nghttpx: Use std::vector for tls_proto_list and npn_list

Now SSL/TLS option mask to disable particular SSL/TLS protocol versions are pre-calculated and stored in Config.
2014-06-08 22:52:27 +09:00 · 2014-06-08 22:52:27 +09:00 · 0fd5b2aa32
parent 1f58be423d
commit 0fd5b2aa32
7 changed files with 102 additions and 86 deletions
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -435,7 +435,6 @@ void fill_default_config()
  mod_config()->worker_read_burst = 0;
  mod_config()->worker_write_rate = 0;
  mod_config()->worker_write_burst = 0;
  mod_config()->npn_list = nullptr;
  mod_config()->verify_client = false;
  mod_config()->verify_client_cacert = nullptr;
  mod_config()->client_private_key_file = nullptr;
@ -452,6 +451,8 @@ void fill_default_config()
    (mod_config()->http2_option, 1);
  nghttp2_option_set_no_auto_connection_window_update
    (mod_config()->http2_option, 1);
  mod_config()->tls_proto_mask = 0;
 }
 } // namespace
@ -1188,15 +1189,17 @@ int main(int argc, char **argv)
    }
  }
-  if(!get_config()->npn_list) {
+  if(get_config()->npn_list.empty()) {
-    mod_config()->npn_list = parse_config_str_list(&mod_config()->npn_list_len,
+    mod_config()->npn_list = parse_config_str_list(DEFAULT_NPN_LIST);
                                                   DEFAULT_NPN_LIST).release();
  }
-  if(!get_config()->tls_proto_list) {
+  if(get_config()->tls_proto_list.empty()) {
    mod_config()->tls_proto_list = parse_config_str_list
-      (&mod_config()->tls_proto_list_len, DEFAULT_TLS_PROTO_LIST).release();
+      (DEFAULT_TLS_PROTO_LIST);
  }
  mod_config()->tls_proto_mask =
    ssl::create_tls_proto_mask(get_config()->tls_proto_list);
  if(!get_config()->subcerts.empty()) {
    mod_config()->cert_tree = ssl::cert_lookup_tree_new();
  }
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@ -384,7 +384,6 @@ int ClientHandler::validate_next_proto()
        CLOG(INFO, this) << "The negotiated next protocol: " << proto;
      }
      if(!ssl::in_proto_list(get_config()->npn_list,
                             get_config()->npn_list_len,
                             next_proto, next_proto_len)) {
        break;
      }
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@ -238,12 +238,12 @@ std::unique_ptr<char[]> strcopy(const std::string& val)
  return res;
 }
-std::unique_ptr<char*[]> parse_config_str_list(size_t *outlen, const char *s)
+std::vector<char*> parse_config_str_list(const char *s)
 {
  size_t len = 1;
  for(const char *first = s, *p = nullptr; (p = strchr(first, ','));
      ++len, first = p + 1);
-  auto list = util::make_unique<char*[]>(len);
+  auto list = std::vector<char*>(len);
  auto first = strdup(s);
  len = 0;
  for(;;) {
@ -256,10 +256,20 @@ std::unique_ptr<char*[]> parse_config_str_list(size_t *outlen, const char *s)
    first = p + 1;
  }
  list[len++] = first;
-  *outlen = len;
+
  return list;
 }
 void clear_config_str_list(std::vector<char*>& list)
 {
  if(list.empty()) {
    return;
  }
  free(list[0]);
  list.clear();
 }
 std::pair<std::string, std::string> parse_header(const char *optarg)
 {
  // We skip possible ":" at the start of optarg.
