Posted to commits@trafficserver.apache.org by jp...@apache.org on 2012/02/19 17:47:50 UTC
[3/5] git commit: TS-841: Sprinkle some const pixie dust on the SSL
classes
TS-841: Sprinkle some const pixie dust on the SSL classes
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/89e24d7c
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/89e24d7c
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/89e24d7c
Branch: refs/heads/master
Commit: 89e24d7ce521c0f43607f72a82319557ff2a35e7
Parents: 59bf86f
Author: James Peach <jp...@apache.org>
Authored: Wed Feb 8 21:29:11 2012 -0800
Committer: James Peach <jp...@apache.org>
Committed: Sun Feb 19 08:46:08 2012 -0800
----------------------------------------------------------------------
iocore/net/P_SSLCertLookup.h | 13 +++++++++----
iocore/net/P_SSLNetProcessor.h | 14 ++++++++------
iocore/net/SSLCertLookup.cc | 20 +++++++++-----------
iocore/net/SSLNetProcessor.cc | 23 ++++++++---------------
iocore/net/SSLNetVConnection.cc | 2 +-
5 files changed, 35 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/89e24d7c/iocore/net/P_SSLCertLookup.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLCertLookup.h b/iocore/net/P_SSLCertLookup.h
index f547d7b..c9ea033 100644
--- a/iocore/net/P_SSLCertLookup.h
+++ b/iocore/net/P_SSLCertLookup.h
@@ -29,17 +29,22 @@
class SSLCertLookup
{
bool buildTable();
- const char *extractIPAndCert(matcher_line * line_info, char **addr, char **cert, char **ca, char **priKey);
- int addInfoToHash(char *strAddr, char *cert, char *ca, char *serverPrivateKey);
+ const char *extractIPAndCert(
+ matcher_line * line_info, char **addr, char **cert, char **ca, char **priKey) const;
+ bool addInfoToHash(
+ const char *strAddr, const char *cert, const char *ca, const char *serverPrivateKey) const;
InkHashTable *SSLCertLookupHashTable;
char config_file_path[PATH_NAME_MAX];
SslConfigParams *param;
+ bool multipleCerts;
public:
- bool multipleCerts;
+ bool hasMultipleCerts() const { return multipleCerts; }
+
void init(SslConfigParams * param);
- SSL_CTX *findInfoInHash(char *strAddr);
+ SSL_CTX *findInfoInHash(char *strAddr) const;
+
SSLCertLookup();
~SSLCertLookup();
};
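Review bot: `addInfoToHash` is declared `const` on lines 39-40, yet its definition in the SSLCertLookup.cc hunk inserts into `SSLCertLookupHashTable` through the member pointer, so the method mutates the object's lookup table while advertising that it does not; `const` on a pointer member only freezes the pointer, not the table it points to. Either drop the qualifier, or document the intent with `// const: only the pointed-to hash table changes, never the SSLCertLookup members themselves` so nobody reads it as a thread-safety guarantee. `findInfoInHash` also keeps a `char *strAddr` parameter while its siblings moved to `const char *`; if the underlying hash lookup needs a mutable key, a one-line comment saying so would explain the inconsistency. The same points apply to the definitions in the SSLCertLookup.cc hunk.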
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/89e24d7c/iocore/net/P_SSLNetProcessor.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLNetProcessor.h b/iocore/net/P_SSLNetProcessor.h
index 4ac07b6..a3156a3 100644
--- a/iocore/net/P_SSLNetProcessor.h
+++ b/iocore/net/P_SSLNetProcessor.h
@@ -62,10 +62,13 @@ public:
void cleanup(void);
int reconfigure();
- int initSSL(SslConfigParams * param);
- int initSSLClient(SslConfigParams * param);
- int initSSLServerCTX(SslConfigParams * param,
- SSL_CTX * ctx, char *serverCertPtr, char *serverCaPtr, char *serverKeyPtr, bool defaultEnabled);
+ int initSSL(const SslConfigParams * param);
+ int initSSLClient(const SslConfigParams * param);
+
+ int initSSLServerCTX(SSL_CTX * ctx,
+ const SslConfigParams * param,
+ const char *serverCertPtr, const char *serverCaPtr,
+ const char *serverKeyPtr, bool defaultEnabled);
SSL_CTX *getSSL_CTX(void) const {return ctx; }
SSL_CTX *getClientSSL_CTX(void) const { return client_ctx; }
@@ -73,11 +76,10 @@ public:
static void logSSLError(const char *errStr = "", int critical = 1);
SSLNetProcessor()
- : verify_depth(0), ctx(NULL), client_ctx(NULL), sslMutexArray(NULL)
+ : ctx(NULL), client_ctx(NULL), sslMutexArray(NULL)
{ };
virtual ~SSLNetProcessor();
- int verify_depth;
SSL_CTX *ctx;
SSL_CTX *client_ctx;
ProxyMutex **sslMutexArray;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/89e24d7c/iocore/net/SSLCertLookup.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc
index 8d95cf1..6da48cc 100644
--- a/iocore/net/SSLCertLookup.cc
+++ b/iocore/net/SSLCertLookup.cc
@@ -147,7 +147,7 @@ SSLCertLookup::buildTable()
}
const char *
-SSLCertLookup::extractIPAndCert(matcher_line * line_info, char **addr, char **cert, char **ca, char **priKey)
+SSLCertLookup::extractIPAndCert(matcher_line * line_info, char **addr, char **cert, char **ca, char **priKey) const
{
// ip_addr_t testAddr;
char *label;
@@ -206,31 +206,29 @@ SSLCertLookup::extractIPAndCert(matcher_line * line_info, char **addr, char **ce
return NULL;
}
-int
-SSLCertLookup::addInfoToHash(char *strAddr, char *cert, char *caCert, char *serverPrivateKey)
+bool
+SSLCertLookup::addInfoToHash(
+ const char *strAddr, const char *cert,
+ const char *caCert, const char *serverPrivateKey) const
{
-
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) // openssl returns a const SSL_METHOD now
const SSL_METHOD *meth = NULL;
-#else
- SSL_METHOD *meth = NULL;
-#endif
+
meth = SSLv23_server_method();
SSL_CTX *ctx = SSL_CTX_new(meth);
if (!ctx) {
- ssl_NetProcessor.logSSLError("Cannot create new server contex.");
+ SSLNetProcessor::logSSLError("Cannot create new server contex.");
return (false);
}
// if (serverPrivateKey == NULL)
// serverPrivateKey = cert;
- ssl_NetProcessor.initSSLServerCTX(param, ctx, cert, caCert, serverPrivateKey, false);
+ ssl_NetProcessor.initSSLServerCTX(ctx, param, cert, caCert, serverPrivateKey, false);
ink_hash_table_insert(SSLCertLookupHashTable, strAddr, (void *) ctx);
return (true);
}
SSL_CTX *
-SSLCertLookup::findInfoInHash(char *strAddr)
+SSLCertLookup::findInfoInHash(char *strAddr) const
{
InkHashTableValue hash_value;
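Review bot: The return value of the reordered `ssl_NetProcessor.initSSLServerCTX(ctx, param, cert, caCert, serverPrivateKey, false)` call is still discarded, so a context whose certificate or key failed to load is inserted into the hash table anyway and `addInfoToHash` reports `true`; now that the function returns `bool`, the failure should be propagated: `if (ssl_NetProcessor.initSSLServerCTX(ctx, param, cert, caCert, serverPrivateKey, false) != 0) { SSL_CTX_free(ctx); return (false); }` (assuming a non-zero failure code, as `initSSL` and `initSSLClient` use in the SSLNetProcessor.cc hunks — confirm against the body of initSSLServerCTX). As a point of style, the two-step `meth = NULL; meth = SSLv23_server_method();` can become one initialization, `SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());`. The body of `findInfoInHash` continues outside the hunk.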
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/89e24d7c/iocore/net/SSLNetProcessor.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index c61cfc8..826cf25 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -242,13 +242,9 @@ SSLNetProcessor::logSSLError(const char *errStr, int critical)
}
int
-SSLNetProcessor::initSSL(SslConfigParams * param)
+SSLNetProcessor::initSSL(const SslConfigParams * param)
{
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) // openssl returns a const SSL_METHOD now
const SSL_METHOD *meth = NULL;
-#else
- SSL_METHOD *meth = NULL;
-#endif
// Note that we do not call RAND_seed() explicitly here, we depend on OpenSSL
// to do the seeding of the PRNG for us. This is the case for all platforms that
// has /dev/urandom for example.
@@ -260,12 +256,13 @@ SSLNetProcessor::initSSL(SslConfigParams * param)
return (-1);
}
- return (initSSLServerCTX(param, ctx, param->serverCertPath, param->serverCertChainPath, param->serverKeyPath, true));
+ return initSSLServerCTX(ctx, param, param->serverCertPath, param->serverCertChainPath, param->serverKeyPath, true);
}
int
-SSLNetProcessor::initSSLServerCTX(SslConfigParams * param, SSL_CTX * lCtx,
- char *serverCertPtr, char *serverCaCertPtr, char *serverKeyPtr, bool defaultEnabled)
+SSLNetProcessor::initSSLServerCTX(SSL_CTX * lCtx, const SslConfigParams * param,
+ const char *serverCertPtr, const char *serverCaCertPtr,
+ const char *serverKeyPtr, bool defaultEnabled)
{
int session_id_context;
int server_verify_client;
@@ -285,7 +282,7 @@ SSLNetProcessor::initSSLServerCTX(SslConfigParams * param, SSL_CTX * lCtx,
}
//might want to make configurable at some point.
- verify_depth = param->verify_depth;
+ int verify_depth = param->verify_depth;
SSL_CTX_set_quiet_shutdown(lCtx, 1);
if (defaultEnabled) {
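Review bot: `int verify_depth = param->verify_depth;` replaces the removed member with a local, but nothing in this hunk consumes it, and the same pattern appears as `int verify_depth = param->client_verify_depth;` in the initSSLClient hunk below. If the remainder of each function (outside the hunk) does not hand the value to `SSL_CTX_set_verify_depth`, the configured depth is silently never applied to the context and the compiler will flag an unused variable; either apply it, `SSL_CTX_set_verify_depth(lCtx, param->verify_depth);`, or drop the local. The preceding comment `//might want to make configurable at some point.` no longer matches a value that is read from configuration, so it should be updated or removed. `initSSLServerCTX` starts and ends outside this hunk.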
@@ -408,13 +405,9 @@ SSLNetProcessor::initSSLServerCTX(SslConfigParams * param, SSL_CTX * lCtx,
}
int
-SSLNetProcessor::initSSLClient(SslConfigParams * param)
+SSLNetProcessor::initSSLClient(const SslConfigParams * param)
{
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) // openssl returns a const SSL_METHOD now
const SSL_METHOD *meth = NULL;
-#else
- SSL_METHOD *meth = NULL;
-#endif
int client_verify_server;
char *clientKeyPtr = NULL;
@@ -428,7 +421,7 @@ SSLNetProcessor::initSSLClient(SslConfigParams * param)
// disable selected protocols
SSL_CTX_set_options(client_ctx, param->ssl_ctx_options);
- verify_depth = param->client_verify_depth;
+ int verify_depth = param->client_verify_depth;
if (!client_ctx) {
logSSLError("Cannot create new client contex.");
return (-1);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/89e24d7c/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 60a67cd..2955733 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -474,7 +474,7 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
if (event == SSL_EVENT_SERVER) {
if (ssl == NULL) {
- if (sslCertLookup.multipleCerts) {
+ if (sslCertLookup.hasMultipleCerts()) {
char buff[INET6_ADDRSTRLEN];
safe_getsockname(get_socket(), &ip.sa, &namelen);
ink_inet_ntop(&ip.sa, buff, sizeof(buff));