walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

shrxp_ssl.cc: Code cleanup

This commit is contained in:
Tatsuhiro Tsujikawa 2013-09-23 18:40:17 +09:00
parent 665e2a0744
commit bd55f9cf2a
1 changed files with 48 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
src/shrpx_ssl.cc
View File

@ -62,8 +62,8 @@ namespace {
int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
void *arg) void *arg)
{ {
std::pair<unsigned char*, size_t> *next_proto = auto next_proto =
reinterpret_cast<std::pair<unsigned char*, size_t>* >(arg); reinterpret_cast<std::pair<unsigned char*, size_t>*>(arg);
*data = next_proto->first; *data = next_proto->first;
*len = next_proto->second; *len = next_proto->second;
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
@ -98,7 +98,7 @@ size_t set_npn_prefs(unsigned char *out, const char **protos, size_t len)
namespace { namespace {
int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data) int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data)
{ {
Config *config = (Config *)user_data; auto config = reinterpret_cast<Config*>(user_data);
int len = (int)strlen(config->private_key_passwd); int len = (int)strlen(config->private_key_passwd);
if (size < len + 1) { if (size < len + 1) {
LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size; LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size;
@ -116,8 +116,8 @@ int servername_callback(SSL *ssl, int *al, void *arg)
if(get_config()->cert_tree) { if(get_config()->cert_tree) {
const char *hostname = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); const char *hostname = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if(hostname) { if(hostname) {
SSL_CTX *ssl_ctx = cert_lookup_tree_lookup(get_config()->cert_tree, auto ssl_ctx = cert_lookup_tree_lookup(get_config()->cert_tree,
hostname, strlen(hostname)); hostname, strlen(hostname));
if(ssl_ctx) { if(ssl_ctx) {
SSL_set_SSL_CTX(ssl, ssl_ctx); SSL_set_SSL_CTX(ssl, ssl_ctx);
} }
@ -309,7 +309,7 @@ ClientHandler* accept_connection(event_base *evbase, SSL_CTX *ssl_ctx,
LOG(WARNING) << "Setting option TCP_NODELAY failed: errno=" LOG(WARNING) << "Setting option TCP_NODELAY failed: errno="
<< errno; << errno;
} }
SSL *ssl = 0; SSL *ssl = nullptr;
bufferevent *bev; bufferevent *bev;
if(ssl_ctx) { if(ssl_ctx) {
ssl = SSL_new(ssl_ctx); ssl = SSL_new(ssl_ctx);
@ -324,8 +324,7 @@ ClientHandler* accept_connection(event_base *evbase, SSL_CTX *ssl_ctx,
} else { } else {
bev = bufferevent_socket_new(evbase, fd, BEV_OPT_DEFER_CALLBACKS); bev = bufferevent_socket_new(evbase, fd, BEV_OPT_DEFER_CALLBACKS);
} }
ClientHandler *client_handler = new ClientHandler(bev, fd, ssl, host); return new ClientHandler(bev, fd, ssl, host);
return client_handler;
} else { } else {
LOG(ERROR) << "getnameinfo() failed: " << gai_strerror(rv); LOG(ERROR) << "getnameinfo() failed: " << gai_strerror(rv);
return 0; return 0;
@ -350,7 +349,7 @@ namespace {
bool tls_hostname_match(const char *pattern, const char *hostname) bool tls_hostname_match(const char *pattern, const char *hostname)
{ {
const char *ptWildcard = strchr(pattern, '*'); const char *ptWildcard = strchr(pattern, '*');
if(ptWildcard == 0) { if(ptWildcard == nullptr) {
return util::strieq(pattern, hostname); return util::strieq(pattern, hostname);
} }
const char *ptLeftLabelEnd = strchr(pattern, '.'); const char *ptLeftLabelEnd = strchr(pattern, '.');
@ -490,7 +489,7 @@ void get_altnames(X509 *cert,
int check_cert(SSL *ssl) int check_cert(SSL *ssl)
