You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by ma...@apache.org on 2020/06/25 00:40:38 UTC

[trafficserver] branch master updated: Remove dup code in QUICMultiCertConfigLoader (#6942)

This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new dc662cb  Remove dup code in QUICMultiCertConfigLoader (#6942)
dc662cb is described below

commit dc662cb15d838f65b959746a597fffcaad2b0e59
Author: Masakazu Kitajo <ma...@apache.org>
AuthorDate: Thu Jun 25 09:40:30 2020 +0900

    Remove dup code in QUICMultiCertConfigLoader (#6942)
    
    The only difference between SSLMultiCertConfigLoader::_store_ssl_ctx and
    QUICMultiCertConfigLoader::_store_ssl_ctx was whether it says "QUIC" on log
    outputs.
    
    This commit removes the long dup code and introduces _debug_tag() so that
    derived classes can override the debug tag.
---
 iocore/net/P_SSLUtils.h                 |  3 +-
 iocore/net/QUICMultiCertConfigLoader.cc | 63 ++++-----------------------------
 iocore/net/QUICMultiCertConfigLoader.h  |  2 +-
 iocore/net/SSLUtils.cc                  | 10 ++++--
 4 files changed, 17 insertions(+), 61 deletions(-)

diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index ac43cf2..5f0e402 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -89,7 +89,8 @@ protected:
                              std::set<std::string> &names);
 
 private:
-  virtual bool _store_ssl_ctx(SSLCertLookup *lookup, shared_SSLMultiCertConfigParams ssl_multi_cert_params);
+  virtual const char *_debug_tag() const;
+  bool _store_ssl_ctx(SSLCertLookup *lookup, shared_SSLMultiCertConfigParams ssl_multi_cert_params);
   virtual void _set_handshake_callbacks(SSL_CTX *ctx);
 };
 
diff --git a/iocore/net/QUICMultiCertConfigLoader.cc b/iocore/net/QUICMultiCertConfigLoader.cc
index cf9c74f..e2285f2 100644
--- a/iocore/net/QUICMultiCertConfigLoader.cc
+++ b/iocore/net/QUICMultiCertConfigLoader.cc
@@ -164,63 +164,6 @@ fail:
   return nullptr;
 }
 
-bool
-QUICMultiCertConfigLoader::_store_ssl_ctx(SSLCertLookup *lookup, const shared_SSLMultiCertConfigParams multi_cert_params)
-{
-  bool retval = true;
-  std::vector<X509 *> cert_list;
-  SSLMultiCertConfigLoader::CertLoadData data;
-  std::set<std::string> common_names;
-  std::unordered_map<int, std::set<std::string>> unique_names;
-  const SSLConfigParams *params = this->_params;
-  this->load_certs_and_cross_reference_names(cert_list, data, params, multi_cert_params.get(), common_names, unique_names);
-
-  for (size_t i = 0; i < cert_list.size(); i++) {
-    const char *current_cert_name = data.cert_names_list[i].c_str();
-    if (0 > SSLMultiCertConfigLoader::check_server_cert_now(cert_list[i], current_cert_name)) {
-      /* At this point, we know cert is bad, and we've already printed a
-         descriptive reason as to why cert is bad to the log file */
-      QUICConfDebug("Marking certificate as NOT VALID: %s", current_cert_name);
-      lookup->is_valid = false;
-    }
-  }
-
-  shared_SSL_CTX ctx(this->init_server_ssl_ctx(data, multi_cert_params.get(), common_names), SSL_CTX_free);
-
-  shared_ssl_ticket_key_block keyblock = nullptr;
-
-  if (!ctx || !multi_cert_params || !this->_store_single_ssl_ctx(lookup, multi_cert_params, ctx, common_names)) {
-    retval = false;
-    std::string names;
-    for (auto name : data.cert_names_list) {
-      names.append(name);
-      names.append(" ");
-    }
-    Warning("QUIC: Failed to insert SSL_CTX for certificate %s entries for names already made", names.c_str());
-  }
-
-  for (auto iter = unique_names.begin(); retval && iter != unique_names.end(); ++iter) {
-    size_t i = iter->first;
-
-    SSLMultiCertConfigLoader::CertLoadData single_data;
-    single_data.cert_names_list.push_back(data.cert_names_list[i]);
-    single_data.key_list.push_back(i < data.key_list.size() ? data.key_list[i] : "");
-    single_data.ca_list.push_back(i < data.ca_list.size() ? data.ca_list[i] : "");
-    single_data.ocsp_list.push_back(i < data.ocsp_list.size() ? data.ocsp_list[i] : "");
-
-    shared_SSL_CTX unique_ctx(this->init_server_ssl_ctx(single_data, multi_cert_params.get(), iter->second), SSL_CTX_free);
-    if (!unique_ctx || !this->_store_single_ssl_ctx(lookup, multi_cert_params, unique_ctx, iter->second)) {
-      retval = false;
-    }
-  }
-
-  for (auto &i : cert_list) {
-    X509_free(i);
-  }
-
-  return retval;
-}
-
 void
 QUICMultiCertConfigLoader::_set_handshake_callbacks(SSL_CTX *ssl_ctx)
 {
@@ -303,3 +246,9 @@ QUICMultiCertConfigLoader::ssl_cert_cb(SSL *ssl, void * /*arg*/)
 