@ -490,13 +500,13 @@ int parse_config(const char *opt, const char *optarg)
  } else if(util::strieq(opt, SHRPX_OPT_WORKER_WRITE_BURST)) {
    mod_config()->worker_write_burst = strtoul(optarg, nullptr, 10);
  } else if(util::strieq(opt, SHRPX_OPT_NPN_LIST)) {
-    delete [] mod_config()->npn_list;
+    clear_config_str_list(mod_config()->npn_list);
-    mod_config()->npn_list = parse_config_str_list(&mod_config()->npn_list_len,
+
-                                                   optarg).release();
+    mod_config()->npn_list = parse_config_str_list(optarg);
  } else if(util::strieq(opt, SHRPX_OPT_TLS_PROTO_LIST)) {
-    delete [] mod_config()->tls_proto_list;
+    clear_config_str_list(mod_config()->tls_proto_list);
-    mod_config()->tls_proto_list = parse_config_str_list
+
-      (&mod_config()->tls_proto_list_len, optarg).release();
+    mod_config()->tls_proto_list = parse_config_str_list(optarg);
  } else if(util::strieq(opt, SHRPX_OPT_VERIFY_CLIENT)) {
    mod_config()->verify_client = util::strieq(optarg, "yes");
  } else if(util::strieq(opt, SHRPX_OPT_VERIFY_CLIENT_CACERT)) {
@ -524,17 +534,15 @@ int parse_config(const char *opt, const char *optarg)
  } else if(util::strieq(opt, SHRPX_OPT_PADDING)) {
    mod_config()->padding = strtoul(optarg, nullptr, 10);
  } else if(util::strieq(opt, SHRPX_OPT_ALTSVC)) {
-    size_t len;
+    auto tokens = parse_config_str_list(optarg);
-    auto tokens = parse_config_str_list(&len, optarg);
+    if(tokens.size() < 2) {
    if(len < 2) {
      // Requires at least protocol_id and port
      LOG(ERROR) << "altsvc: too few parameters: " << optarg;
      return -1;
    }
-    if(len > 4) {
+    if(tokens.size() > 4) {
      // We only need protocol_id, port, host and origin
      LOG(ERROR) << "altsvc: too many parameters: " << optarg;
      return -1;
@ -555,11 +563,11 @@ int parse_config(const char *opt, const char *optarg)
    altsvc.protocol_id = tokens[0];
    altsvc.protocol_id_len = strlen(altsvc.protocol_id);
-    if(len > 2) {
+    if(tokens.size() > 2) {
      altsvc.host = tokens[2];
      altsvc.host_len = strlen(altsvc.host);
-      if(len > 3) {
+      if(tokens.size() > 3) {
        altsvc.origin = tokens[3];
        altsvc.origin_len = strlen(altsvc.origin);
      }
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@ -188,10 +188,10 @@ struct Config {
  // list of supported NPN/ALPN protocol strings in the order of
  // preference. The each element of this list is a NULL-terminated
  // string.
-  char **npn_list;
+  std::vector<char*> npn_list;
  // list of supported SSL/TLS protocol strings. The each element of
  // this list is a NULL-terminated string.
-  char **tls_proto_list;
+  std::vector<char*> tls_proto_list;
  // Path to file containing CA certificate solely used for client
  // certificate validation
  std::unique_ptr<char[]> verify_client_cacert;
@ -217,11 +217,10 @@ struct Config {
  size_t worker_read_burst;
  size_t worker_write_rate;
  size_t worker_write_burst;
  // The number of elements in npn_list
  size_t npn_list_len;
  // The number of elements in tls_proto_list
  size_t tls_proto_list_len;
  size_t padding;
  // Bit mask to disable SSL/TLS protocol versions.  This will be
  // passed to SSL_CTX_set_options().
  long int tls_proto_mask;
  // downstream protocol; this will be determined by given options.
  shrpx_proto downstream_proto;
  int syslog_facility;
@ -278,14 +277,18 @@ std::string read_passwd_from_file(const char *filename);
 // Parses comma delimited strings in |s| and returns the array of
 // pointers, each element points to the each substring in |s|.  The
-// number of elements are stored in |*outlen|.  The |s| must be comma
+// |s| must be comma delimited list of strings.  The strings must be
-// delimited list of strings.  The strings must be delimited by a
+// delimited by a single comma and any white spaces around it are
-// single comma and any white spaces around it are treated as a part
+// treated as a part of protocol strings.  This function may modify
-// of protocol strings.  This function may modify |s| and the caller
+// |s| and the caller must leave it as is after this call.  This
-// must leave it as is after this call.  This function copies |s| and
+// function copies |s| and first element in the return value points to
-// first element in the return value points to it.  It is caller's
+// it.  It is caller's responsibility to deallocate its memory.
-// responsibility to deallocate its memory.