{ {
X509 *cert = SSL_get_peer_certificate(ssl); auto cert = SSL_get_peer_certificate(ssl);
if(!cert) { if(!cert) {
LOG(ERROR) << "No certificate found"; LOG(ERROR) << "No certificate found";
return -1; return -1;
@ -555,8 +554,8 @@ void teardown_ssl_lock()
CertLookupTree* cert_lookup_tree_new() CertLookupTree* cert_lookup_tree_new()
{ {
CertLookupTree *tree = new CertLookupTree(); auto tree = new CertLookupTree();
CertNode *root = new CertNode(); auto root = new CertNode();
root->ssl_ctx = 0; root->ssl_ctx = 0;
root->str = 0; root->str = 0;
root->first = root->last = 0; root->first = root->last = 0;
@ -567,9 +566,8 @@ CertLookupTree* cert_lookup_tree_new()
namespace { namespace {
void cert_node_del(CertNode *node) void cert_node_del(CertNode *node)
{ {
for(std::vector<CertNode*>::iterator i = node->next.begin(), for(auto& a : node->next) {
eoi = node->next.end(); i != eoi; ++i) { cert_node_del(a);
cert_node_del(*i);
} }
delete node; delete node;
} }
@ -578,9 +576,8 @@ void cert_node_del(CertNode *node)
void cert_lookup_tree_del(CertLookupTree *lt) void cert_lookup_tree_del(CertLookupTree *lt)
{ {
cert_node_del(lt->root); cert_node_del(lt->root);
for(std::vector<char*>::iterator i = lt->hosts.begin(), for(auto& s : lt->hosts) {
eoi = lt->hosts.end(); i != eoi; ++i) { delete [] s;
delete [] *i;
} }
delete lt; delete lt;
} }
@ -594,7 +591,7 @@ void cert_lookup_tree_add_cert(CertLookupTree *lt, CertNode *node,
{ {
int i, next_len = node->next.size(); int i, next_len = node->next.size();
char c = hostname[offset]; char c = hostname[offset];
CertNode *cn = 0; CertNode *cn = nullptr;
for(i = 0; i < next_len; ++i) { for(i = 0; i < next_len; ++i) {
cn = node->next[i]; cn = node->next[i];
if(cn->str[cn->first] == c) { if(cn->str[cn->first] == c) {
@ -611,7 +608,7 @@ void cert_lookup_tree_add_cert(CertLookupTree *lt, CertNode *node,
node->wildcard_certs.push_back(std::make_pair(hostname, ssl_ctx)); node->wildcard_certs.push_back(std::make_pair(hostname, ssl_ctx));
} else { } else {
int j; int j;
CertNode *new_node = new CertNode(); auto new_node = new CertNode();
new_node->str = hostname; new_node->str = hostname;
new_node->first = offset; new_node->first = offset;
// If wildcard is found, set the region before it because we // If wildcard is found, set the region before it because we
@ -621,7 +618,7 @@ void cert_lookup_tree_add_cert(CertLookupTree *lt, CertNode *node,
if(j == -1) { if(j == -1) {
new_node->ssl_ctx = ssl_ctx; new_node->ssl_ctx = ssl_ctx;
} else { } else {
new_node->ssl_ctx = 0; new_node->ssl_ctx = nullptr;
new_node->wildcard_certs.push_back(std::make_pair(hostname, ssl_ctx)); new_node->wildcard_certs.push_back(std::make_pair(hostname, ssl_ctx));
} }
node->next.push_back(new_node); node->next.push_back(new_node);
@ -643,7 +640,7 @@ void cert_lookup_tree_add_cert(CertLookupTree *lt, CertNode *node,
cert_lookup_tree_add_cert(lt, cn, ssl_ctx, hostname, len, j); cert_lookup_tree_add_cert(lt, cn, ssl_ctx, hostname, len, j);
} }
} else { } else {
CertNode *new_node = new CertNode(); auto new_node = new CertNode();
new_node->ssl_ctx = cn->ssl_ctx; new_node->ssl_ctx = cn->ssl_ctx;
new_node->str = cn->str; new_node->str = cn->str;
new_node->first = i; new_node->first = i;
@ -659,7 +656,7 @@ void cert_lookup_tree_add_cert(CertLookupTree *lt, CertNode *node,
cn->ssl_ctx = ssl_ctx; cn->ssl_ctx = ssl_ctx;
} else { } else {
// This hostname and existing one share suffix. // This hostname and existing one share suffix.
