http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLCertLookup.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc index 84caa6e..28755ba 100644 --- a/iocore/net/SSLCertLookup.cc +++ b/iocore/net/SSLCertLookup.cc @@ -32,14 +32,10 @@ #include "Trie.h" #include "ts/TestBox.h" -struct SSLAddressLookupKey -{ - explicit - SSLAddressLookupKey(const IpEndpoint& ip) : sep(0) +struct SSLAddressLookupKey { + explicit SSLAddressLookupKey(const IpEndpoint &ip) : sep(0) { - static const char hextab[16] = { - '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' - }; + static const char hextab[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; int nbytes; uint16_t port = ntohs(ip.port()); @@ -51,73 +47,93 @@ struct SSLAddressLookupKey if (port) { sep = nbytes; key[nbytes++] = '.'; - key[nbytes++] = hextab[ (port >> 12) & 0x000F ]; - key[nbytes++] = hextab[ (port >> 8) & 0x000F ]; - key[nbytes++] = hextab[ (port >> 4) & 0x000F ]; - key[nbytes++] = hextab[ (port ) & 0x000F ]; + key[nbytes++] = hextab[(port >> 12) & 0x000F]; + key[nbytes++] = hextab[(port >> 8) & 0x000F]; + key[nbytes++] = hextab[(port >> 4) & 0x000F]; + key[nbytes++] = hextab[(port)&0x000F]; } key[nbytes++] = 0; } - const char * get() const { return key; } - void split() { key[sep] = '\0'; } - void unsplit() { key[sep] = '.'; } + const char * + get() const + { + return key; + } + void + split() + { + key[sep] = '\0'; + } + void + unsplit() + { + key[sep] = '.'; + } private: char key[(TS_IP6_SIZE * 2) /* hex addr */ + 1 /* dot */ + 4 /* port */ + 1 /* NULL */]; unsigned char sep; // offset of address/port separator }; -struct SSLContextStorage -{ +struct SSLContextStorage { public: SSLContextStorage(); ~SSLContextStorage(); /// Add a cert context to storage /// @return The @a host_store index or -1 on error. - int insert(const char * name, SSLCertContext const& cc); + int insert(const char *name, SSLCertContext const &cc); /// Add a cert context to storage. /// @a idx must be a value returned by a previous call to insert. /// This creates an alias, a different @a name referring to the same /// cert context. /// @return @a idx - int insert(const char * name, int idx); - SSLCertContext* lookup(const char * name) const; - unsigned count() const { return this->ctx_store.length(); } - SSLCertContext* get(unsigned i) const { return &this->ctx_store[i]; } + int insert(const char *name, int idx); + SSLCertContext *lookup(const char *name) const; + unsigned + count() const + { + return this->ctx_store.length(); + } + SSLCertContext * + get(unsigned i) const + { + return &this->ctx_store[i]; + } private: /** A struct that can be stored a @c Trie. It contains the index of the real certificate and the linkage required by @c Trie. */ - struct ContextRef - { - ContextRef(): idx(-1) {} + struct ContextRef { + ContextRef() : idx(-1) {} explicit ContextRef(int n) : idx(n) {} - void Print() const { Debug("ssl", "Item=%p SSL_CTX=#%d", this, idx); } - int idx; ///< Index in the context store. + void + Print() const + { + Debug("ssl", "Item=%p SSL_CTX=#%d", this, idx); + } + int idx; ///< Index in the context store. LINK(ContextRef, link); ///< Require by @c Trie }; /// Items tored by wildcard name - Trie<ContextRef> wildcards; + Trie<ContextRef> wildcards; /// Contexts stored by IP address or FQDN - InkHashTable * hostnames; + InkHashTable *hostnames; /// List for cleanup. /// Exactly one pointer to each SSL context is stored here. - Vec<SSLCertContext> ctx_store; + Vec<SSLCertContext> ctx_store; /// Add a context to the clean up list. /// @return The index of the added context. - int store(SSLCertContext const& cc); - + int store(SSLCertContext const &cc); }; -SSLCertLookup::SSLCertLookup() - : ssl_storage(new SSLContextStorage()), ssl_default(NULL), is_valid(true) +SSLCertLookup::SSLCertLookup() : ssl_storage(new SSLContextStorage()), ssl_default(NULL), is_valid(true) { } @@ -127,15 +143,15 @@ SSLCertLookup::~SSLCertLookup() } SSLCertContext * -SSLCertLookup::find(const char * address) const +SSLCertLookup::find(const char *address) const { return this->ssl_storage->lookup(address); } SSLCertContext * -SSLCertLookup::find(const IpEndpoint& address) const +SSLCertLookup::find(const IpEndpoint &address) const { - SSLCertContext * cc; + SSLCertContext *cc; SSLAddressLookupKey key(address); // First try the full address. @@ -159,7 +175,7 @@ SSLCertLookup::insert(const char *name, SSLCertContext const &cc) } int -SSLCertLookup::insert(const IpEndpoint& address, SSLCertContext const &cc) +SSLCertLookup::insert(const IpEndpoint &address, SSLCertContext const &cc) { SSLAddressLookupKey key(address); return this->ssl_storage->insert(key.get(), cc); @@ -177,18 +193,19 @@ SSLCertLookup::get(unsigned i) const return ssl_storage->get(i); } -struct ats_wildcard_matcher -{ - ats_wildcard_matcher() { +struct ats_wildcard_matcher { + ats_wildcard_matcher() + { if (regex.compile("^\\*\\.[^\\*.]+") != 0) { Fatal("failed to compile TLS wildcard matching regex"); } } - ~ats_wildcard_matcher() { - } + ~ats_wildcard_matcher() {} - bool match(const char * hostname) const { + bool + match(const char *hostname) const + { return regex.match(hostname) != -1; } @@ -197,10 +214,10 @@ private: }; static char * -reverse_dns_name(const char * hostname, char (&reversed)[TS_MAX_HOST_NAME_LEN+1]) +reverse_dns_name(const char *hostname, char(&reversed)[TS_MAX_HOST_NAME_LEN + 1]) { - char * ptr = reversed + sizeof(reversed); - const char * part = hostname; + char *ptr = reversed + sizeof(reversed); + const char *part = hostname; *(--ptr) = '\0'; // NUL-terminate @@ -227,13 +244,12 @@ reverse_dns_name(const char * hostname, char (&reversed)[TS_MAX_HOST_NAME_LEN+1] return ptr; } -SSLContextStorage::SSLContextStorage() - :wildcards(), hostnames(ink_hash_table_create(InkHashTableKeyType_String)) +SSLContextStorage::SSLContextStorage() : wildcards(), hostnames(ink_hash_table_create(InkHashTableKeyType_String)) { } bool -SSLCtxCompare(SSLCertContext const & cc1, SSLCertContext const & cc2) +SSLCtxCompare(SSLCertContext const &cc1, SSLCertContext const &cc2) { // Either they are both real ctx pointers and cc1 has the smaller pointer // Or only cc2 has a non-null pointer @@ -257,7 +273,7 @@ SSLContextStorage::~SSLContextStorage() } int -SSLContextStorage::store(SSLCertContext const& cc) +SSLContextStorage::store(SSLCertContext const &cc) { int idx = this->ctx_store.length(); this->ctx_store.add(cc); @@ -265,16 +281,17 @@ SSLContextStorage::store(SSLCertContext const& cc) } int -SSLContextStorage::insert(const char* name, SSLCertContext const& cc) +SSLContextStorage::insert(const char *name, SSLCertContext const &cc) { int idx = this->store(cc); idx = this->insert(name, idx); - if (idx < 0) this->ctx_store.drop(); + if (idx < 0) + this->ctx_store.drop(); return idx; } int -SSLContextStorage::insert(const char* name, int idx) +SSLContextStorage::insert(const char *name, int idx) { ats_wildcard_matcher wildcard; bool inserted = false; @@ -283,7 +300,7 @@ SSLContextStorage::insert(const char* name, int idx) // We turn wildcards into the reverse DNS form, then insert them into the trie // so that we can do a longest match lookup. char namebuf[TS_MAX_HOST_NAME_LEN + 1]; - char * reversed; + char *reversed; ats_scoped_obj<ContextRef> ref; reversed = reverse_dns_name(name + 1, namebuf); @@ -296,7 +313,7 @@ SSLContextStorage::insert(const char* name, int idx) int ref_idx = (*ref).idx; inserted = this->wildcards.Insert(reversed, ref, 0 /* rank */, -1 /* keylen */); if (!inserted) { - ContextRef * found; + ContextRef *found; // We fail to insert, so the longest wildcard match search should return the full match value. found = this->wildcards.Search(reversed); @@ -304,16 +321,16 @@ SSLContextStorage::insert(const char* name, int idx) // Otherwise we cannot detect and recover from a double insert // into the references array if (found != NULL) { - Warning("previously indexed wildcard certificate for '%s' as '%s', cannot index it with SSL_CTX #%d now", - name, reversed, idx); + Warning("previously indexed wildcard certificate for '%s' as '%s', cannot index it with SSL_CTX #%d now", name, reversed, + idx); } idx = -1; } else { ref.release(); // it's the hands of the Trie now, forget it and move on. } - Debug("ssl", "%s wildcard certificate for '%s' as '%s' with SSL_CTX %p [%d]", - idx >= 0 ? "index" : "failed to index", name, reversed, this->ctx_store[ref_idx].ctx, ref_idx); + Debug("ssl", "%s wildcard certificate for '%s' as '%s' with SSL_CTX %p [%d]", idx >= 0 ? "index" : "failed to index", name, + reversed, this->ctx_store[ref_idx].ctx, ref_idx); } else { InkHashTableValue value; @@ -321,16 +338,15 @@ SSLContextStorage::insert(const char* name, int idx) Warning("previously indexed '%s' with SSL_CTX %p, cannot index it with SSL_CTX #%d now", name, value, idx); idx = -1; } else { - ink_hash_table_insert(this->hostnames, name, reinterpret_cast<void*>(static_cast<intptr_t>(idx))); - Debug("ssl", "indexed '%s' with SSL_CTX %p [%d]", - name, this->ctx_store[idx].ctx, idx); + ink_hash_table_insert(this->hostnames, name, reinterpret_cast<void *>(static_cast<intptr_t>(idx))); + Debug("ssl", "indexed '%s' with SSL_CTX %p [%d]", name, this->ctx_store[idx].ctx, idx); } } return idx; } SSLCertContext * -SSLContextStorage::lookup(const char * name) const +SSLContextStorage::lookup(const char *name) const { InkHashTableValue value; @@ -340,8 +356,8 @@ SSLContextStorage::lookup(const char * name) const if (!this->wildcards.Empty()) { char namebuf[TS_MAX_HOST_NAME_LEN + 1]; - char * reversed; - ContextRef * ref; + char *reversed; + ContextRef *ref; reversed = reverse_dns_name(name, namebuf); if (!reversed) { @@ -361,7 +377,7 @@ SSLContextStorage::lookup(const char * name) const #if TS_HAS_TESTS -REGRESSION_TEST(SSLWildcardMatch)(RegressionTest * t, int /* atype ATS_UNUSED */, int * pstatus) +REGRESSION_TEST(SSLWildcardMatch)(RegressionTest *t, int /* atype ATS_UNUSED */, int *pstatus) { TestBox box(t, pstatus); ats_wildcard_matcher wildcard; @@ -375,7 +391,7 @@ REGRESSION_TEST(SSLWildcardMatch)(RegressionTest * t, int /* atype ATS_UNUSED */ box.check(wildcard.match("") == false, "'' is not a wildcard"); } -REGRESSION_TEST(SSLReverseHostname)(RegressionTest * t, int /* atype ATS_UNUSED */, int * pstatus) +REGRESSION_TEST(SSLReverseHostname)(RegressionTest *t, int /* atype ATS_UNUSED */, int *pstatus) { TestBox box(t, pstatus);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLConfig.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index 627ccd2..acd8c19 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc @@ -54,30 +54,20 @@ size_t SSLConfigParams::session_cache_max_bucket_size = 100; init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = NULL; -static ConfigUpdateHandler<SSLCertificateConfig> * sslCertUpdate; +static ConfigUpdateHandler<SSLCertificateConfig> *sslCertUpdate; SSLConfigParams::SSLConfigParams() { - serverCertPathOnly = - serverCertChainFilename = - configFilePath = - serverCACertFilename = - serverCACertPath = - clientCertPath = - clientKeyPath = - clientCACertFilename = - clientCACertPath = - cipherSuite = - client_cipherSuite = - dhparamsFile = - serverKeyPathOnly = NULL; + serverCertPathOnly = serverCertChainFilename = configFilePath = serverCACertFilename = serverCACertPath = clientCertPath = + clientKeyPath = clientCACertFilename = clientCACertPath = cipherSuite = client_cipherSuite = dhparamsFile = serverKeyPathOnly = + NULL; clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0; ssl_ctx_options = 0; ssl_client_ctx_protocols = 0; ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL; - ssl_session_cache_size = 1024*100; + ssl_session_cache_size = 1024 * 100; ssl_session_cache_num_buckets = 1024; // Sessions per bucket is ceil(ssl_session_cache_size / ssl_session_cache_num_buckets) ssl_session_cache_skip_on_contention = 0; ssl_session_cache_timeout = 0; @@ -123,7 +113,7 @@ set_paths_helper(const char *path, const char *filename, char **final_path, char if (final_path) { if (path && path[0] != '/') { *final_path = RecConfigReadPrefixPath(NULL, path); - } else if (!path || path[0] == '\0'){ + } else if (!path || path[0] == '\0') { *final_path = RecConfigReadConfigDir(); } else { *final_path = ats_strdup(path); @@ -133,7 +123,6 @@ set_paths_helper(const char *path, const char *filename, char **final_path, char if (final_filename) { *final_filename = filename ? Layout::get()->relative_to(path, filename) : NULL; } - } void @@ -182,7 +171,7 @@ SSLConfigParams::initialize() if (!client_ssl_options) ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1; - // These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355. +// These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355. #ifdef SSL_OP_NO_TLSv1_1 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1"); if (!options) @@ -218,7 +207,7 @@ SSLConfigParams::initialize() #endif } - // Enable ephemeral DH parameters for the case where we use a cipher with DH forward security. +// Enable ephemeral DH parameters for the case where we use a cipher with DH forward security. #ifdef SSL_OP_SINGLE_DH_USE ssl_ctx_options |= SSL_OP_SINGLE_DH_USE; #endif @@ -230,8 +219,8 @@ SSLConfigParams::initialize() // Enable all SSL compatibility workarounds. ssl_ctx_options |= SSL_OP_ALL; - // According to OpenSSL source, applications must enable this if they support the Server Name extension. Since - // we do, then we ought to enable this. Httpd also enables this unconditionally. +// According to OpenSSL source, applications must enable this if they support the Server Name extension. Since +// we do, then we ought to enable this. Httpd also enables this unconditionally. #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION ssl_ctx_options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; #endif @@ -257,13 +246,11 @@ SSLConfigParams::initialize() REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache"); REC_ReadConfigInteger(ssl_session_cache_size, "proxy.config.ssl.session_cache.size"); REC_ReadConfigInteger(ssl_session_cache_num_buckets, "proxy.config.ssl.session_cache.num_buckets"); - REC_ReadConfigInteger(ssl_session_cache_skip_on_contention, - "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention"); + REC_ReadConfigInteger(ssl_session_cache_skip_on_contention, "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention"); REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout"); REC_ReadConfigInteger(ssl_session_cache_auto_clear, "proxy.config.ssl.session_cache.auto_clear"); - SSLConfigParams::session_cache_max_bucket_size = (size_t)ceil((double)ssl_session_cache_size / - ssl_session_cache_num_buckets); + SSLConfigParams::session_cache_max_bucket_size = (size_t)ceil((double)ssl_session_cache_size / ssl_session_cache_num_buckets); SSLConfigParams::session_cache_skip_on_lock_contention = ssl_session_cache_skip_on_contention; SSLConfigParams::session_cache_number_buckets = ssl_session_cache_num_buckets; @@ -316,18 +303,18 @@ SSLConfig::reconfigure() { SSLConfigParams *params; params = new SSLConfigParams; - params->initialize(); // re-read configuration + params->initialize(); // re-read configuration configid = configProcessor.set(configid, params); } SSLConfigParams * SSLConfig::acquire() { - return ((SSLConfigParams *) configProcessor.get(configid)); + return ((SSLConfigParams *)configProcessor.get(configid)); } void -SSLConfig::release(SSLConfigParams * params) +SSLConfig::release(SSLConfigParams *params) { configProcessor.release(configid, params); } @@ -353,7 +340,7 @@ SSLCertificateConfig::reconfigure() { bool retStatus = true; SSLConfig::scoped_config params; - SSLCertLookup * lookup = new SSLCertLookup(); + SSLCertLookup *lookup = new SSLCertLookup(); // Test SSL certificate loading startup. With large numbers of certificates, reloading can take time, so delay // twice the healthcheck period to simulate a loading a large certificate set. @@ -381,8 +368,7 @@ SSLCertificateConfig::acquire() } void -SSLCertificateConfig::release(SSLCertLookup * lookup) +SSLCertificateConfig::release(SSLCertLookup *lookup) { configProcessor.release(configid, lookup); } - http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLNetAccept.