLSConnection {
SSL *ssl;
SSL_SESSION *cached_session;
MemcachedRequest *cached_session_lookup_req;
ssl::TLSSessionCache *client_session_cache;
tls::TLSSessionCache *client_session_cache;
ev_tstamp last_write_idle;
size_t warmup_writelen;
// length passed to SSL_write and SSL_read last time. This is


@ -35,7 +35,7 @@
#include <random>
#include "shrpx_client_handler.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_worker.h"
#include "shrpx_config.h"
#include "shrpx_http2_session.h"
@ -154,7 +154,7 @@ ConnectionHandler::~ConnectionHandler() {
for (auto ssl_ctx : all_ssl_ctx_) {
auto tls_ctx_data =
static_cast<ssl::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
if (tls_ctx_data) {
delete tls_ctx_data;
}
@ -199,15 +199,15 @@ void ConnectionHandler::worker_replace_downstream(
}
int ConnectionHandler::create_single_worker() {
cert_tree_ = ssl::create_cert_lookup_tree();
auto sv_ssl_ctx = ssl::setup_server_ssl_context(
cert_tree_ = tls::create_cert_lookup_tree();
auto sv_ssl_ctx = tls::setup_server_ssl_context(
all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
#ifdef HAVE_NEVERBLEED
,
nb_.get()
#endif // HAVE_NEVERBLEED
);
auto cl_ssl_ctx = ssl::setup_downstream_client_ssl_context(
auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context(
#ifdef HAVE_NEVERBLEED
nb_.get()
#endif // HAVE_NEVERBLEED
@ -223,7 +223,7 @@ int ConnectionHandler::create_single_worker() {
SSL_CTX *session_cache_ssl_ctx = nullptr;
if (memcachedconf.tls) {
session_cache_ssl_ctx = ssl::create_ssl_client_context(
session_cache_ssl_ctx = tls::create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
nb_.get(),
#endif // HAVE_NEVERBLEED
@ -248,15 +248,15 @@ int ConnectionHandler::create_worker_thread(size_t num) {
#ifndef NOTHREADS
assert(workers_.size() == 0);
cert_tree_ = ssl::create_cert_lookup_tree();
auto sv_ssl_ctx = ssl::setup_server_ssl_context(
cert_tree_ = tls::create_cert_lookup_tree();
auto sv_ssl_ctx = tls::setup_server_ssl_context(
all_ssl_ctx_, indexed_ssl_ctx_, cert_tree_.get()
#ifdef HAVE_NEVERBLEED
,
nb_.get()
#endif // HAVE_NEVERBLEED
);
auto cl_ssl_ctx = ssl::setup_downstream_client_ssl_context(
auto cl_ssl_ctx = tls::setup_downstream_client_ssl_context(
#ifdef HAVE_NEVERBLEED
nb_.get()
#endif // HAVE_NEVERBLEED
@ -281,7 +281,7 @@ int ConnectionHandler::create_worker_thread(size_t num) {
SSL_CTX *session_cache_ssl_ctx = nullptr;
if (memcachedconf.tls) {
session_cache_ssl_ctx = ssl::create_ssl_client_context(
session_cache_ssl_ctx = tls::create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
nb_.get(),
#endif // HAVE_NEVERBLEED
@ -384,7 +384,7 @@ int ConnectionHandler::handle_connection(int fd, sockaddr *addr, int addrlen,
}
auto client =
ssl::accept_connection(single_worker_.get(), fd, addr, addrlen, faddr);
tls::accept_connection(single_worker_.get(), fd, addr, addrlen, faddr);
if (!client) {
LLOG(ERROR, this) << "ClientHandler creation failed";
@ -592,7 +592,7 @@ void ConnectionHandler::handle_ocsp_complete() {
auto ssl_ctx = all_ssl_ctx_[ocsp_.next];
auto tls_ctx_data =
static_cast<ssl::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
auto rstatus = ocsp_.chldev.rstatus;
auto status = WEXITSTATUS(rstatus);
@ -655,7 +655,7 @@ void ConnectionHandler::proceed_next_cert_ocsp() {
auto ssl_ctx = all_ssl_ctx_[ocsp_.next];
auto tls_ctx_data =
static_cast<ssl::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
static_cast<tls::TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
// client SSL_CTX is also included in all_ssl_ctx_, but has no
// tls_ctx_data.
@ -777,7 +777,7 @@ SSL_CTX *ConnectionHandler::create_tls_ticket_key_memcached_ssl_ctx() {
auto &tlsconf = config->tls;
auto &memcachedconf = config->tls.ticket.memcached;
auto ssl_ctx = ssl::create_ssl_client_context(
auto ssl_ctx = tls::create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
nb_.get(),
#endif // HAVE_NEVERBLEED


