Repository: trafficserver Updated Branches: refs/heads/master dc8a926a4 -> c26e015e4
Add appropriate licensing and code indentation Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/c26e015e Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/c26e015e Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/c26e015e Branch: refs/heads/master Commit: c26e015e472f3b0dbd211b8177d8d74b40a63466 Parents: dc8a926 Author: Leif Hedstrom <[email protected]> Authored: Thu Sep 25 14:31:38 2014 -0600 Committer: Leif Hedstrom <[email protected]> Committed: Thu Sep 25 14:31:44 2014 -0600 ---------------------------------------------------------------------- plugins/experimental/ssl_cert_loader/ats-util.h | 39 +++- .../experimental/ssl_cert_loader/domain-tree.cc | 86 +++++--- .../experimental/ssl_cert_loader/domain-tree.h | 69 +++++-- .../ssl_cert_loader/ssl-cert-loader.cc | 196 +++++++++++-------- .../ssl_cert_loader/ssl_cert_loader.cfg | 17 +- .../experimental/ssl_cert_loader/ssl_start.cfg | 16 ++ 6 files changed, 284 insertions(+), 139 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c26e015e/plugins/experimental/ssl_cert_loader/ats-util.h ---------------------------------------------------------------------- diff --git a/plugins/experimental/ssl_cert_loader/ats-util.h b/plugins/experimental/ssl_cert_loader/ats-util.h index 1164a20..0ee4a8d 100644 --- a/plugins/experimental/ssl_cert_loader/ats-util.h +++ b/plugins/experimental/ssl_cert_loader/ats-util.h 
@@ -1,7 +1,31 @@ -# if !defined(_ats_util_h) -# define _ats_util_h +/** @file -# if defined(__cplusplus) + Include file for ... + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +*/ + +#if !defined(_ats_util_h) +#define _ats_util_h + +#if defined(__cplusplus) /** Set data to zero. Calls @c memset on @a t with a value of zero and a length of @c @@ -29,12 +53,13 @@ @endcode */ -template < typename T > inline void +template <typename T> inline void ink_zero( T& t ///< Object to zero. - ) { + ) +{ memset(&t, 0, sizeof(t)); } -# endif /* __cplusplus */ +#endif /* __cplusplus */ -# endif // ats-util.h +#endif // ats-util.h http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c26e015e/plugins/experimental/ssl_cert_loader/domain-tree.cc ---------------------------------------------------------------------- diff --git a/plugins/experimental/ssl_cert_loader/domain-tree.cc b/plugins/experimental/ssl_cert_loader/domain-tree.cc index 3da87dc..c1f51c9 100644 --- a/plugins/experimental/ssl_cert_loader/domain-tree.cc +++ b/plugins/experimental/ssl_cert_loader/domain-tree.cc 
@@ -1,41 +1,61 @@ /** @file SSL dynamic certificate loader Loads certificates into a hash table as they are requested -*/ -# include <stdio.h> -# include <memory.h> -# include <inttypes.h> -# include "domain-tree.h" + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ +#include <stdio.h> +#include <memory.h> +#include <inttypes.h> +#include "domain-tree.h" // return true if comparable. Return type of compare in relative parameter // 0 if eq. < 0 if node key is broader. 
> 0 if parameter key is broader bool -DomainNameTree::DomainNameNode::compare(std::string key, int &relative) { +DomainNameTree::DomainNameNode::compare(std::string key, int &relative) +{ size_t star_loc = key.find("*"); bool is_wild = false; + if (star_loc != std::string::npos) { star_loc++; is_wild = true; key = key.substr(star_loc); } + return this->prunedCompare(key, relative, is_wild); } bool -DomainNameTree::DomainNameNode::prunedCompare(std::string key, int &relative, bool is_wild) { +DomainNameTree::DomainNameNode::prunedCompare(std::string key, int &relative, bool is_wild) +{ if (key == this->key) { relative = 0; return true; - } - else { + } else { if (this->is_wild) { size_t loc = key.find(this->key); + if (this->key == "") { // Match all relative = -1; return true; - } - else if (loc != std::string::npos) { + } else if (loc != std::string::npos) { // node key is in search key if ((key.length() - this->key.length()) == loc) { // And node key is at the end of search key @@ -48,9 +68,9 @@ DomainNameTree::DomainNameNode::prunedCompare(std::string key, int &relative, bo if (key == "") { // Match all relative = 1; return true; - } - else { + } else { size_t loc = this->key.find(key); + if (loc != std::string::npos) { if ((this->key.length() - key.length()) == loc) { relative = 1; @@ -60,14 +80,17 @@ DomainNameTree::DomainNameNode::prunedCompare(std::string key, int &relative, bo } } } + return false; } -DomainNameTree::DomainNameNode *DomainNameTree::find(std::string key, bool best_match) { +DomainNameTree::DomainNameNode *DomainNameTree::find(std::string key, bool best_match) +{ DomainNameNode *retval = NULL; DomainNameNode *first = NULL; size_t star_loc = key.find("*"); bool is_wild = false; + if (star_loc != std::string::npos) { key = key.substr(star_loc+1); is_wild = true; 
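Review bot: The wildcard handling in compare and the suffix test in prunedCompare accept any number of labels: a node stored for `*.example.com` keeps the key `.example.com`, and the `(key.length() - this->key.length()) == loc` test then matches `a.b.example.com` as well as `a.example.com`, which is broader than the single-label wildcard rule certificates themselves follow (RFC 6125 §6.4.3). compare also discards everything up to and including the first `*`, so a key such as `foo*.example.com` is reduced to `.example.com`. If the multi-label behaviour is intended, say so in the comment above compare, e.g. `// A wildcard node matches any name ending in its suffix, across label boundaries`; otherwise reject a match when another `.` precedes the matched suffix. The two `key.find("*")` calls read better as `key.find('*')`. prunedCompare continues past the end of the hunk.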
@@ -76,9 +99,11 @@ DomainNameTree::DomainNameNode *DomainNameTree::find(std::string key, bool best_ bool set_iter = false; std::deque<DomainNameNode *>::iterator sibPtr; DomainNameNode *current_node = root; + while (current_node != NULL) { bool partial_match = false; int relative; + if (current_node->prunedCompare(key, relative, is_wild)) { if (relative == 0) { retval = current_node; @@ -86,8 +111,7 @@ DomainNameTree::DomainNameNode *DomainNameTree::find(std::string key, bool best_ first = retval; } break; - } - else if (relative < 0) { + } else if (relative < 0) { retval = current_node; partial_match = true; if (NULL == first || retval->order < first->order) { @@ -101,29 +125,31 @@ DomainNameTree::DomainNameNode *DomainNameTree::find(std::string key, bool best_ set_iter = true; if (sibPtr == current_node->children.end()) break; // We are done current_node = *(sibPtr++); - } - else { // No match here. Look at next sibling? + } else { // No match here. Look at next sibling? // Is there another sibling to look at? if (set_iter && sibPtr != current_node->children.end()) { current_node = *(sibPtr++); - } - else { // No more siblings to check, give it up. + } else { // No more siblings to check, give it up. break; } } } + return best_match ? retval : first; } DomainNameTree::DomainNameNode * -DomainNameTree::insert(std::string key, void *payload, int order) { +DomainNameTree::insert(std::string key, void *payload, int order) +{ TSMutexLock(this->tree_mutex); DomainNameNode *retval = NULL; DomainNameNode *node = this->findBestMatch(key); int relative; + if (node->compare(key, relative)) { size_t star_loc = key.find("*"); bool is_wild = false; + if (star_loc != std::string::npos) { star_loc++; key = key.substr(star_loc); 
@@ -132,27 +158,28 @@ DomainNameTree::insert(std::string key, void *payload, int order) { if (relative < 0) { // Make a new node that is a child of node DomainNameNode *new_node = new DomainNameNode(key, payload, order, is_wild); + new_node->parent = node; node->children.push_back(new_node); retval = new_node; - } - else if (relative > 0) { + } else if (relative > 0) { // Insert new node as parent of node DomainNameNode *new_node = new DomainNameNode(key, payload, order, is_wild); + new_node->parent = node->parent; new_node->children.push_back(node); + // Replace the node with new_node in the child list of the parent; - std::deque<DomainNameNode *>::iterator iter = node->parent->children.begin(); - for (; iter != node->parent->children.end(); ++iter) { + for (std::deque<DomainNameNode *>::iterator iter = node->parent->children.begin(); + iter != node->parent->children.end(); ++iter) { if (*(iter) == node) { *(iter) = new_node; } } retval = new_node; - } - // Will not replace in the equal case - // Unless this is the root node - else { + } else { + // Will not replace in the equal case + // Unless this is the root node if (node->key == "" && node->order == 0x7fffffff){ node->key = key; node->payload = payload; @@ -162,6 +189,7 @@ DomainNameTree::insert(std::string key, void *payload, int order) { } } TSMutexUnlock(this->tree_mutex); + return retval; } http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c26e015e/plugins/experimental/ssl_cert_loader/domain-tree.h ---------------------------------------------------------------------- diff --git a/plugins/experimental/ssl_cert_loader/domain-tree.h b/plugins/experimental/ssl_cert_loader/domain-tree.h index 6f524d2..0efcb24 100644 --- a/plugins/experimental/ssl_cert_loader/domain-tree.h +++ b/plugins/experimental/ssl_cert_loader/domain-tree.h 
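Review bot: In find's `else` branch the test `sibPtr != current_node->children.end()` compares an iterator that appears to walk the previously matched node's children (the assignment sits just above the start of this hunk) against the end of the current child's own `children` deque, so once the sibling list is exhausted the loop can dereference a past-the-end iterator instead of breaking; comparing iterators from different containers is undefined. Remembering the sibling list's end where sibPtr is set — a `std::deque<DomainNameNode *>::iterator sibEnd;` next to sibPtr, `sibEnd = current_node->children.end();` beside the existing assignment, and `if (set_iter && sibPtr != sibEnd)` in the else branch — keeps both iterators on the same deque. Separately, insert takes tree_mutex and then calls findBestMatch, which locks the same mutex again; that only works if TSMutex is re-entrant, and `DomainNameNode *node = this->find(key, true);` avoids relying on it. find starts before this hunk and insert ends after it.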
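Review bot: In the final `else` of insert a duplicate key on a non-root node leaves retval NULL and discards `payload` without any diagnostic, and the only caller visible on this page (Load_Certificate_Thread, further down) ignores the return value, so a second certificate carrying an already registered name is silently never selectable. A `TSDebug("skh-cert", "Duplicate key %s ignored", key.c_str());` in that branch, plus a sentence on insert's declaration saying that the first-inserted entry wins, would make the behaviour visible. The root sentinel is written `0x7fffffff` here and `0x7FFFFFFF` in the header constructor; a shared named constant would keep the two in step. The `relative > 0` branch dereferences `node->parent` without a NULL check — root is the only parentless node and find should never report a key broader than root, but an assertion would record that invariant. insert ends after this hunk.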
@@ -1,25 +1,54 @@ -# include <string> -# include <deque> -# include <ts/ts.h> +/** @file + + Include file for ... + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +*/ +#include <string> +#include <deque> +#include <ts/ts.h> class DomainNameTree { public: class DomainNameNode { public: - DomainNameNode() : order(-1), payload(NULL), parent(NULL), is_wild(false) - { - } - DomainNameNode(std::string key, void *payload, int order, bool is_wild) : key(key), order(order), payload(payload), parent(NULL), is_wild(is_wild) - { - } + DomainNameNode() + : order(-1), payload(NULL), parent(NULL), is_wild(false) + { } + + DomainNameNode(std::string key, void *payload, int order, bool is_wild) + : key(key), order(order), payload(payload), parent(NULL), is_wild(is_wild) + { } + DomainNameNode *match(std::string value); - ~DomainNameNode() { + + ~DomainNameNode() + { std::deque<DomainNameNode *>::iterator iter = children.begin(); + for (; iter != children.end(); iter++) { delete *iter; } } + // return true if comparable. Return type of compare in relative parameter // 0 if eq. < 0 if node key is broader. > 0 if parameter key is broader bool compare(std::string key, int &relative); 
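Review bot: domain-tree.h still has no include guard, while ats-util.h receives `#if !defined(_ats_util_h)` in this same commit; a guard of the same form (e.g. `#if !defined(_domain_tree_h)` / `#define _domain_tree_h` after the license block and a closing `#endif` at the end of the file) keeps the two headers consistent. DomainNameNode owns its children through raw pointers and deletes them in the destructor, but copying is not disabled, so an accidental copy of a node would double-delete the subtree; declare the copy constructor and copy assignment private (or `= delete` if the build is C++11), or state in a comment that nodes are only ever handled by pointer. `iter++` in the destructor can be `++iter`. The class body continues past the hunk.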
@@ -31,31 +60,38 @@ public: std::deque<DomainNameNode *> children; DomainNameNode *parent; bool is_wild; - private: }; - DomainNameTree() { + DomainNameTree() + { root = new DomainNameNode(); root->key = ""; root->order = 0x7FFFFFFF; root->is_wild = true; tree_mutex = TSMutexCreate(); } - ~DomainNameTree() { - if (root != NULL) { delete root; } + + ~DomainNameTree() + { + delete root; } - DomainNameNode *findBestMatch(std::string key) { + + DomainNameNode *findBestMatch(std::string key) + { TSMutexLock(this->tree_mutex); DomainNameNode *retval = this->find(key, true); TSMutexUnlock(this->tree_mutex); return retval; } - DomainNameNode *findFirstMatch(std::string key) { + + DomainNameNode *findFirstMatch(std::string key) + { TSMutexLock(this->tree_mutex); DomainNameNode *retval = this->find(key, false); TSMutexUnlock(this->tree_mutex); return retval; } + DomainNameNode *find(std::string key, bool best_match); DomainNameNode *insert(std::string key, void *payload, int order); @@ -63,4 +99,3 @@ private: DomainNameNode *root; TSMutex tree_mutex; }; - http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c26e015e/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc ---------------------------------------------------------------------- diff --git a/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc b/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc index a211d7c..03c5d3d 100644 --- a/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc +++ b/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc 
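Review bot: find is public but takes no lock, and the locking contract is stated nowhere in the header even though findBestMatch and findFirstMatch wrap it in tree_mutex and insert (in domain-tree.cc) calls it with the mutex already held; a comment on the declaration such as `// Unsynchronized; callers must hold tree_mutex or use findBestMatch/findFirstMatch.` would record it. The two wrappers also return the node pointer after releasing the mutex, and insert's root-replacement path rewrites `key` and `payload` of an existing node, so a reader can observe those fields mid-update unless it copies what it needs under the lock — worth a sentence on both wrappers. The destructor frees root but does nothing with tree_mutex; if the TS API provides a way to release a mutex obtained from TSMutexCreate, it belongs here.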
@@ -1,28 +1,47 @@ -/** @file +/** @file + SSL dynamic certificate loader Loads certificates into a hash table as they are requested + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. */ -# include <stdio.h> -# include <memory.h> -# include <inttypes.h> -# include <ts/ts.h> -# include <ink_config.h> -# include <tsconfig/TsValue.h> -# include <openssl/ssl.h> -# include <openssl/x509.h> -# include <openssl/x509v3.h> -# include <ts/ink_inet.h> -# include <ts/IpMap.h> -# include "domain-tree.h" +#include <stdio.h> +#include <memory.h> +#include <inttypes.h> +#include <ts/ts.h> +#include <ink_config.h> +#include <tsconfig/TsValue.h> +#include <openssl/ssl.h> +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <ts/ink_inet.h> +#include <ts/IpMap.h> +#include "domain-tree.h" using ts::config::Configuration; using ts::config::Value; -# define PN "ssl-cert-loader" -# define PCP "[" PN " Plugin] " +#define PN "ssl-cert-loader" +#define PCP "[" PN " Plugin] " -# if TS_USE_TLS_SNI +#if TS_USE_TLS_SNI namespace { 
@@ -34,12 +53,15 @@ public: class SslEntry { public: - SslEntry() : ctx(NULL), op(TS_SSL_HOOK_OP_DEFAULT) + SslEntry() + : ctx(NULL), op(TS_SSL_HOOK_OP_DEFAULT) { this->mutex = TSMutexCreate(); } - ~SslEntry() { - } + + ~SslEntry() + { } + SSL_CTX *ctx; TSSslVConnOp op; // If the CTX is not already created, use these @@ -54,21 +76,22 @@ std::string ConfigPath; typedef std::pair<IpAddr, IpAddr> IpRange; typedef std::deque<IpRange> IpRangeQueue; -Configuration Config; // global configuration +Configuration Config; // global configuration void -Parse_Addr_String(ts::ConstBuffer const &text, IpRange &range) { +Parse_Addr_String(ts::ConstBuffer const &text, IpRange &range) +{ IpAddr newAddr; std::string textstr(text._ptr, text._size); // Is there a hyphen? size_t hyphen_pos = textstr.find("-"); + if (hyphen_pos != std::string::npos) { std::string addr1 = textstr.substr(0, hyphen_pos); std::string addr2 = textstr.substr(hyphen_pos+1); range.first.load(ts::ConstBuffer(addr1.c_str(), addr1.length())); range.second.load(ts::ConstBuffer(addr2.c_str(), addr2.length())); - } - else { // Assume it is a single address + } else { // Assume it is a single address newAddr.load(text); range.first = newAddr; range.second = newAddr; @@ -76,10 +99,13 @@ Parse_Addr_String(ts::ConstBuffer const &text, IpRange &range) { } int -Load_Config_File() { +Load_Config_File() +{ ts::Rv<Configuration> cv = Configuration::loadFromPath(ConfigPath.c_str()); + if (!cv.isOK()) { char error_buffer[1024]; + cv._errata.write(error_buffer, sizeof(error_buffer), 0, 0, 0, ""); TSDebug("skh-cert","Failed to parse %s as TSConfig format", ConfigPath.c_str()); TSError(PCP "Failed to parse %s as TSConfig format", ConfigPath.c_str()); @@ -87,6 +113,7 @@ Load_Config_File() { return -1; } Config = cv; + return 1; } 
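Review bot: Parse_Addr_String ignores the results of all three `load()` calls, so an unparseable address in the config leaves `range` holding whatever the IpAddr default or partial parse produced and the entry is registered anyway; if IpAddr::load reports failure through its return value, surface it (a `bool` return from this function, or a TSError naming `textstr`) so that a typo in an address is visible rather than silently mapped to the wrong range. `textstr.find("-")` can be `textstr.find('-')`. `newAddr` is only used in the else branch and can be declared there.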
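Review bot: Load_Config_File returns 1 on success, but its caller Load_Configuration (next hunk, `if (ret != 0)`) treats any nonzero result as failure, so every successful load emits `Failed to load the config file` through TSError and a real failure is indistinguishable from success in the log. Returning `return 0;` here keeps the -1 failure path and matches the caller; alternatively the caller can test `ret < 0`. Either way the caller goes on to parse `Config` after a failed load, which the log line should also say. Load_Config_File starts before this hunk.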
@@ -98,19 +125,19 @@ struct ParsedSslValues { IpRangeQueue server_ips; }; -void -Parse_Config_Rules(Value &parent, ParsedSslValues &orig_values); + +void Parse_Config_Rules(Value &parent, ParsedSslValues &orig_values); int -Load_Configuration_Args(int argc, const char *argv[]) { -ts::ConstBuffer text; +Load_Configuration_Args(int argc, const char *argv[]) +{ + ts::ConstBuffer text; std::string s; // temp holder. TSMgmtString config_path = NULL; - // get the path to the config file if one was specified static char const * const CONFIG_ARG = "--config="; - int arg_idx; - for (arg_idx = 0; arg_idx < argc; arg_idx++) { + + for (int arg_idx = 0; arg_idx < argc; arg_idx++) { if (0 == memcmp(argv[arg_idx], CONFIG_ARG, strlen(CONFIG_ARG))) { config_path = TSstrdup(argv[arg_idx] + strlen(CONFIG_ARG)); TSDebug(PN, "Found config path %s", config_path); @@ -118,6 +145,7 @@ ts::ConstBuffer text; } if (NULL == config_path) { static char const * const DEFAULT_CONFIG_PATH = "ssl_start.cfg"; + config_path = TSstrdup(DEFAULT_CONFIG_PATH); TSDebug(PN, "No config path set in arguments, using default: %s", DEFAULT_CONFIG_PATH); } @@ -132,12 +160,15 @@ ts::ConstBuffer text; TSDebug("skh-cert", "Load from %s", ConfigPath.c_str()); // free up the path TSfree(config_path); + return 0; } int -Load_Configuration() { +Load_Configuration() +{ int ret = Load_Config_File(); + if (ret != 0) { TSError(PCP "Failed to load the config file, check debug output for errata"); } 
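Review bot: `memcmp(argv[arg_idx], CONFIG_ARG, strlen(CONFIG_ARG))` compares nine bytes of every argument regardless of its length, so an argument shorter than `--config=` is read past its terminating NUL; `if (0 == strncmp(argv[arg_idx], CONFIG_ARG, strlen(CONFIG_ARG))) {` stops at the terminator. If `--config=` is given twice the first TSstrdup result is overwritten and leaked; freeing the previous `config_path` before the second TSstrdup, or breaking out of the loop on the first hit, avoids that. Load_Configuration_Args continues after the hunk.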
@@ -153,31 +184,15 @@ Load_Configuration() { Parse_Config_Rules(val, values); } - // Test values - DomainNameTree::DomainNameNode *node = Lookup.tree.findFirstMatch("calendar.google.com"); - TSDebug("skh-cert", "Found node with key=%s and order=%d", node->key.c_str(), node->order); - node = Lookup.tree.findFirstMatch("www.buseyil.com"); - TSDebug("skh-cert", "Found node with key=%s and order=%d", node->key.c_str(), node->order); - - IpAddr key_ip; - key_ip.load(ts::ConstBuffer("107.23.60.186", strlen("107.23.60.186"))); - IpEndpoint key_endpoint; - key_endpoint.assign(key_ip); - void *payload; - if (Lookup.ipmap.contains(&key_endpoint, &payload)) { - TSDebug("skh-cert", "Found %p for 107.23.60.186", payload); - } - else { - TSDebug("skh-cert", "Found nothing for 107.23.60.186"); - } - return 0; } SSL_CTX * -Load_Certificate(SslEntry const *entry, std::deque<std::string> &names) { +Load_Certificate(SslEntry const *entry, std::deque<std::string> &names) +{ SSL_CTX *retval = SSL_CTX_new(SSLv23_client_method()); X509* cert = NULL; + if (entry->certFileName.length() > 0) { // Must load the cert file to fetch the names out later BIO *cert_bio = BIO_new_file(entry->certFileName.c_str(), "r"); @@ -202,6 +217,7 @@ Load_Certificate(SslEntry const *entry, std::deque<std::string> &names) { if (cert != NULL) { X509_NAME *name = X509_get_subject_name(cert); char subjectCn[256]; + if (X509_NAME_get_text_by_NID(name, NID_commonName, subjectCn, sizeof(subjectCn)) >= 0) { std::string tmp_name(subjectCn); names.push_back(tmp_name); 
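Review bot: Load_Certificate creates the context with `SSLv23_client_method()` although, as far as this file shows, the result is only ever installed into accepted connections through SSL_set_SSL_CTX in CB_Pre_Accept and CB_servername; `SSL_CTX *retval = SSL_CTX_new(SSLv23_server_method());` states the actual role and avoids client-side defaults. The `SSL_CTX_new` result is used as `retval` without a visible NULL check — if the check is not in the lines below the hunk, a failed allocation appears to propagate a NULL ctx into the entry and Load_Certificate_Thread then re-enables every waiting connection against it. Load_Certificate continues past the hunk.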
@@ -228,21 +244,23 @@ Load_Certificate(SslEntry const *entry, std::deque<std::string> &names) { return retval; } + /* * Load the config information about the terminal config. * Only load the certificate if no server name or ip is specified */ SslEntry * -Load_Certificate_Entry(ParsedSslValues const &values, std::deque<std::string> &names) { +Load_Certificate_Entry(ParsedSslValues const &values, std::deque<std::string> &names) +{ SslEntry *retval = NULL; std::string cert_file_path; std::string priv_file_path; + retval = new SslEntry(); if (values.server_cert_name.length() > 0) { if (values.server_cert_name[0] != '/') { cert_file_path = std::string(TSConfigDirGet()) + '/' + values.server_cert_name; - } - else { + } else { cert_file_path = values.server_cert_name; } retval->certFileName = cert_file_path; @@ -250,8 +268,7 @@ Load_Certificate_Entry(ParsedSslValues const &values, std::deque<std::string> &n if (values.server_priv_key_file.length() > 0) { if (values.server_priv_key_file[0] != '/') { priv_file_path = std::string(TSConfigDirGet()) + '/' + values.server_priv_key_file; - } - else { + } else { priv_file_path = values.server_priv_key_file; } retval->keyFileName = priv_file_path; 
@@ -264,26 +281,29 @@ Load_Certificate_Entry(ParsedSslValues const &values, std::deque<std::string> &n if (values.action.length() > 0) { if (values.action == "tunnel") { retval->op = TS_SSL_HOOK_OP_TUNNEL; - } - else if (values.action == "teriminate") { + } else if (values.action == "teriminate") { retval-> op = TS_SSL_HOOK_OP_TERMINATE; } } + return retval; } int Parse_order = 0; void -Parse_Config(Value &parent, ParsedSslValues &orig_values) { +Parse_Config(Value &parent, ParsedSslValues &orig_values) +{ ParsedSslValues cur_values(orig_values); Value val = parent.find("ssl-key-name"); + if (val.hasValue()) { cur_values.server_priv_key_file = std::string(val.getText()._ptr, val.getText()._size); } val = parent.find("server-ip"); if (val) { IpRange ipRange; + Parse_Addr_String(val.getText(), ipRange); cur_values.server_ips.push_back(ipRange); } @@ -303,8 +323,7 @@ Parse_Config(Value &parent, ParsedSslValues &orig_values) { val = parent.find("child-match"); if (val) { Parse_Config_Rules(val, cur_values); - } - else { // We are terminal, enter a match case + } else { // We are terminal, enter a match case TSDebug("skh-cert", "Terminal SSL Config: server_priv_key_file=%s server_name=%s server_cert_name=%s action=%s", cur_values.server_priv_key_file.c_str(), cur_values.server_name.c_str(), @@ -341,8 +360,10 @@ Parse_Config(Value &parent, ParsedSslValues &orig_values) { } void -Parse_Config_Rules(Value &parent, ParsedSslValues &orig_values) { +Parse_Config_Rules(Value &parent, ParsedSslValues &orig_values) +{ size_t i; + for (i = 0; i < parent.childCount(); i++) { Value child = parent[i]; Parse_Config(child, orig_values); 
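Review bot: The action keyword is compared against the misspelling `teriminate`, so a config that writes the natural `terminate` matches nothing and silently keeps TS_SSL_HOOK_OP_DEFAULT; the shipped config is not visible here, so accept both spellings to stay compatible, `} else if (values.action == "terminate" || values.action == "teriminate") {`. An unrecognised action should also be reported, e.g. a final `else { TSError(PCP "Unknown action '%s'", values.action.c_str()); }`, since a default op reached by typo surfaces only as unexpected handshake behaviour. Load_Certificate_Entry starts before this hunk.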
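Review bot: Parse_Config_Rules still declares `size_t i;` ahead of the loop while this same commit moves the loop variables in Load_Configuration_Args and Load_Certificate_Thread into the `for` header; `for (size_t i = 0; i < parent.childCount(); i++) {` keeps the three consistent. Parse_Config_Rules ends after the hunk.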
@@ -350,13 +371,15 @@ Parse_Config_Rules(Value &parent, ParsedSslValues &orig_values) { } void * -Load_Certificate_Thread(void *arg) { +Load_Certificate_Thread(void *arg) +{ SslEntry *entry = reinterpret_cast<SslEntry*>(arg); TSMutexLock(entry->mutex); if (entry->ctx == NULL) { // Must load certificate std::deque<std::string> cert_names; + entry->ctx = Load_Certificate(entry, cert_names); while (entry->waitingVConns.begin() != entry->waitingVConns.end()) { TSVConn vc = entry->waitingVConns.back(); @@ -367,27 +390,29 @@ Load_Certificate_Thread(void *arg) { TSVConnReenable(vc); } TSMutexUnlock(entry->mutex); - size_t i; - for (i = 0; i < cert_names.size(); i++) { + for (size_t i = 0; i < cert_names.size(); i++) { Lookup.tree.insert(cert_names[i], entry, Parse_order++); } - } - else { + } else { TSMutexUnlock(entry->mutex); } + return (void *)1; } int -CB_Life_Cycle(TSCont , TSEvent , void *) { +CB_Life_Cycle(TSCont , TSEvent , void *) +{ // By now the SSL library should have been initialized, // We can safely parse the config file and load the ctx tables Load_Configuration(); + return TS_SUCCESS; } int -CB_Pre_Accept(TSCont /*contp*/, TSEvent event, void *edata) { +CB_Pre_Accept(TSCont /*contp*/, TSEvent event, void *edata) +{ TSVConn ssl_vc = reinterpret_cast<TSVConn>(edata); IpAddr ip(TSNetVConnLocalAddrGet(ssl_vc)); char buff[INET6_ADDRSTRLEN]; 
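Review bot: `Parse_order++` runs after entry->mutex is released and outside tree_mutex, and one Load_Certificate_Thread is created per entry, so two loader threads (or a loader thread and the config parse, which presumably also advances Parse_order) can race on the same plain `int` and hand duplicate order values to insert, which find later uses to rank partial matches. Taking the order inside DomainNameTree::insert while tree_mutex is held, or using an atomic increment on Parse_order, removes the race. `reinterpret_cast<SslEntry*>(arg)` can be `static_cast<SslEntry*>(arg)`, since arg is a `void *`. Load_Certificate_Thread starts before the hunk.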
@@ -419,23 +444,20 @@ CB_Pre_Accept(TSCont /*contp*/, TSEvent event, void *edata) { TSVConnTunnel(ssl_vc); } TSMutexUnlock(entry->mutex); - } - else { + } else { if (entry->ctx == NULL) { if (entry->waitingVConns.begin() == entry->waitingVConns.end()) { entry->waitingVConns.push_back(ssl_vc); TSMutexUnlock(entry->mutex); TSThreadCreate(Load_Certificate_Thread, entry); - } - else { // Just add yourself to the queue + } else { // Just add yourself to the queue entry->waitingVConns.push_back(ssl_vc); TSMutexUnlock(entry->mutex); } // Return before we reenable return TS_SUCCESS; - } - else { // if (entry->ctx != NULL) { + } else { // if (entry->ctx != NULL) { SSL_set_SSL_CTX(ssl, entry->ctx); TSDebug("skh-cert", "Replace cert based on IP"); TSMutexUnlock(entry->mutex); @@ -445,15 +467,18 @@ CB_Pre_Accept(TSCont /*contp*/, TSEvent event, void *edata) { // All done, reactivate things TSVConnReenable(ssl_vc); + return TS_SUCCESS; } int -CB_servername(TSCont /*contp*/, TSEvent /*event*/, void *edata) { +CB_servername(TSCont /*contp*/, TSEvent /*event*/, void *edata) +{ TSVConn ssl_vc = reinterpret_cast<TSVConn>(edata); TSSslConnection sslobj = TSVConnSSLConnectionGet(ssl_vc); SSL *ssl = reinterpret_cast<SSL *>(sslobj); const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); + if (servername != NULL) { // Is there a certificated loaded up for this name DomainNameTree::DomainNameNode *node = Lookup.tree.findFirstMatch(servername); 
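Review bot: `SSL_set_SSL_CTX(ssl, entry->ctx)` is called without checking its result here and in the matching branch of CB_servername (next hunk); it returns the new SSL_CTX, or NULL when the switch fails, in which case the connection continues with the default certificate while the debug line reports a replacement. Checking `if (SSL_set_SSL_CTX(ssl, entry->ctx) == NULL) { TSError(PCP "SSL_set_SSL_CTX failed"); }` before reenabling makes the failure visible in the log. CB_Pre_Accept starts before the hunk.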
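Review bot: `servername` comes straight from the client's SNI extension and is passed to Lookup.tree.findFirstMatch unchanged, and find (domain-tree.cc above) treats a `*` in the lookup key as a wildcard marker, stripping everything up to it and switching to wildcard matching; a hostname can never legitimately contain `*`, so a guard such as `if (servername != NULL && strchr(servername, '*') == NULL) {` keeps client input on the literal matching path and reserves wildcard semantics for configured keys, with a TSDebug on the rejected case so odd names show up in the log. The debug line further down prints the raw name as an argument rather than as the format string, which is fine. CB_servername continues after the hunk.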
@@ -476,15 +501,13 @@ CB_servername(TSCont /*contp*/, TSEvent /*event*/, void *edata) { entry->waitingVConns.push_back(ssl_vc); TSMutexUnlock(entry->mutex); TSThreadCreate(Load_Certificate_Thread, entry); - } - else { // Just add yourself to the queue + } else { // Just add yourself to the queue entry->waitingVConns.push_back(ssl_vc); TSMutexUnlock(entry->mutex); } // Won't reenable until the certificate has been loaded return TS_SUCCESS; - } - else { //if (entry->ctx != NULL) { + } else { //if (entry->ctx != NULL) { SSL_set_SSL_CTX(ssl, entry->ctx); TSDebug("skh-cert", "Replace cert based on name %s", servername); } @@ -493,6 +516,7 @@ CB_servername(TSCont /*contp*/, TSEvent /*event*/, void *edata) { } // All done, reactivate things TSVConnReenable(ssl_vc); + return TS_SUCCESS; } @@ -500,7 +524,8 @@ CB_servername(TSCont /*contp*/, TSEvent /*event*/, void *edata) { // Called by ATS as our initialization point void -TSPluginInit(int argc, const char *argv[]) { +TSPluginInit(int argc, const char *argv[]) +{ bool success = false; TSPluginRegistrationInfo info; TSCont cb_pa = 0; // pre-accept callback continuation @@ -540,11 +565,12 @@ TSPluginInit(int argc, const char *argv[]) { return; } -# else // ! TS_USE_TLS_SNI +#else // ! TS_USE_TLS_SNI void -TSPluginInit(int, const char *[]) { - TSError(PCP "requires TLS SNI which is not available."); +TSPluginInit(int, const char *[]) +{ + TSError(PCP "requires TLS SNI which is not available."); } -# endif // TS_USE_TLS_SNI +#endif // TS_USE_TLS_SNI http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c26e015e/plugins/experimental/ssl_cert_loader/ssl_cert_loader.cfg ---------------------------------------------------------------------- diff --git a/plugins/experimental/ssl_cert_loader/ssl_cert_loader.cfg b/plugins/experimental/ssl_cert_loader/ssl_cert_loader.cfg index 542d83b..10bd37e 100644 --- a/plugins/experimental/ssl_cert_loader/ssl_cert_loader.cfg +++ b/plugins/experimental/ssl_cert_loader/ssl_cert_loader.cfg 
@@ -1,3 +1,19 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + // Describe how proxy should deal with the handshake process of SSL // connections passing though. version = "0.1"; @@ -132,4 +148,3 @@ ssl-actions = ssl-key-name = "privkey.pem"; }; }; - http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c26e015e/plugins/experimental/ssl_cert_loader/ssl_start.cfg ---------------------------------------------------------------------- diff --git a/plugins/experimental/ssl_cert_loader/ssl_start.cfg b/plugins/experimental/ssl_cert_loader/ssl_start.cfg index daff753..b045302 100644 --- a/plugins/experimental/ssl_cert_loader/ssl_start.cfg +++ b/plugins/experimental/ssl_cert_loader/ssl_start.cfg 
@@ -1,3 +1,19 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + // Describe how proxy should deal with the handshake process of SSL // connections passing though. version = "0.1"