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNetAccept.cc b/iocore/net/SSLNetAccept.cc index 9f5b196..b4017be 100644 --- a/iocore/net/SSLNetAccept.cc +++ b/iocore/net/SSLNetAccept.cc @@ -22,7 +22,7 @@ #include "ink_config.h" #include "P_Net.h" -typedef int (SSLNetAccept::*SSLNetAcceptHandler) (int, void *); +typedef int (SSLNetAccept::*SSLNetAcceptHandler)(int, void *); // Virtual function allows the correct // etype to be used in NetAccept functions (ET_SSL @@ -48,9 +48,9 @@ SSLNetAccept::init_accept_per_thread() if (do_listen(NON_BLOCKING)) return; if (accept_fn == net_accept) - SET_HANDLER((SSLNetAcceptHandler) & SSLNetAccept::acceptFastEvent); + SET_HANDLER((SSLNetAcceptHandler)&SSLNetAccept::acceptFastEvent); else - SET_HANDLER((SSLNetAcceptHandler) & SSLNetAccept::acceptEvent); + SET_HANDLER((SSLNetAcceptHandler)&SSLNetAccept::acceptEvent); period = ACCEPT_PERIOD; n = eventProcessor.n_threads_for_type[SSLNetProcessor::ET_SSL]; for (i = 0; i < n; i++) { http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLNetProcessor.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc index 761487c..f52611a 100644 --- a/iocore/net/SSLNetProcessor.cc +++ b/iocore/net/SSLNetProcessor.cc @@ -31,24 +31,21 @@ // Global Data // -SSLNetProcessor ssl_NetProcessor; -NetProcessor& sslNetProcessor = ssl_NetProcessor; -EventType SSLNetProcessor::ET_SSL; +SSLNetProcessor ssl_NetProcessor; +NetProcessor &sslNetProcessor = ssl_NetProcessor; +EventType SSLNetProcessor::ET_SSL; #ifdef HAVE_OPENSSL_OCSP_STAPLING -struct OCSPContinuation:public Continuation -{ - int mainEvent(int /* event ATS_UNUSED */, Event* /* e ATS_UNUSED */) +struct OCSPContinuation : public Continuation { + int + mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */) { ocsp_update(); return EVENT_CONT; } - OCSPContinuation():Continuation(new_ProxyMutex()) - { - SET_HANDLER(&OCSPContinuation::mainEvent); - } + OCSPContinuation() : Continuation(new_ProxyMutex()) { SET_HANDLER(&OCSPContinuation::mainEvent); } }; #endif /* HAVE_OPENSSL_OCSP_STAPLING */ @@ -68,7 +65,8 @@ SSLNetProcessor::start(int number_of_ssl_threads, size_t stacksize) SSLInitializeLibrary(); SSLConfig::startup(); - if (!SSLCertificateConfig::startup()) return -1; + if (!SSLCertificateConfig::startup()) + return -1; // Acquire a SSLConfigParams instance *after* we start SSL up. SSLConfig::scoped_config params; @@ -112,13 +110,13 @@ SSLNetProcessor::start(int number_of_ssl_threads, size_t stacksize) NetAccept * SSLNetProcessor::createNetAccept() { - return (NetAccept *) new SSLNetAccept; + return (NetAccept *)new SSLNetAccept; } // Virtual function allows etype to be upgraded to ET_SSL for SSLNetProcessor. Does // nothing for NetProcessor void -SSLNetProcessor::upgradeEtype(EventType & etype) +SSLNetProcessor::upgradeEtype(EventType &etype) { if (etype == ET_NET) { etype = ET_SSL; @@ -141,8 +139,7 @@ SSLNetProcessor::allocate_vc(EThread *t) return vc; } -SSLNetProcessor::SSLNetProcessor() - : client_ctx(NULL) +SSLNetProcessor::SSLNetProcessor() : client_ctx(NULL) { } http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLNetVConnection.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 168a9f8..3d58072 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -25,102 +25,107 @@ #include "P_Net.h" #include "P_SSLNextProtocolSet.h" #include "P_SSLUtils.h" -#include "InkAPIInternal.h" // Added to include the ssl_hook definitions +#include "InkAPIInternal.h" // Added to include the ssl_hook definitions // Defined in SSLInternal.c, should probably make a separate include // file for this at some point void SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio); -#define SSL_READ_ERROR_NONE 0 -#define SSL_READ_ERROR 1 -#define SSL_READ_READY 2 -#define SSL_READ_COMPLETE 3 -#define SSL_READ_WOULD_BLOCK 4 -#define SSL_READ_EOS 5 -#define SSL_HANDSHAKE_WANT_READ 6 -#define SSL_HANDSHAKE_WANT_WRITE 7 +#define SSL_READ_ERROR_NONE 0 +#define SSL_READ_ERROR 1 +#define SSL_READ_READY 2 +#define SSL_READ_COMPLETE 3 +#define SSL_READ_WOULD_BLOCK 4 +#define SSL_READ_EOS 5 +#define SSL_HANDSHAKE_WANT_READ 6 +#define SSL_HANDSHAKE_WANT_WRITE 7 #define SSL_HANDSHAKE_WANT_ACCEPT 8 #define SSL_HANDSHAKE_WANT_CONNECT 9 -#define SSL_WRITE_WOULD_BLOCK 10 -#define SSL_WAIT_FOR_HOOK 11 +#define SSL_WRITE_WOULD_BLOCK 10 +#define SSL_WAIT_FOR_HOOK 11 #ifndef UIO_MAXIOV -#define NET_MAX_IOV 16 // UIO_MAXIOV shall be at least 16 1003.1g (5.4.1.1) +#define NET_MAX_IOV 16 // UIO_MAXIOV shall be at least 16 1003.1g (5.4.1.1) #else #define NET_MAX_IOV UIO_MAXIOV #endif ClassAllocator<SSLNetVConnection> sslNetVCAllocator("sslNetVCAllocator"); -namespace { - /// Callback to get two locks. - /// The lock for this continuation, and for the target continuation. - class ContWrapper : public Continuation +namespace +{ +/// Callback to get two locks. +/// The lock for this continuation, and for the target continuation. +class ContWrapper : public Continuation +{ +public: + /** Constructor. + This takes the secondary @a mutex and the @a target continuation + to invoke, along with the arguments for that invocation. + */ + ContWrapper(ProxyMutex *mutex ///< Mutex for this continuation (primary lock). + , + Continuation *target ///< "Real" continuation we want to call. + , + int eventId = EVENT_IMMEDIATE ///< Event ID for invocation of @a target. + , + void *edata = 0 ///< Data for invocation of @a target. + ) + : Continuation(mutex), _target(target), _eventId(eventId), _edata(edata) { - public: - /** Constructor. - This takes the secondary @a mutex and the @a target continuation - to invoke, along with the arguments for that invocation. - */ - ContWrapper( - ProxyMutex* mutex ///< Mutex for this continuation (primary lock). - , Continuation* target ///< "Real" continuation we want to call. - , int eventId = EVENT_IMMEDIATE ///< Event ID for invocation of @a target. - , void* edata = 0 ///< Data for invocation of @a target. - ) - : Continuation(mutex) - , _target(target) - , _eventId(eventId) - , _edata(edata) - { - SET_HANDLER(&ContWrapper::event_handler); - } + SET_HANDLER(&ContWrapper::event_handler); + } - /// Required event handler method. - int event_handler(int, void*) - { - EThread* eth = this_ethread(); - - MUTEX_TRY_LOCK(lock, _target->mutex, eth); - if (lock.is_locked()) { // got the target lock, we can proceed. - _target->handleEvent(_eventId, _edata); - delete this; - } else { // can't get both locks, try again. - eventProcessor.schedule_imm(this, ET_NET); - } - return 0; + /// Required event handler method. + int + event_handler(int, void *) + { + EThread *eth = this_ethread(); + + MUTEX_TRY_LOCK(lock, _target->mutex, eth); + if (lock.is_locked()) { // got the target lock, we can proceed. + _target->handleEvent(_eventId, _edata); + delete this; + } else { // can't get both locks, try again. + eventProcessor.schedule_imm(this, ET_NET); } + return 0; + } - /** Convenience static method. - - This lets a client make one call and not have to (accurately) - copy the invocation logic embedded here. We duplicate it near - by textually so it is easier to keep in sync. - - This takes the same arguments as the constructor but, if the - lock can be obtained immediately, does not construct an - instance but simply calls the @a target. - */ - static void wrap( - ProxyMutex* mutex ///< Mutex for this continuation (primary lock). - , Continuation* target ///< "Real" continuation we want to call. - , int eventId = EVENT_IMMEDIATE ///< Event ID for invocation of @a target. - , void* edata = 0 ///< Data for invocation of @a target. - ) { - EThread* eth = this_ethread(); - MUTEX_TRY_LOCK(lock, target->mutex, eth); - if (lock.is_locked()) { - target->handleEvent(eventId, edata); - } else { - eventProcessor.schedule_imm(new