@ -63,11 +63,11 @@ struct TicketKeys;
class MemcachedDispatcher;
struct UpstreamAddr;
namespace ssl {
namespace tls {
class CertLookupTree;
} // namespace ssl
} // namespace tls
struct OCSPUpdateContext {
// ocsp response buffer
@ -198,7 +198,7 @@ private:
// Worker instance used when single threaded mode (-n1) is used.
// Otherwise, nullptr and workers_ has instances of Worker instead.
std::unique_ptr<Worker> single_worker_;
std::unique_ptr<ssl::CertLookupTree> cert_tree_;
std::unique_ptr<tls::CertLookupTree> cert_tree_;
std::unique_ptr<MemcachedDispatcher> tls_ticket_key_memcached_dispatcher_;
// Current TLS session ticket keys. Note that TLS connection does
// not refer to this field directly. They use TicketKeys object in


@ -39,7 +39,7 @@
#include "shrpx_error.h"
#include "shrpx_http2_downstream_connection.h"
#include "shrpx_client_handler.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_http.h"
#include "shrpx_worker.h"
#include "shrpx_connect_blocker.h"
@ -422,12 +422,12 @@ int Http2Session::initiate_connection() {
assert(ssl_ctx_);
if (state_ != RESOLVING_NAME) {
auto ssl = ssl::create_ssl(ssl_ctx_);
auto ssl = tls::create_ssl(ssl_ctx_);
if (!ssl) {
return -1;
}
ssl::setup_downstream_http2_alpn(ssl);
tls::setup_downstream_http2_alpn(ssl);
conn_.set_ssl(ssl);
conn_.tls.client_session_cache = &addr_->tls_session_cache;
@ -442,7 +442,7 @@ int Http2Session::initiate_connection() {
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
}
auto tls_session = ssl::reuse_tls_session(addr_->tls_session_cache);
auto tls_session = tls::reuse_tls_session(addr_->tls_session_cache);
if (tls_session) {
SSL_set_session(conn_.tls.ssl, tls_session);
SSL_SESSION_free(tls_session);
@ -2064,7 +2064,7 @@ int Http2Session::tls_handshake() {
}
if (!get_config()->tls.insecure &&
ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
downstream_failure(addr_, raddr_);
return -1;


@ -35,7 +35,7 @@
#include "shrpx_downstream_connection_pool.h"
#include "shrpx_worker.h"
#include "shrpx_http2_session.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_log.h"
#include "http2.h"
#include "util.h"
@ -423,12 +423,12 @@ int HttpDownstreamConnection::initiate_connection() {
if (addr_->tls) {
assert(ssl_ctx_);
auto ssl = ssl::create_ssl(ssl_ctx_);
auto ssl = tls::create_ssl(ssl_ctx_);
if (!ssl) {
return -1;
}
ssl::setup_downstream_http1_alpn(ssl);
tls::setup_downstream_http1_alpn(ssl);
conn_.set_ssl(ssl);
conn_.tls.client_session_cache = &addr_->tls_session_cache;
@ -439,7 +439,7 @@ int HttpDownstreamConnection::initiate_connection() {
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
}
auto session = ssl::reuse_tls_session(addr_->tls_session_cache);
auto session = tls::reuse_tls_session(addr_->tls_session_cache);
if (session) {
SSL_set_session(conn_.tls.ssl, session);
SSL_SESSION_free(session);
@ -1224,7 +1224,7 @@ int HttpDownstreamConnection::tls_handshake() {
}
if (!get_config()->tls.insecure &&
ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
downstream_failure(addr_, raddr_);
return -1;