+std::vector<char*> parse_config_str_list(const char *s);
-std::unique_ptr<char*[]> parse_config_str_list(size_t *outlen, const char *s);
+
 // Clears all elements of |list|, which is returned by
 // parse_config_str_list().  If list is not empty, list[0] is freed by
 // free(2).  After this call, list.empty() must be true.
 void clear_config_str_list(std::vector<char*>& list);
 // Parses header field in |optarg|.  We expect header field is formed
 // like "NAME: VALUE".  We require that NAME is non empty string.  ":"
--- a/src/shrpx_config_test.cc
+++ b/src/shrpx_config_test.cc
@ -32,32 +32,36 @@ namespace shrpx {
 void test_shrpx_config_parse_config_str_list(void)
 {
-  size_t outlen;
+  auto res = parse_config_str_list("a");
-  auto res = parse_config_str_list(&outlen, "a");
+  CU_ASSERT(1 == res.size());
  CU_ASSERT(1 == outlen);
  CU_ASSERT(0 == strcmp("a", res[0]));
  clear_config_str_list(res);
-  res = parse_config_str_list(&outlen, "a,");
+  res = parse_config_str_list("a,");
-  CU_ASSERT(2 == outlen);
+  CU_ASSERT(2 == res.size());
  CU_ASSERT(0 == strcmp("a", res[0]));
  CU_ASSERT(0 == strcmp("", res[1]));
  clear_config_str_list(res);
-  res = parse_config_str_list(&outlen, ",a,,");
+  res = parse_config_str_list(",a,,");
-  CU_ASSERT(4 == outlen);
+  CU_ASSERT(4 == res.size());
  CU_ASSERT(0 == strcmp("", res[0]));
  CU_ASSERT(0 == strcmp("a", res[1]));
  CU_ASSERT(0 == strcmp("", res[2]));
  CU_ASSERT(0 == strcmp("", res[3]));
  clear_config_str_list(res);
-  res = parse_config_str_list(&outlen, "");
+  res = parse_config_str_list("");
-  CU_ASSERT(1 == outlen);
+  CU_ASSERT(1 == res.size());
  CU_ASSERT(0 == strcmp("", res[0]));
  clear_config_str_list(res);
-  res = parse_config_str_list(&outlen, "alpha,bravo,charlie");
+  res = parse_config_str_list("alpha,bravo,charlie");
-  CU_ASSERT(3 == outlen);
+  CU_ASSERT(3 == res.size());
  CU_ASSERT(0 == strcmp("alpha", res[0]));
  CU_ASSERT(0 == strcmp("bravo", res[1]));
  CU_ASSERT(0 == strcmp("charlie", res[2]));
  clear_config_str_list(res);
 }
 void test_shrpx_config_parse_header(void)
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@ -88,14 +88,14 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 } // namespace
 namespace {
-size_t set_npn_prefs(unsigned char *out, char **protos, size_t len)
+size_t set_npn_prefs(unsigned char *out, const std::vector<char*>& protos)
 {
  unsigned char *ptr = out;
  size_t listlen = 0;
-  for(size_t i = 0; i < len; ++i) {
+  for(auto proto : protos) {
-    size_t plen = strlen(protos[i]);
+    auto plen = strlen(proto);
    *ptr = plen;
-    memcpy(ptr+1, protos[i], *ptr);
+    memcpy(ptr+1, proto, *ptr);
    ptr += *ptr+1;
    listlen += 1 + plen;
  }
@ -166,11 +166,7 @@ int alpn_select_proto_cb(SSL* ssl,
  // We assume that get_config()->npn_list contains ALPN protocol
  // identifier sorted by preference order.  So we just break when we
  // found the first overlap.