   return 1;
 }
+
+const char *
+QUICMultiCertConfigLoader::_debug_tag() const
+{
+  return "quic";
+}
diff --git a/iocore/net/QUICMultiCertConfigLoader.h b/iocore/net/QUICMultiCertConfigLoader.h
index 796c083..01f8e0b 100644
--- a/iocore/net/QUICMultiCertConfigLoader.h
+++ b/iocore/net/QUICMultiCertConfigLoader.h
@@ -51,7 +51,7 @@ public:
                                const SSLMultiCertConfigParams *sslMultCertSettings, std::set<std::string> &names) override;
 
 private:
-  bool _store_ssl_ctx(SSLCertLookup *lookup, shared_SSLMultiCertConfigParams ssl_multi_cert_params) override;
+  const char *_debug_tag() const override;
   virtual void _set_handshake_callbacks(SSL_CTX *ssl_ctx) override;
   static int ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in,
                                       unsigned inlen, void *);
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 16cc6c5..db0fea4 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1406,7 +1406,7 @@ SSLMultiCertConfigLoader::_store_ssl_ctx(SSLCertLookup *lookup, const shared_SSL
     if (0 > SSLMultiCertConfigLoader::check_server_cert_now(cert, current_cert_name)) {
       /* At this point, we know cert is bad, and we've already printed a
          descriptive reason as to why cert is bad to the log file */
-      Debug("ssl", "Marking certificate as NOT VALID: %s", current_cert_name);
+      Debug(this->_debug_tag(), "Marking certificate as NOT VALID: %s", current_cert_name);
       lookup->is_valid = false;
     }
     i++;
@@ -1421,7 +1421,7 @@ SSLMultiCertConfigLoader::_store_ssl_ctx(SSLCertLookup *lookup, const shared_SSL
       names.append(name);
       names.append(" ");
     }
-    Warning("Failed to insert SSL_CTX for certificate %s entries for names already made", names.c_str());
+    Warning("(%s) Failed to insert SSL_CTX for certificate %s entries for names already made", this->_debug_tag(), names.c_str());
   }
 
   for (auto iter = unique_names.begin(); retval && iter != unique_names.end(); ++iter) {
@@ -2238,6 +2238,12 @@ fail:
   return result;
 }
 
+const char *
+SSLMultiCertConfigLoader::_debug_tag() const
+{
+  return "ssl";
+}
+
 /**
    Clear password in SSL_CTX
    @static