@ -25,7 +25,7 @@
#include "shrpx_live_check.h"
#include "shrpx_worker.h"
#include "shrpx_connect_blocker.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_log.h"
namespace shrpx {
@ -205,17 +205,17 @@ int LiveCheck::initiate_connection() {
if (!dns_query_ && addr_->tls) {
assert(ssl_ctx_);
auto ssl = ssl::create_ssl(ssl_ctx_);
auto ssl = tls::create_ssl(ssl_ctx_);
if (!ssl) {
return -1;
}
switch (addr_->proto) {
case PROTO_HTTP1:
ssl::setup_downstream_http1_alpn(ssl);
tls::setup_downstream_http1_alpn(ssl);
break;
case PROTO_HTTP2:
ssl::setup_downstream_http2_alpn(ssl);
tls::setup_downstream_http2_alpn(ssl);
break;
default:
assert(0);
@ -304,7 +304,7 @@ int LiveCheck::initiate_connection() {
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name.c_str());
}
auto session = ssl::reuse_tls_session(addr_->tls_session_cache);
auto session = tls::reuse_tls_session(addr_->tls_session_cache);
if (session) {
SSL_set_session(conn_.tls.ssl, session);
SSL_SESSION_free(session);
@ -397,7 +397,7 @@ int LiveCheck::tls_handshake() {
}
if (!get_config()->tls.insecure &&
ssl::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
tls::check_cert(conn_.tls.ssl, addr_, raddr_) != 0) {
return -1;
}


@ -32,7 +32,7 @@
#include "shrpx_memcached_request.h"
#include "shrpx_memcached_result.h"
#include "shrpx_config.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_log.h"
#include "util.h"
@ -150,7 +150,7 @@ int MemcachedConnection::initiate_connection() {
assert(conn_.fd == -1);
if (ssl_ctx_) {
auto ssl = ssl::create_ssl(ssl_ctx_);
auto ssl = tls::create_ssl(ssl_ctx_);
if (!ssl) {
return -1;
}
@ -184,7 +184,7 @@ int MemcachedConnection::initiate_connection() {
SSL_set_tlsext_host_name(conn_.tls.ssl, sni_name_.c_str());
}
auto session = ssl::reuse_tls_session(tls_session_cache_);
auto session = tls::reuse_tls_session(tls_session_cache_);
if (session) {
SSL_set_session(conn_.tls.ssl, session);
SSL_SESSION_free(session);
@ -276,7 +276,7 @@ int MemcachedConnection::tls_handshake() {
auto &tlsconf = get_config()->tls;
if (!tlsconf.insecure &&
ssl::check_cert(conn_.tls.ssl, addr_, sni_name_) != 0) {
tls::check_cert(conn_.tls.ssl, addr_, sni_name_) != 0) {
connect_blocker_.on_failure();
return -1;
}


@ -33,7 +33,7 @@
#include <ev.h>
#include "shrpx_connection.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_connect_blocker.h"
#include "buffer.h"
#include "network.h"
@ -136,7 +136,7 @@ private:
std::deque<MemcachedSendbuf> sendbufv_;
std::function<int(MemcachedConnection &)> do_read_, do_write_;
StringRef sni_name_;
ssl::TLSSessionCache tls_session_cache_;
tls::TLSSessionCache tls_session_cache_;
ConnectBlocker connect_blocker_;
MemcachedParseState parse_state_;
const Address *addr_;