cn->ssl_ctx = 0; cn->ssl_ctx = nullptr;
cert_lookup_tree_add_cert(lt, cn, ssl_ctx, hostname, len, j); cert_lookup_tree_add_cert(lt, cn, ssl_ctx, hostname, len, j);
} }
} }
@ -690,36 +687,31 @@ SSL_CTX* cert_lookup_tree_lookup(CertLookupTree *lt, CertNode *node,
int i, j; int i, j;
for(i = node->first, j = offset; i > node->last && j >= 0 && for(i = node->first, j = offset; i > node->last && j >= 0 &&
node->str[i] == util::lowcase(hostname[j]); --i, --j); node->str[i] == util::lowcase(hostname[j]); --i, --j);
if(i == node->last) { if(i != node->last) {
if(j == -1) { return nullptr;
if(node->ssl_ctx) {
// exact match
return node->ssl_ctx;
} else {
// Do not perform wildcard-match because '*' must match at least
// one character.
return 0;
}
} else {
for(std::vector<std::pair<char*, SSL_CTX*> >::iterator i =
node->wildcard_certs.begin(), eoi = node->wildcard_certs.end();
i != eoi; ++i) {
if(tls_hostname_match((*i).first, hostname)) {
return (*i).second;
}
}
char c = util::lowcase(hostname[j]);
for(std::vector<CertNode*>::iterator i = node->next.begin(),
eoi = node->next.end(); i != eoi; ++i) {
if((*i)->str[(*i)->first] == c) {
return cert_lookup_tree_lookup(lt, *i, hostname, len, j);
}
}
return 0;
}
} else {
return 0;
} }
if(j == -1) {
if(node->ssl_ctx) {
// exact match
return node->ssl_ctx;
} else {
// Do not perform wildcard-match because '*' must match at least
// one character.
return nullptr;
}
}
for(auto& wildcert : node->wildcard_certs) {
if(tls_hostname_match(wildcert.first, hostname)) {
return wildcert.second;
}
}
char c = util::lowcase(hostname[j]);
for(auto& next_node : node->next) {
if(next_node->str[next_node->first] == c) {
return cert_lookup_tree_lookup(lt, next_node, hostname, len, j);
}
}
return nullptr;
} }
} // namespace } // namespace
@ -733,7 +725,7 @@ SSL_CTX* cert_lookup_tree_lookup(CertLookupTree *lt,
int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx, int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
const char *certfile) const char *certfile)
{ {
BIO *bio = BIO_new(BIO_s_file()); auto bio = BIO_new(BIO_s_file());
if(!bio) { if(!bio) {
LOG(ERROR) << "BIO_new failed"; LOG(ERROR) << "BIO_new failed";
return -1; return -1;
@ -743,7 +735,7 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
LOG(ERROR) << "Could not read certificate file '" << certfile << "'"; LOG(ERROR) << "Could not read certificate file '" << certfile << "'";
return -1; return -1;
} }
X509 *cert = PEM_read_bio_X509(bio, 0, 0, 0); auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
if(!cert) { if(!cert) {
LOG(ERROR) << "Could not read X509 structure from file '" LOG(ERROR) << "Could not read X509 structure from file '"
<< certfile << "'"; << certfile << "'";
@ -754,9 +746,8 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
std::vector<std::string> dns_names; std::vector<std::string> dns_names;
std::vector<std::string> ip_addrs; std::vector<std::string> ip_addrs;
get_altnames(cert, dns_names, ip_addrs, common_name); get_altnames(cert, dns_names, ip_addrs, common_name);
for(std::vector<std::string>::iterator i = dns_names.begin(), for(auto& dns_name : dns_names) {
eoi = dns_names.end(); i != eoi; ++i) { cert_lookup_tree_add_cert(lt, ssl_ctx, dns_name.c_str(), dns_name.size());
cert_lookup_tree_add_cert(lt, ssl_ctx, (*i).c_str(), (*i).size());
} }
cert_lookup_tree_add_cert(lt, ssl_ctx, common_name.c_str(), cert_lookup_tree_add_cert(lt, ssl_ctx, common_name.c_str(),
common_name.size()); common_name.size());