ContWrapper(mutex, target, eventId, edata), ET_NET); - } + /** Convenience static method. + + This lets a client make one call and not have to (accurately) + copy the invocation logic embedded here. We duplicate it near + by textually so it is easier to keep in sync. + + This takes the same arguments as the constructor but, if the + lock can be obtained immediately, does not construct an + instance but simply calls the @a target. + */ + static void + wrap(ProxyMutex *mutex ///< Mutex for this continuation (primary lock). + , + Continuation *target ///< "Real" continuation we want to call. + , + int eventId = EVENT_IMMEDIATE ///< Event ID for invocation of @a target. + , + void *edata = 0 ///< Data for invocation of @a target. + ) + { + EThread *eth = this_ethread(); + MUTEX_TRY_LOCK(lock, target->mutex, eth); + if (lock.is_locked()) { + target->handleEvent(eventId, edata); + } else { + eventProcessor.schedule_imm(new ContWrapper(mutex, target, eventId, edata), ET_NET); } + } - private: - Continuation* _target; ///< Continuation to invoke. - int _eventId; ///< with this event - void* _edata; ///< and this data - }; +private: + Continuation *_target; ///< Continuation to invoke. + int _eventId; ///< with this event + void *_edata; ///< and this data +}; } // @@ -128,9 +133,9 @@ namespace { // static SSL * -make_ssl_connection(SSL_CTX * ctx, SSLNetVConnection * netvc) +make_ssl_connection(SSL_CTX *ctx, SSLNetVConnection *netvc) { - SSL * ssl; + SSL *ssl; if (likely(ssl = SSL_new(ctx))) { netvc->ssl = ssl; @@ -153,9 +158,9 @@ make_ssl_connection(SSL_CTX * ctx, SSLNetVConnection * netvc) } static void -debug_certificate_name(const char * msg, X509_NAME * name) +debug_certificate_name(const char *msg, X509_NAME *name) { - BIO * bio; + BIO *bio; if (name == NULL) { return; @@ -168,7 +173,7 @@ debug_certificate_name(const char * msg, X509_NAME * name) if (X509_NAME_print_ex(bio, name, 0 /* indent */, XN_FLAG_ONELINE) > 0) { long len; - char * ptr; + char *ptr; len = BIO_get_mem_data(bio, &ptr); Debug("ssl", "%s %.*s", msg, (int)len, ptr); } @@ -177,10 +182,10 @@ debug_certificate_name(const char * msg, X509_NAME * name) } static int -ssl_read_from_net(SSLNetVConnection * sslvc, EThread * lthread, int64_t &ret) +ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret) { NetState *s = &sslvc->read; - MIOBufferAccessor & buf = s->vio.buffer; + MIOBufferAccessor &buf = s->vio.buffer; IOBufferBlock *b = buf.writer()->first_write_block(); int event = SSL_READ_ERROR_NONE; int64_t bytes_read; @@ -196,7 +201,7 @@ ssl_read_from_net(SSLNetVConnection * sslvc, EThread * lthread, int64_t &ret) int64_t offset = 0; // while can be replaced with if - need to test what works faster with openssl while (block_write_avail > 0) { - sslErr = SSLReadBuffer (sslvc->ssl, b->end() + offset, block_write_avail, nread); + sslErr = SSLReadBuffer(sslvc->ssl, b->end() + offset, block_write_avail, nread); Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] nread=%d", (int)nread); @@ -241,7 +246,7 @@ ssl_read_from_net(SSLNetVConnection * sslvc, EThread * lthread, int64_t &ret) } else { // then EOF observed, treat it as EOS event = SSL_READ_EOS; - //Error("[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, EOF observed violating SSL protocol"); + // Error("[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, EOF observed violating SSL protocol"); } break; case SSL_ERROR_ZERO_RETURN: @@ -255,10 +260,10 @@ ssl_read_from_net(SSLNetVConnection * sslvc, EThread * lthread, int64_t &ret) ret = errno; SSL_CLR_ERR_INCR_DYN_STAT(sslvc, ssl_error_ssl, "[SSL_NetVConnection::ssl_read_from_net]: errno=%d", errno); break; - } // switch + } // switch break; - } // while( block_write_avail > 0 ) - } // for ( bytes_read = 0; (b != 0); b = b->next) + } // while( block_write_avail > 0 ) + } // for ( bytes_read = 0; (b != 0); b = b->next) if (bytes_read > 0) { Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] bytes_read=%" PRId64, bytes_read); @@ -273,16 +278,15 @@ ssl_read_from_net(SSLNetVConnection * sslvc, EThread * lthread, int64_t &ret) } else { event = SSL_READ_READY; } - } else // if( bytes_read > 0 ) + } else // if( bytes_read > 0 ) { -#if defined (_DEBUG) +#if defined(_DEBUG) if (bytes_read == 0) { Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] bytes_read == 0"); } #endif } return (event); - } /** @@ -341,7 +345,6 @@ SSLNetVConnection::read_raw_data() } // check for errors if (r <= 0) { - if (r == -EAGAIN || r == -ENOTCONN) { NET_INCREMENT_DYN_STAT(net_calls_to_read_nodata_stat); return r; @@ -355,7 +358,6 @@ SSLNetVConnection::read_raw_data() NET_SUM_DYN_STAT(net_read_bytes_stat, r); this->handShakeBuffer->fill(r); - } char *start = this->handShakeReader->start(); @@ -372,7 +374,7 @@ SSLNetVConnection::read_raw_data() } -//changed by YTS Team, yamsat +// changed by YTS Team, yamsat void SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) { @@ -427,11 +429,10 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) this->handShakeReader->consume(this->handShakeBioStored); this->handShakeBioStored = 0; } - } - else { + } else { // Now in blind tunnel. Set things up to read what is in the buffer // Must send the READ_COMPLETE here before considering - // forwarding on the handshake buffer, so the + // forwarding on the handshake buffer, so the // SSLNextProtocolTrampoline has a chance to do its // thing before forwarding the buffers. this->readSignalDone(VC_EVENT_READ_COMPLETE, nh); @@ -505,17 +506,16 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) // Check out if there is anything left in the current bio if (!BIO_eof(SSL_get_rbio(this->ssl))) { // Still data remaining in the current BIO block - } - else { - // Consume what SSL has read so far. + } else { + // Consume what SSL has read so far. this->handShakeReader->consume(this->handShakeBioStored); - + // If we are empty now, switch over if (this->handShakeReader->read_avail() <= 0) { // Switch the read bio over to a socket bio SSL_set_rfd(this->ssl, this->get_socket()); this->free_handshake_buffers(); - } else { + } else { // Setup the next iobuffer block to drain char *start = this->handShakeReader->start(); char *end = this->handShakeReader->end(); @@ -526,7 +526,7 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) BIO *rbio = BIO_new_mem_buf(start, this->handShakeBioStored); BIO_set_mem_eof_return(rbio, -1); SSL_set_rbio(this, rbio); - } + } } } // Otherwise, we already replaced the buffer bio with a socket bio @@ -580,7 +580,8 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) break; case SSL_READ_EOS: - // close the connection if we have SSL_READ_EOS, this is the return value from ssl_read_from_net() if we get an SSL_ERROR_ZERO_RETURN from SSL_get_error() + // close the connection if we have SSL_READ_EOS, this is the return value from ssl_read_from_net() if we get an + // SSL_ERROR_ZERO_RETURN from SSL_get_error() // SSL_ERROR_ZERO_RETURN means that the origin server closed the SSL connection read.triggered = 0; readSignalDone(VC_EVENT_EOS, nh); @@ -601,12 +602,12 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) Debug("ssl", "read_from_net, read finished - read error"); break; } - } int64_t -SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, int64_t &total_written, MIOBufferAccessor & buf, int &needs) +SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, int64_t &total_written, MIOBufferAccessor &buf, + int &needs) { ProxyMutex *mutex = this_ethread()->mutex; int64_t r = 0; @@ -628,7 +629,8 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, i // reset sslTotalBytesSent upon inactivity for SSL_DEF_TLS_RECORD_MSEC_THRESHOLD sslTotalBytesSent = 0; } - Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite, now %" PRId64 ",lastwrite %" PRId64 " ,msec_since_last_write %d", now, sslLastWriteTime, msec_since_last_write); + Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite, now %" PRId64 ",lastwrite %" PRId64 " ,msec_since_last_write %d", now, + sslLastWriteTime, msec_since_last_write); } if (HttpProxyPort::TRANSPORT_BLIND_TUNNEL == this->attributes) { @@ -676,22 +678,23 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, i wattempted = l; total_written += l; - Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite, before SSLWriteBuffer, l=%" PRId64", towrite=%" PRId64", b=%p", - l, towrite, b); + Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite, before SSLWriteBuffer, l=%" PRId64 ", towrite=%" PRId64 ", b=%p", l, + towrite, b); err = SSLWriteBuffer(ssl, b->start() + offset, l, r); if (r == l) { wattempted = total_written; } if (l == orig_l) { - // on to the next block - offset = 0; - b = b->next; + // on to the next block + offset = 0; + b = b->next; } else { - offset += l; + offset += l; } - Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite,Number of bytes written=%" PRId64" , total=%" PRId64"", r, total_written); + Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite,Number of bytes written=%" PRId64 " , total=%" PRId64 "", r, + total_written); NET_INCREMENT_DYN_STAT(net_calls_to_write_stat); } while (r == l && total_written < towrite && b); @@ -735,7 +738,7 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, i SSL_INCREMENT_DYN_STAT(ssl_error_syscall); Debug("ssl.error", "SSL_write-SSL_ERROR_SYSCALL"); break; - // end of stream + // end of stream case SSL_ERROR_ZERO_RETURN: r = -errno; SSL_INCREMENT_DYN_STAT(ssl_error_zero_return); @@ -751,28 +754,17 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, i } } -SSLNetVConnection::SSLNetVConnection(): - ssl(NULL), - sslHandshakeBeginTime(0), - sslLastWriteTime(0), - sslTotalBytesSent(0), - hookOpRequested(TS_SSL_HOOK_OP_DEFAULT), - sslHandShakeComplete(false), - sslClientConnection(false), - sslClientRenegotiationAbort(false), - handShakeBuffer(NULL), - handShakeHolder(NULL), - handShakeReader(NULL), - handShakeBioStored(0), - sslPreAcceptHookState(SSL_HOOKS_INIT), - sslHandshakeHookState(HANDSHAKE_HOOKS_PRE), - npnSet(NULL), - npnEndpoint(NULL) +SSLNetVConnection::SSLNetVConnection() + : ssl(NULL), sslHandshakeBeginTime(0), sslLastWriteTime(0), sslTotalBytesSent(0), hookOpRequested(TS_SSL_HOOK_OP_DEFAULT), + sslHandShakeComplete(false), sslClientConnection(false), sslClientRenegotiationAbort(false), handShakeBuffer(NULL), + handShakeHolder(NULL), handShakeReader(NULL), handShakeBioStored(0), sslPreAcceptHookState(SSL_HOOKS_INIT), + sslHandshakeHookState(HANDSHAKE_HOOKS_PRE), npnSet(NULL), npnEndpoint(NULL) { } void -SSLNetVConnection::free(EThread * t) { +SSLNetVConnection::free(EThread *t) +{ NET_SUM_GLOBAL_DYN_STAT(net_connections_currently_open_stat, -1); got_remote_addr = 0; got_local_addr = 0; @@ -780,7 +772,7 @@ SSLNetVConnection::free(EThread * t) { write.vio.mutex.clear(); this->mutex.clear(); flags = 0; - SET_CONTINUATION_HANDLER(this, (SSLNetVConnHandler) & SSLNetVConnection::startEvent); + SET_CONTINUATION_HANDLER(this, (SSLNetVConnHandler)&SSLNetVConnection::startEvent); nh = NULL; read.triggered = 0; write.triggered = 0; @@ -805,7 +797,7 @@ SSLNetVConnection::free(EThread * t) { curHook = 0; hookOpRequested = TS_SSL_HOOK_OP_DEFAULT; npnSet = NULL; - npnEndpoint= NULL; + npnEndpoint = NULL; free_handshake_buffers(); if (from_accept_thread) { @@ -818,7 +810,6 @@ SSLNetVConnection::free(EThread * t) { int SSLNetVConnection::sslStartHandShake(int event, int &err) { - switch (event) { case SSL_EVENT_SERVER: if (this->ssl == NULL) { @@ -880,7 +871,6 @@ SSLNetVConnection::sslStartHandShake(int event, int &err) ink_assert(0); return EVENT_ERROR; } - } int @@ -905,12 +895,12 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) return SSL_WAIT_FOR_HOOK; } } else { // waiting for hook to complete - /* A note on waiting for the hook. I believe that because this logic - cannot proceed as long as a hook is outstanding, the underlying VC - can't go stale. If that can happen for some reason, we'll need to be - more clever and provide some sort of cancel mechanism. I have a trap - in SSLNetVConnection::free to check for this. - */ + /* A note on waiting for the hook. I believe that because this logic + cannot proceed as long as a hook is outstanding, the underlying VC + can't go stale. If that can happen for some reason, we'll need to be + more clever and provide some sort of cancel mechanism. I have a trap + in SSLNetVConnection::free to check for this. + */ return SSL_WAIT_FOR_HOOK; } } @@ -945,10 +935,10 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) if (ssl_error != SSL_ERROR_NONE) { err = errno; - SSLDebugVC(this,"SSL handshake error: %s (%d), errno=%d", SSLErrorName(ssl_error), ssl_error, err); + SSLDebugVC(this, "SSL handshake error: %s (%d), errno=%d", SSLErrorName(ssl_error), ssl_error, err); // start a blind tunnel if tr-pass is set and data does not look like ClientHello - char* buf = handShakeBuffer->buf(); + char *buf = handShakeBuffer->buf(); if (getTransparentPassThrough() && buf && *buf != SSL_OP_HANDSHAKE) { SSLDebugVC(this, "Data does not look like SSL handshake, starting blind tunnel"); this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL; @@ -960,7 +950,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) switch (ssl_error) { case SSL_ERROR_NONE: if (is_debug_tag_set("ssl")) { - X509 * cert = SSL_get_peer_certificate(ssl); + X509 *cert = SSL_get_peer_certificate(ssl); Debug("ssl", "SSL server handshake completed successfully"); if (cert) { @@ -981,13 +971,13 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) } { - const unsigned char * proto = NULL; + const unsigned char *proto = NULL; unsigned len = 0; - // If it's possible to negotiate both NPN and ALPN, then ALPN - // is preferred since it is the server's preference. The server - // preference would not be meaningful if we let the client - // preference have priority. +// If it's possible to negotiate both NPN and ALPN, then ALPN +// is preferred since it is the server's preference. The server +// preference would not be meaningful if we let the client +// preference have priority. #if TS_USE_TLS_ALPN SSL_get0_alpn_selected(ssl, &proto, &len); @@ -1030,7 +1020,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) // This value is only defined in openssl has been patched to // enable the sni callback to break out of the SSL_accept processing -#ifdef SSL_ERROR_WANT_SNI_RESOLVE +#ifdef SSL_ERROR_WANT_SNI_RESOLVE case SSL_ERROR_WANT_X509_LOOKUP: return EVENT_CONT; case SSL_ERROR_WANT_SNI_RESOLVE: @@ -1038,13 +1028,11 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) case SSL_ERROR_WANT_X509_LOOKUP: #endif #if defined(SSL_ERROR_WANT_SNI_RESOLVE) || defined(SSL_ERROR_WANT_X509_LOOKUP) - if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || - TS_SSL_HOOK_OP_TUNNEL == hookOpRequested) { + if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || TS_SSL_HOOK_OP_TUNNEL == hookOpRequested) { this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL; sslHandShakeComplete = 0; return EVENT_CONT; - } - else { + } else { // Stopping for some other reason, perhaps loading certificate return SSL_WAIT_FOR_HOOK; } @@ -1055,13 +1043,12 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) case SSL_ERROR_SSL: SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=%d", errno); - // fall through + // fall through case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_SYSCALL: default: return EVENT_ERROR; } - } @@ -1073,7 +1060,7 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) if (SSL_set_tlsext_host_name(ssl, options.sni_servername)) { Debug("ssl", "using SNI name '%s' for client handshake", options.sni_servername.get()); } else { - Debug("ssl.error","failed to set SNI name '%s' for client handshake", options.sni_servername.get()); + Debug("ssl.error", "failed to set SNI name '%s' for client handshake", options.sni_servername.get()); SSL_INCREMENT_DYN_STAT(ssl_sni_name_set_failure); } } @@ -1083,7 +1070,7 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) switch (ssl_error) { case SSL_ERROR_NONE: if (is_debug_tag_set("ssl")) { - X509 * cert = SSL_get_peer_certificate(ssl); + X509 *cert = SSL_get_peer_certificate(ssl); Debug("ssl", "SSL client handshake completed successfully"); // if the handshake is complete and write is enabled reschedule the write @@ -1140,14 +1127,12 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_SSL errno=%d", errno); return EVENT_ERROR; break; - } return EVENT_CONT; - } void -SSLNetVConnection::registerNextProtocolSet(const SSLNextProtocolSet * s) +SSLNetVConnection::registerNextProtocolSet(const SSLNextProtocolSet *s) { ink_release_assert(this->npnSet == NULL); this->npnSet = s; @@ -1157,10 +1142,9 @@ SSLNetVConnection::registerNextProtocolSet(const SSLNextProtocolSet * s) // allows the client to select a preferred protocol, so all we have // to do here is tell them what out protocol set is. int -SSLNetVConnection::advertise_next_protocol(SSL *ssl, const unsigned char **out, unsigned int *outlen, - void * /*arg ATS_UNUSED */) +SSLNetVConnection::advertise_next_protocol(SSL *ssl, const unsigned char **out, unsigned int *outlen, void * /*arg ATS_UNUSED */) { - SSLNetVConnection * netvc = (SSLNetVConnection *)SSL_get_app_data(ssl); + SSLNetVConnection *netvc = (SSLNetVConnection *)SSL_get_app_data(ssl); ink_release_assert(netvc != NULL); @@ -1175,17 +1159,18 @@ SSLNetVConnection::advertise_next_protocol(SSL *ssl, const unsigned char **out, // ALPN TLS extension callback. Given the client's set of offered // protocols, we have to select a protocol to use for this session. int -SSLNetVConnection::select_next_protocol(SSL * ssl, const unsigned char ** out, unsigned char * outlen, const unsigned char * in ATS_UNUSED, unsigned inlen ATS_UNUSED, void *) +SSLNetVConnection::select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, + const unsigned char *in ATS_UNUSED, unsigned inlen ATS_UNUSED, void *) { - SSLNetVConnection * netvc = (SSLNetVConnection *)SSL_get_app_data(ssl); - const unsigned char * npn = NULL; + SSLNetVConnection *netvc = (SSLNetVConnection *)SSL_get_app_data(ssl); + const unsigned char *npn = NULL; unsigned npnsz = 0; ink_release_assert(netvc != NULL); if (netvc->npnSet && netvc->npnSet->advertiseProtocols(&npn, &npnsz)) { - // SSL_select_next_proto chooses the first server-offered protocol that appears in the clients protocol set, ie. the - // server selects the protocol. This is a n^2 search, so it's preferable to keep the protocol set short. +// SSL_select_next_proto chooses the first server-offered protocol that appears in the clients protocol set, ie. the +// server selects the protocol. This is a n^2 search, so it's preferable to keep the protocol set short. #if HAVE_SSL_SELECT_NEXT_PROTO if (SSL_select_next_proto((unsigned char **)out, outlen, npn, npnsz, in, inlen) == OPENSSL_NPN_NEGOTIATED) { @@ -1201,7 +1186,8 @@ SSLNetVConnection::select_next_protocol(SSL * ssl, const unsigned char ** out, u } void -SSLNetVConnection::reenable(NetHandler* nh) { +SSLNetVConnection::reenable(NetHandler *nh) +{ if (this->sslPreAcceptHookState != SSL_HOOKS_DONE) { this->sslPreAcceptHookState = SSL_HOOKS_INVOKE; this->readReschedule(nh); @@ -1215,7 +1201,7 @@ SSLNetVConnection::reenable(NetHandler* nh) { // here in the reenable. if (curHook != NULL) { curHook = curHook->next(); - if (curHook != NULL) { + if (curHook != NULL) { // Invoke the hook curHook->invoke(TS_SSL_CERT_HOOK, this); } @@ -1229,11 +1215,12 @@ SSLNetVConnection::reenable(NetHandler* nh) { bool -SSLNetVConnection::sslContextSet(void* ctx) { +SSLNetVConnection::sslContextSet(void *ctx) +{ #if TS_USE_TLS_SNI bool zret = true; if (ssl) - SSL_set_SSL_CTX(ssl, static_cast<SSL_CTX*>(ctx)); + SSL_set_SSL_CTX(ssl, static_cast<SSL_CTX *>(ctx)); else zret = false; #else @@ -1245,7 +1232,7 @@ SSLNetVConnection::sslContextSet(void* ctx) { bool SSLNetVConnection::callHooks(TSHttpHookID eventId) { - // Only dealing with the SNI/CERT hook so far. + // Only dealing with the SNI/CERT hook so far. // TS_SSL_SNI_HOOK and TS_SSL_CERT_HOOK are the same value ink_assert(eventId == TS_SSL_CERT_HOOK); @@ -1261,8 +1248,7 @@ SSLNetVConnection::callHooks(TSHttpHookID eventId) } else { curHook = ssl_hooks->get(TS_SSL_CERT_INTERNAL_HOOK); } - } - else { + } else { // Not in the right state, or no plugins registered for this hook // reenable and continue return true; @@ -1279,5 +1265,3 @@ SSLNetVConnection::callHooks(TSHttpHookID eventId) this->sslHandshakeHookState = holdState; return reenabled; } - - http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLNextProtocolAccept.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNextProtocolAccept.cc b/iocore/net/SSLNextProtocolAccept.cc index 9dce31c..ad347f2 100644 --- a/iocore/net/SSLNextProtocolAccept.cc +++ b/iocore/net/SSLNextProtocolAccept.cc @@ -24,10 +24,10 @@ #include "P_SSLNextProtocolAccept.h" static void -send_plugin_event(Continuation * plugin, int event, void * edata) +send_plugin_event(Continuation *plugin, int event, void *edata) { if (plugin->mutex) { - EThread * thread(this_ethread()); + EThread *thread(this_ethread()); MUTEX_TAKE_LOCK(plugin->mutex, thread); plugin->handleEvent(event, edata); MUTEX_UNTAKE_LOCK(plugin->mutex, thread); @@ -37,11 +37,11 @@ send_plugin_event(Continuation * plugin, int event, void * edata) } static SSLNetVConnection * -ssl_netvc_cast(int event, void * edata) +ssl_netvc_cast(int event, void *edata) { union { - VIO * vio; - NetVConnection * vc; + VIO *vio; + NetVConnection *vc; } ptr; switch (event) { @@ -63,20 +63,18 @@ ssl_netvc_cast(int event, void * edata) // NPN extension. The Continuation that receives the read event *must* have a mutex, but we don't want to take a global // lock across the handshake, so we make a trampoline to bounce the event from the SSL acceptor to the ultimate session // acceptor. -struct SSLNextProtocolTrampoline : public Continuation -{ - explicit - SSLNextProtocolTrampoline(const SSLNextProtocolAccept * npn, ProxyMutex* mutex) - : Continuation(mutex), npnParent(npn) +struct SSLNextProtocolTrampoline : public Continuation { + explicit SSLNextProtocolTrampoline(const SSLNextProtocolAccept *npn, ProxyMutex *mutex) : Continuation(mutex), npnParent(npn) { SET_HANDLER(&SSLNextProtocolTrampoline::ioCompletionEvent); } - int ioCompletionEvent(int event, void * edata) + int + ioCompletionEvent(int event, void *edata) { - VIO * vio; - Continuation * plugin; - SSLNetVConnection * netvc; + VIO *vio; + Continuation *plugin; + SSLNetVConnection *netvc; vio = static_cast<VIO *>(edata); netvc = dynamic_cast<SSLNetVConnection *>(vio->vc_server); @@ -111,13 +109,13 @@ struct SSLNextProtocolTrampoline : public Continuation return EVENT_CONT; } - const SSLNextProtocolAccept * npnParent; + const SSLNextProtocolAccept *npnParent; }; int -SSLNextProtocolAccept::mainEvent(int event, void * edata) +SSLNextProtocolAccept::mainEvent(int event, void *edata) { - SSLNetVConnection * netvc = ssl_netvc_cast(event, edata); + SSLNetVConnection *netvc = ssl_netvc_cast(event, edata); netvc->sslHandshakeBeginTime = ink_get_hrtime(); Debug("ssl", "[SSLNextProtocolAccept:mainEvent] event %d netvc %p", event, netvc); @@ -148,22 +146,19 @@ SSLNextProtocolAccept::accept(NetVConnection *, MIOBuffer *, IOBufferReader *) } bool -SSLNextProtocolAccept::registerEndpoint( - const char * protocol, Continuation * handler) +SSLNextProtocolAccept::registerEndpoint(const char *protocol, Continuation *handler) { return this->protoset.registerEndpoint(protocol, handler); } bool -SSLNextProtocolAccept::unregisterEndpoint( - const char * protocol, Continuation * handler) +SSLNextProtocolAccept::unregisterEndpoint(const char *protocol, Continuation *handler) { return this->protoset.unregisterEndpoint(protocol, handler); } -SSLNextProtocolAccept::SSLNextProtocolAccept(Continuation * ep, bool transparent_passthrough) - : SessionAccept(NULL), buffer(new_empty_MIOBuffer()), endpoint(ep), - transparent_passthrough(transparent_passthrough) +SSLNextProtocolAccept::SSLNextProtocolAccept(Continuation *ep, bool transparent_passthrough) + : SessionAccept(NULL), buffer(new_empty_MIOBuffer()), endpoint(ep), transparent_passthrough(transparent_passthrough) { SET_HANDLER(&SSLNextProtocolAccept::mainEvent); } http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLNextProtocolSet.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNextProtocolSet.cc b/iocore/net/SSLNextProtocolSet.cc index df0e5a1..751f67a 100644 --- a/iocore/net/SSLNextProtocolSet.cc +++ b/iocore/net/SSLNextProtocolSet.cc @@ -34,7 +34,7 @@ // not say how many bytes the length is. For the record, it's 1. unsigned char * -append_protocol(const char * proto, unsigned char * buf) +append_protocol(const char *proto, unsigned char *buf) { size_t sz = strlen(proto); *buf++ = (unsigned char)sz; @@ -43,12 +43,10 @@ append_protocol(const char * proto, unsigned char * buf) } static bool -create_npn_advertisement( - const SSLNextProtocolSet::NextProtocolEndpoint::list_type& endpoints, - unsigned char ** npn, size_t * len) +create_npn_advertisement(const SSLNextProtocolSet::NextProtocolEndpoint::list_type &endpoints, unsigned char **npn, size_t *len) { - const SSLNextProtocolSet::NextProtocolEndpoint * ep; - unsigned char * advertised; + const SSLNextProtocolSet::NextProtocolEndpoint *ep; + unsigned char *advertised; *npn = NULL; *len = 0; @@ -77,7 +75,7 @@ fail: } bool -SSLNextProtocolSet::advertiseProtocols(const unsigned char ** out, unsigned * len) const +SSLNextProtocolSet::advertiseProtocols(const unsigned char **out, unsigned *len) const { if (npn && npnsz) { *out = npn; @@ -89,7 +87,7 @@ SSLNextProtocolSet::advertiseProtocols(const unsigned char ** out, unsigned * le } bool -SSLNextProtocolSet::registerEndpoint(const char * proto, Continuation * ep) +SSLNextProtocolSet::registerEndpoint(const char *proto, Continuation *ep) { size_t len = strlen(proto); @@ -116,11 +114,9 @@ SSLNextProtocolSet::registerEndpoint(const char * proto, Continuation * ep) } bool -SSLNextProtocolSet::unregisterEndpoint(const char * proto, Continuation * ep) +SSLNextProtocolSet::unregisterEndpoint(const char *proto, Continuation *ep) { - - for (NextProtocolEndpoint * e = this->endpoints.head; - e; e = this->endpoints.next(e)) { + for (NextProtocolEndpoint *e = this->endpoints.head; e; e = this->endpoints.next(e)) { if (strcmp(proto, e->protocol) == 0 && e->endpoint == ep) { // Protocol must be registered only once; no need to remove // any more entries. @@ -133,10 +129,9 @@ SSLNextProtocolSet::unregisterEndpoint(const char * proto, Continuation * ep) } Continuation * -SSLNextProtocolSet::findEndpoint( - const unsigned char * proto, unsigned len) const +SSLNextProtocolSet::findEndpoint(const unsigned char *proto, unsigned len) const { - for (const NextProtocolEndpoint * ep = this->endpoints.head; ep != NULL; ep = this->endpoints.next(ep)) { + for (const NextProtocolEndpoint *ep = this->endpoints.head; ep != NULL; ep = this->endpoints.next(ep)) { size_t sz = strlen(ep->protocol); if (sz == len && memcmp(ep->protocol, proto, len) == 0) { return ep->endpoint; @@ -145,8 +140,7 @@ SSLNextProtocolSet::findEndpoint( return NULL; } -SSLNextProtocolSet::SSLNextProtocolSet() - : npn(0), npnsz(0) +SSLNextProtocolSet::SSLNextProtocolSet() : npn(0), npnsz(0) { } @@ -154,14 +148,13 @@ SSLNextProtocolSet::~SSLNextProtocolSet() { ats_free(this->npn); - for (NextProtocolEndpoint * ep; (ep = this->endpoints.pop());) { + for (NextProtocolEndpoint *ep; (ep = this->endpoints.pop());) { delete ep; } } -SSLNextProtocolSet::NextProtocolEndpoint::NextProtocolEndpoint( - const char * _proto, Continuation * _ep) - : protocol(_proto), endpoint(_ep) +SSLNextProtocolSet::NextProtocolEndpoint::NextProtocolEndpoint(const char *_proto, Continuation *_ep) + : protocol(_proto), endpoint(_ep) { } http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLSessionCache.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLSessionCache.cc b/iocore/net/SSLSessionCache.cc index 6fdd3c5..740b14f 100644 --- a/iocore/net/SSLSessionCache.cc +++ b/iocore/net/SSLSessionCache.cc @@ -37,30 +37,33 @@ using ts::detail::RBNode; /* Session Cache */ -SSLSessionCache::SSLSessionCache() - : session_bucket(NULL), nbuckets(SSLConfigParams::session_cache_number_buckets) +SSLSessionCache::SSLSessionCache() : session_bucket(NULL), nbuckets(SSLConfigParams::session_cache_number_buckets) { - Debug("ssl.session_cache", "Created new ssl session cache %p with %zu buckets each with size max size %zu", - this, nbuckets, SSLConfigParams::session_cache_max_bucket_size); + Debug("ssl.session_cache", "Created new ssl session cache %p with %zu buckets each with size max size %zu", this, nbuckets, + SSLConfigParams::session_cache_max_bucket_size); session_bucket = new SSLSessionBucket[nbuckets]; } -SSLSessionCache::~SSLSessionCache() { - delete []session_bucket; +SSLSessionCache::~SSLSessionCache() +{ + delete[] session_bucket; } -bool SSLSessionCache::getSession(const SSLSessionID &sid, SSL_SESSION **sess) const { +bool +SSLSessionCache::getSession(const SSLSessionID &sid, SSL_SESSION **sess) const +{ uint64_t hash = sid.hash(); uint64_t target_bucket = hash % nbuckets; SSLSessionBucket *bucket = &session_bucket[target_bucket]; bool ret = false; if (is_debug_tag_set("ssl.session_cache")) { - char buf[sid.len * 2 + 1]; - sid.toString(buf, sizeof(buf)); - Debug("ssl.session_cache.get", "SessionCache looking in bucket %" PRId64 " (%p) for session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf, hash); - } + char buf[sid.len * 2 + 1]; + sid.toString(buf, sizeof(buf)); + Debug("ssl.session_cache.get", "SessionCache looking in bucket %" PRId64 " (%p) for session '%s' (hash: %" PRIX64 ").", + target_bucket, bucket, buf, hash); + } ret = bucket->getSession(sid, sess); @@ -72,41 +75,49 @@ bool SSLSessionCache::getSession(const SSLSessionID &sid, SSL_SESSION **sess) co return ret; } -void SSLSessionCache::removeSession(const SSLSessionID &sid) { +void +SSLSessionCache::removeSession(const SSLSessionID &sid) +{ uint64_t hash = sid.hash(); uint64_t target_bucket = hash % nbuckets; SSLSessionBucket *bucket = &session_bucket[target_bucket]; if (is_debug_tag_set("ssl.session_cache")) { - char buf[sid.len * 2 + 1]; - sid.toString(buf, sizeof(buf)); - Debug("ssl.session_cache.remove", "SessionCache using bucket %" PRId64 " (%p): Removing session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf, hash); - } + char buf[sid.len * 2 + 1]; + sid.toString(buf, sizeof(buf)); + Debug("ssl.session_cache.remove", "SessionCache using bucket %" PRId64 " (%p): Removing session '%s' (hash: %" PRIX64 ").", + target_bucket, bucket, buf, hash); + } SSL_INCREMENT_DYN_STAT(ssl_session_cache_eviction); bucket->removeSession(sid); } -void SSLSessionCache::insertSession(const SSLSessionID &sid, SSL_SESSION *sess) { +void +SSLSessionCache::insertSession(const SSLSessionID &sid, SSL_SESSION *sess) +{ uint64_t hash = sid.hash(); uint64_t target_bucket = hash % nbuckets; SSLSessionBucket *bucket = &session_bucket[target_bucket]; if (is_debug_tag_set("ssl.session_cache")) { - char buf[sid.len * 2 + 1]; - sid.toString(buf, sizeof(buf)); - Debug("ssl.session_cache.insert", "SessionCache using bucket %" PRId64 " (%p): Inserting session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf, hash); - } + char buf[sid.len * 2 + 1]; + sid.toString(buf, sizeof(buf)); + Debug("ssl.session_cache.insert", "SessionCache using bucket %" PRId64 " (%p): Inserting session '%s' (hash: %" PRIX64 ").", + target_bucket, bucket, buf, hash); + } bucket->insertSession(sid, sess); } -void SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess) { +void +SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess) +{ size_t len = i2d_SSL_SESSION(sess, NULL); // make sure we're not going to need more than SSL_MAX_SESSION_SIZE bytes /* do not cache a session that's too big. */ - if (len > (size_t) SSL_MAX_SESSION_SIZE) { - Debug("ssl.session_cache", "Unable to save SSL session because size of %zd exceeds the max of %d", len, SSL_MAX_SESSION_SIZE); - return; + if (len > (size_t)SSL_MAX_SESSION_SIZE) { + Debug("ssl.session_cache", "Unable to save SSL session because size of %zd exceeds the max of %d", len, SSL_MAX_SESSION_SIZE); + return; } if (is_debug_tag_set("ssl.session_cache")) { @@ -134,7 +145,7 @@ void SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess) PRINT_BUCKET("insertSession before") if (queue.size >= static_cast<int>(SSLConfigParams::session_cache_max_bucket_size)) { - removeOldestSession(); + removeOldestSession(); } /* do the actual insert */ @@ -143,23 +154,24 @@ void SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess) PRINT_BUCKET("insertSession after") } -bool SSLSessionBucket::getSession(const SSLSessionID &id, - SSL_SESSION **sess) { +bool +SSLSessionBucket::getSession(const SSLSessionID &id, SSL_SESSION **sess) +{ char buf[id.len * 2 + 1]; buf[0] = '\0'; // just to be safe. if (is_debug_tag_set("ssl.session_cache")) { - id.toString(buf, sizeof(buf)); + id.toString(buf, sizeof(buf)); } Debug("ssl.session_cache", "Looking for session with id '%s' in bucket %p", buf, this); MUTEX_TRY_LOCK(lock, mutex, this_ethread()); if (!lock.is_locked()) { - SSL_INCREMENT_DYN_STAT(ssl_session_cache_lock_contention); - if (SSLConfigParams::session_cache_skip_on_lock_contention) - return false; + SSL_INCREMENT_DYN_STAT(ssl_session_cache_lock_contention); + if (SSLConfigParams::session_cache_skip_on_lock_contention) + return false; - lock.acquire(this_ethread()); + lock.acquire(this_ethread()); } PRINT_BUCKET("getSession") @@ -167,12 +179,11 @@ bool SSLSessionBucket::getSession(const SSLSessionID &id, // We work backwards because that's the most likely place we'll find our session... SSLSession *node = queue.tail; while (node) { - if (node->session_id == id) - { - const unsigned char *loc = reinterpret_cast<const unsigned char *>(node->asn1_data->data()); - *sess = d2i_SSL_SESSION(NULL, &loc, node->len_asn1_data); + if (node->session_id == id) { + const unsigned char *loc = reinterpret_cast<const unsigned char *>(node->asn1_data->data()); + *sess = d2i_SSL_SESSION(NULL, &loc, node->len_asn1_data); - return true; + return true; } node = node->link.prev; } @@ -181,10 +192,11 @@ bool SSLSessionBucket::getSession(const SSLSessionID &id, return false; } -void inline SSLSessionBucket::print(const char *ref_str) const { +void inline SSLSessionBucket::print(const char *ref_str) const +{ /* NOTE: This method assumes you're already holding the bucket lock */ if (!is_debug_tag_set("ssl.session_cache.bucket")) { - return; + return; } fprintf(stderr, "-------------- BUCKET %p (%s) ----------------\n", this, ref_str); @@ -192,7 +204,7 @@ void inline SSLSessionBucket::print(const char *ref_str) const { fprintf(stderr, "Queue: \n"); SSLSession *node = queue.head; - while(node) { + while (node) { char s_buf[2 * node->session_id.len + 1]; node->session_id.toString(s_buf, sizeof(s_buf)); fprintf(stderr, " %s\n", s_buf); @@ -200,8 +212,7 @@ void inline SSLSessionBucket::print(const char *ref_str) const { } } -void inline -SSLSessionBucket::removeOldestSession() +void inline SSLSessionBucket::removeOldestSession() { // Caller must hold the bucket lock. ink_assert(this_ethread() == mutex->thread_holding); @@ -212,19 +223,21 @@ SSLSessionBucket::removeOldestSession() if (is_debug_tag_set("ssl.session_cache")) { char buf[old_head->session_id.len * 2 + 1]; old_head->session_id.toString(buf, sizeof(buf)); - Debug("ssl.session_cache", "Removing session '%s' from bucket %p because the bucket has size %d and max %zd", buf, this, (queue.size + 1), SSLConfigParams::session_cache_max_bucket_size); + Debug("ssl.session_cache", "Removing session '%s' from bucket %p because the bucket has size %d and max %zd", buf, this, + (queue.size + 1), SSLConfigParams::session_cache_max_bucket_size); } delete old_head; } PRINT_BUCKET("removeOldestSession after") } -void SSLSessionBucket::removeSession(const SSLSessionID &id) { +void +SSLSessionBucket::removeSession(const SSLSessionID &id) +{ MUTEX_LOCK(lock, mutex, this_ethread()); // We can't bail on contention here because this session MUST be removed. SSLSession *node = queue.head; while (node) { - if (node->session_id == id) - { + if (node->session_id == id) { queue.remove(node); delete node; return; @@ -240,5 +253,3 @@ SSLSessionBucket::SSLSessionBucket() : mutex(new_ProxyMutex()) SSLSessionBucket::~SSLSessionBucket() { } - - http://git-wip-us.apache.org/repos/asf/trafficserver/blob/65477944/iocore/net/SSLSessionCache.h ---------------------------------------------------------------------- diff --git a/iocore/net/SSLSessionCache.h b/iocore/net/SSLSessionCache.h index a0e6f30..15a0a3f 100644 --- a/iocore/net/SSLSessionCache.h +++ b/iocore/net/SSLSessionCache.h @@ -39,26 +39,30 @@ struct SSLSessionID { char bytes[SSL_MAX_SSL_SESSION_ID_LENGTH]; size_t len; - SSLSessionID(const unsigned char *s, size_t l) : len(l) { + SSLSessionID(const unsigned char *s, size_t l) : len(l) + { ink_release_assert(l <= sizeof(bytes)); memcpy(bytes, s, l); } - SSLSessionID(const SSLSessionID& other) { + SSLSessionID(const SSLSessionID &other) + { if (other.len) memcpy(bytes, other.bytes, other.len); len = other.len; } - bool operator<(const SSLSessionID &other) const { - if (len != other.len) - return len < other.len; + bool operator<(const SSLSessionID &other) const + { + if (len != other.len) + return len < other.len; - return (memcmp(bytes, other.bytes, len) < 0); - } + return (memcmp(bytes, other.bytes, len) < 0); + } - SSLSessionID& operator=(const SSLSessionID& other) { + SSLSessionID &operator=(const SSLSessionID &other) + { if (other.len) memcpy(bytes, other.bytes, other.len); @@ -66,15 +70,18 @@ struct SSLSessionID { return *this; } - bool operator==(const SSLSessionID &other) const { - if (len != other.len) - return false; + bool operator==(const SSLSessionID &other) const + { + if (len != other.len) + return false; - // memcmp returns 0 on equal - return (memcmp(bytes, other.bytes, len) == 0); + // memcmp returns 0 on equal + return (memcmp(bytes, other.bytes, len) == 0); } - const char *toString(char *buf, size_t buflen) const { + const char * + toString(char *buf, size_t buflen) const + { char *cur_pos = buf; for (size_t i = 0; i < len && buflen > 0; ++i) { if (buflen > 2) { // we have enough space for 3 bytes, 2 hex and 1 null terminator @@ -89,7 +96,9 @@ struct SSLSessionID { return buf; } - uint64_t hash() const { + uint64_t + hash() const + { // because the session ids should be uniformly random let's just use the upper 64 bits as the hash. if (len >= sizeof(uint64_t)) return *reinterpret_cast<uint64_t *>(const_cast<char *>(bytes)); @@ -98,23 +107,25 @@ struct SSLSessionID { else return 0; } - }; -class SSLSession { +class SSLSession +{ public: SSLSessionID session_id; Ptr<IOBufferData> asn1_data; /* this is the ASN1 representation of the SSL_CTX */ size_t len_asn1_data; SSLSession(const SSLSessionID &id, Ptr<IOBufferData> ssl_asn1_data, size_t len_asn1) - : session_id(id), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1) - { } + : session_id(id), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1) + { + } - LINK(SSLSession, link); + LINK(SSLSession, link); }; -class SSLSessionBucket { +class SSLSessionBucket +{ public: SSLSessionBucket(); ~SSLSessionBucket(); @@ -131,17 +142,18 @@ private: CountQueue<SSLSession> queue; }; -class SSLSessionCache { +class SSLSessionCache +{ public: - bool getSession(const SSLSessionID &sid, SSL_SESSION **sess) const; - void insertSession(const SSLSessionID &sid, SSL_SESSION *sess); - void removeSession(const SSLSessionID &sid); + bool getSession(const SSLSessionID &sid, SSL_SESSION **sess) const; + void insertSession(const SSLSessionID &sid, SSL_SESSION *sess); + void removeSession(const SSLSessionID &sid); SSLSessionCache(); ~SSLSessionCache(); - private: - SSLSessionBucket *session_bucket; - size_t nbuckets; +private: + SSLSessionBucket *session_bucket; + size_t nbuckets; }; #endif /* __SSLSESSIONCACHE_H__ */