@ -22,7 +22,7 @@
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
@ -70,7 +70,7 @@ using namespace nghttp2;
namespace shrpx {
namespace ssl {
namespace tls {
#if !OPENSSL_1_1_API
namespace {
@ -1596,14 +1596,13 @@ setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
auto &tlsconf = config->tls;
auto ssl_ctx =
ssl::create_ssl_context(tlsconf.private_key_file.c_str(),
tlsconf.cert_file.c_str(), tlsconf.sct_data
auto ssl_ctx = create_ssl_context(tlsconf.private_key_file.c_str(),
tlsconf.cert_file.c_str(), tlsconf.sct_data
#ifdef HAVE_NEVERBLEED
,
nb
,
nb
#endif // HAVE_NEVERBLEED
);
);
all_ssl_ctx.push_back(ssl_ctx);
@ -1617,24 +1616,23 @@ setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
return ssl_ctx;
}
if (ssl::cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
-1) {
if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
LOG(FATAL) << "Failed to add default certificate.";
DIE();
}
for (auto &c : tlsconf.subcerts) {
auto ssl_ctx = ssl::create_ssl_context(c.private_key_file.c_str(),
c.cert_file.c_str(), c.sct_data
auto ssl_ctx = create_ssl_context(c.private_key_file.c_str(),
c.cert_file.c_str(), c.sct_data
#ifdef HAVE_NEVERBLEED
,
nb
,
nb
#endif // HAVE_NEVERBLEED
);
);
all_ssl_ctx.push_back(ssl_ctx);
if (ssl::cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx,
ssl_ctx) == -1) {
if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) ==
-1) {
LOG(FATAL) << "Failed to add sub certificate.";
DIE();
}
@ -1650,7 +1648,7 @@ SSL_CTX *setup_downstream_client_ssl_context(
) {
auto &tlsconf = get_config()->tls;
return ssl::create_ssl_client_context(
return create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
nb,
#endif // HAVE_NEVERBLEED
@ -1737,6 +1735,6 @@ int proto_version_from_string(const StringRef &v) {
return -1;
}
} // namespace ssl
} // namespace tls
} // namespace shrpx


@ -22,8 +22,8 @@
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#ifndef SHRPX_SSL_H
#define SHRPX_SSL_H
#ifndef SHRPX_TLS_H
#define SHRPX_TLS_H
#include "shrpx.h"
@ -51,7 +51,7 @@ class DownstreamConnectionPool;
struct DownstreamAddr;
struct UpstreamAddr;
namespace ssl {
namespace tls {
struct TLSSessionCache {
// ASN1 representation of SSL_SESSION object. See
@ -264,8 +264,8 @@ X509 *load_certificate(const char *filename);
// TLS version string.
int proto_version_from_string(const StringRef &v);
} // namespace ssl
} // namespace tls
} // namespace shrpx
#endif // SHRPX_SSL_H
#endif // SHRPX_TLS_H