-  for(auto needle_ptr = get_config()->npn_list,
+  for(auto target_proto_id : get_config()->npn_list) {
        end_needle_ptr = needle_ptr + get_config()->npn_list_len;
      needle_ptr < end_needle_ptr; ++needle_ptr) {
    auto target_proto_id = *needle_ptr;
    auto target_proto_len =
      strlen(reinterpret_cast<const char*>(target_proto_id));
@ -206,27 +202,29 @@ int alpn_select_proto_cb(SSL* ssl,
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 namespace {
-const char *names[] = { "TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3" };
+const char *tls_names[] = { "TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3" };
-const size_t namelen = sizeof(names)/sizeof(names[0]);
+const size_t tls_namelen = sizeof(tls_names)/sizeof(tls_names[0]);
-const long int masks[] = { SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_1,
+const long int tls_masks[] = { SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_1,
                               SSL_OP_NO_TLSv1, SSL_OP_NO_SSLv3 };
-long int create_tls_proto_mask(char **tls_proto_list, size_t len)
+} // namespace
 long int create_tls_proto_mask(const std::vector<char*>& tls_proto_list)
 {
  long int res = 0;
-  for(size_t i = 0; i < namelen; ++i) {
+
  for(size_t i = 0; i < tls_namelen; ++i) {
    size_t j;
-    for(j = 0; j < len; ++j) {
+    for(j = 0; j < tls_proto_list.size(); ++j) {
-      if(strcasecmp(names[i], tls_proto_list[j]) == 0) {
+      if(util::strieq(tls_names[i], tls_proto_list[j])) {
        break;
      }
    }
-    if(j == len) {
+    if(j == tls_proto_list.size()) {
-      res |= masks[i];
+      res |= tls_masks[i];
    }
  }
  return res;
 }
 } // namespace
 SSL_CTX* create_ssl_context(const char *private_key_file,
                            const char *cert_file)
@ -243,8 +241,7 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
                      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
                      SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
                      SSL_OP_NO_TICKET |
-                      create_tls_proto_mask(get_config()->tls_proto_list,
+                      get_config()->tls_proto_mask);
                                            get_config()->tls_proto_list_len));
  const unsigned char sid_ctx[] = "shrpx";
  SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1);
@ -364,8 +361,8 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
  SSL_CTX_set_info_callback(ssl_ctx, info_callback);
  // NPN advertisement
-  auto proto_list_len = set_npn_prefs(proto_list, get_config()->npn_list,
+  auto proto_list_len = set_npn_prefs(proto_list, get_config()->npn_list);
-                                      get_config()->npn_list_len);
+
  next_proto.first = proto_list;
  next_proto.second = proto_list_len;
  SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, &next_proto);
@ -401,8 +398,7 @@ SSL_CTX* create_ssl_client_context()
  SSL_CTX_set_options(ssl_ctx,
                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION |
                      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
-                      create_tls_proto_mask(get_config()->tls_proto_list,
+                      get_config()->tls_proto_mask);
                                            get_config()->tls_proto_list_len));
  const char *ciphers;
  if(get_config()->ciphers) {
@ -461,8 +457,8 @@ SSL_CTX* create_ssl_client_context()
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
  // ALPN advertisement
-  auto proto_list_len = set_npn_prefs(proto_list, get_config()->npn_list,
+  auto proto_list_len = set_npn_prefs(proto_list, get_config()->npn_list);
-                                      get_config()->npn_list_len);
+
  next_proto.first = proto_list;
  next_proto.second = proto_list_len;
  SSL_CTX_set_alpn_protos(ssl_ctx, proto_list, proto_list[0] + 1);
@ -900,12 +896,11 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
  return 0;
 }
-bool in_proto_list(char **protos, size_t len,
+bool in_proto_list(const std::vector<char*>& protos,
-                   const unsigned char *proto, size_t protolen)
+                   const unsigned char *needle, size_t len)
 {
-  for(size_t i = 0; i < len; ++i) {
+  for(auto proto : protos) {
-    if(strlen(protos[i]) == protolen &&
+    if(strlen(proto) == len && memcmp(proto, needle, len) == 0) {
       memcmp(protos[i], proto, protolen) == 0) {
      return true;
    }
  }
--- a/src/shrpx_ssl.h
+++ b/src/shrpx_ssl.h
@ -123,15 +123,19 @@ SSL_CTX* cert_lookup_tree_lookup(CertLookupTree *lt, const char *hostname,
 int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
                                        const char *certfile);
-// Returns true if |proto| which has |protolen| bytes is included in
+// Returns true if |needle| which has |len| bytes is included in the
-// the protocol list |protos|, which has |len| elements. The format of
+// protocol list |protos|.
-// the |protos| is the one used in Config::npn_list.
+bool in_proto_list(const std::vector<char*>& protos,
-bool in_proto_list(char **protos, size_t len,
+                   const unsigned char *needle, size_t len);
                   const unsigned char *proto, size_t protolen);
 // Returns true if security requirement for HTTP/2 is fulfilled.
 bool check_http2_requirement(SSL *ssl);
 // Returns SSL/TLS option mask to disable SSL/TLS protocol version not
 // included in |tls_proto_list|.  The returned mask can be directly
 // passed to SSL_CTX_set_options().
 long int create_tls_proto_mask(const std::vector<char*>& tls_proto_list);
 } // namespace ssl
 } // namespace shrpx