@ -22,11 +22,11 @@
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#include "shrpx_ssl_test.h"
#include "shrpx_tls_test.h"
#include <CUnit/CUnit.h>
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_log.h"
#include "util.h"
#include "template.h"
@ -35,8 +35,8 @@ using namespace nghttp2;
namespace shrpx {
void test_shrpx_ssl_create_lookup_tree(void) {
auto tree = make_unique<ssl::CertLookupTree>();
void test_shrpx_tls_create_lookup_tree(void) {
auto tree = make_unique<tls::CertLookupTree>();
constexpr StringRef hostnames[] = {
StringRef::from_lit("example.com"), // 0
@ -85,7 +85,7 @@ void test_shrpx_ssl_create_lookup_tree(void) {
};
num = array_size(names);
tree = make_unique<ssl::CertLookupTree>();
tree = make_unique<tls::CertLookupTree>();
for (size_t idx = 0; idx < num; ++idx) {
tree->add_cert(names[idx], idx);
}
@ -116,13 +116,13 @@ void test_shrpx_ssl_create_lookup_tree(void) {
// -config=ca-config.json -profile=server test.example.com.csr |
// cfssljson -bare test.example.com
//
void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) {
void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void) {
int rv;
constexpr char nghttp2_certfile[] = NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
auto nghttp2_ssl_ctx = SSL_CTX_new(SSLv23_server_method());
auto nghttp2_ssl_ctx_del = defer(SSL_CTX_free, nghttp2_ssl_ctx);
auto nghttp2_tls_ctx_data = make_unique<ssl::TLSContextData>();
auto nghttp2_tls_ctx_data = make_unique<tls::TLSContextData>();
nghttp2_tls_ctx_data->cert_file = nghttp2_certfile;
SSL_CTX_set_app_data(nghttp2_ssl_ctx, nghttp2_tls_ctx_data.get());
rv = SSL_CTX_use_certificate_chain_file(nghttp2_ssl_ctx, nghttp2_certfile);
@ -132,22 +132,22 @@ void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) {
constexpr char examples_certfile[] = NGHTTP2_SRC_DIR "/test.example.com.pem";
auto examples_ssl_ctx = SSL_CTX_new(SSLv23_server_method());
auto examples_ssl_ctx_del = defer(SSL_CTX_free, examples_ssl_ctx);
auto examples_tls_ctx_data = make_unique<ssl::TLSContextData>();
auto examples_tls_ctx_data = make_unique<tls::TLSContextData>();
examples_tls_ctx_data->cert_file = examples_certfile;
SSL_CTX_set_app_data(examples_ssl_ctx, examples_tls_ctx_data.get());
rv = SSL_CTX_use_certificate_chain_file(examples_ssl_ctx, examples_certfile);
CU_ASSERT(1 == rv);
ssl::CertLookupTree tree;
tls::CertLookupTree tree;
std::vector<std::vector<SSL_CTX *>> indexed_ssl_ctx;
rv = ssl::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
nghttp2_ssl_ctx);
CU_ASSERT(0 == rv);
rv = ssl::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
examples_ssl_ctx);
CU_ASSERT(0 == rv);
@ -162,10 +162,10 @@ void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void) {
template <size_t N, size_t M>
bool tls_hostname_match_wrapper(const char (&pattern)[N],
const char (&hostname)[M]) {
return ssl::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M});
return tls::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M});
}
void test_shrpx_ssl_tls_hostname_match(void) {
void test_shrpx_tls_tls_hostname_match(void) {
CU_ASSERT(tls_hostname_match_wrapper("example.com", "example.com"));
CU_ASSERT(tls_hostname_match_wrapper("example.com", "EXAMPLE.com"));


@ -22,8 +22,8 @@
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#ifndef SHRPX_SSL_TEST_H
#define SHRPX_SSL_TEST_H
#ifndef SHRPX_TLS_TEST_H
#define SHRPX_TLS_TEST_H
#ifdef HAVE_CONFIG_H
#include <config.h>
@ -31,10 +31,10 @@
namespace shrpx {
void test_shrpx_ssl_create_lookup_tree(void);
void test_shrpx_ssl_cert_lookup_tree_add_ssl_ctx(void);
void test_shrpx_ssl_tls_hostname_match(void);
void test_shrpx_tls_create_lookup_tree(void);
void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void);
void test_shrpx_tls_tls_hostname_match(void);
} // namespace shrpx
#endif // SHRPX_SSL_TEST_H
#endif // SHRPX_TLS_TEST_H


@ -30,7 +30,7 @@
#include <memory>
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_log.h"
#include "shrpx_client_handler.h"
#include "shrpx_http2_session.h"
@ -111,7 +111,7 @@ bool match_shared_downstream_addr(
Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
ssl::CertLookupTree *cert_tree,
tls::CertLookupTree *cert_tree,
const std::shared_ptr<TicketKeys> &ticket_keys,
ConnectionHandler *conn_handler,
std::shared_ptr<DownstreamConfig> downstreamconf)
@ -368,7 +368,7 @@ void Worker::process_events() {
}
auto client_handler =
ssl::accept_connection(this, wev.client_fd, &wev.client_addr.sa,
tls::accept_connection(this, wev.client_fd, &wev.client_addr.sa,
wev.client_addrlen, wev.faddr);
if (!client_handler) {
if (LOG_ENABLED(INFO)) {
@ -416,7 +416,7 @@ void Worker::process_events() {
}
}
ssl::CertLookupTree *Worker::get_cert_lookup_tree() const { return cert_tree_; }
tls::CertLookupTree *Worker::get_cert_lookup_tree() const { return cert_tree_; }
std::shared_ptr<TicketKeys> Worker::get_ticket_keys() {
#ifdef HAVE_ATOMIC_STD_SHARED_PTR


@ -45,7 +45,7 @@
#include "shrpx_config.h"
#include "shrpx_downstream_connection_pool.h"
#include "memchunk.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_live_check.h"
#include "shrpx_connect_blocker.h"
#include "shrpx_dns_tracker.h"
@ -69,9 +69,9 @@ class MRubyContext;
} // namespace mruby
#endif // HAVE_MRUBY
namespace ssl {
namespace tls {
class CertLookupTree;
} // namespace ssl
} // namespace tls
struct DownstreamAddr {
Address addr;
@ -95,7 +95,7 @@ struct DownstreamAddr {
size_t fall;
size_t rise;
// Client side TLS session cache
ssl::TLSSessionCache tls_session_cache;
tls::TLSSessionCache tls_session_cache;
// Http2Session object created for this address. This list chains
// all Http2Session objects that is not in group scope
// http2_avail_freelist, and is not reached in maximum concurrency.
@ -220,7 +220,7 @@ class Worker {
public:
Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
ssl::CertLookupTree *cert_tree,
tls::CertLookupTree *cert_tree,
const std::shared_ptr<TicketKeys> &ticket_keys,
ConnectionHandler *conn_handler,
std::shared_ptr<DownstreamConfig> downstreamconf);
@ -230,7 +230,7 @@ public:
void process_events();
void send(const WorkerEvent &event);
ssl::CertLookupTree *get_cert_lookup_tree() const;
tls::CertLookupTree *get_cert_lookup_tree() const;
// These 2 functions make a lock m_ to get/set ticket keys
// atomically.
@ -297,7 +297,7 @@ private:
// get_config()->tls_ctx_per_worker == true.
SSL_CTX *sv_ssl_ctx_;
SSL_CTX *cl_ssl_ctx_;
ssl::CertLookupTree *cert_tree_;
tls::CertLookupTree *cert_tree_;
ConnectionHandler *conn_handler_;
#ifndef HAVE_ATOMIC_STD_SHARED_PTR


@ -51,7 +51,7 @@
#include "shrpx_memcached_dispatcher.h"
#include "shrpx_memcached_request.h"
#include "shrpx_process.h"
#include "shrpx_ssl.h"
#include "shrpx_tls.h"
#include "shrpx_log.h"
#include "util.h"
#include "app_helper.h"
@ -448,7 +448,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
MemchunkPool mcpool;
ev_timer renew_ticket_key_timer;
if (ssl::upstream_tls_enabled(config->conn)) {
if (tls::upstream_tls_enabled(config->conn)) {
auto &ticketconf = config->tls.ticket;
auto &memcachedconf = ticketconf.memcached;
@ -547,7 +547,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
ipcev.data = &conn_handler;
ev_io_start(loop, &ipcev);
if (ssl::upstream_tls_enabled(config->conn) && !config->tls.ocsp.disabled) {
if (tls::upstream_tls_enabled(config->conn) && !config->tls.ocsp.disabled) {
conn_handler.proceed_next_cert_ocsp();
}