This is an automated email from the ASF dual-hosted git repository.
maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new da07dd7b4a Reduce dup code (#11645)
da07dd7b4a is described below
commit da07dd7b4aaf08948b57cb477a175eb71b043710
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Mon Aug 5 17:20:04 2024 -0600
Reduce dup code (#11645)
---
include/iocore/net/SSLTypes.h | 13 ++++++++++
include/iocore/net/TLSSNISupport.h | 21 ++++++++++-----
src/iocore/net/SSLUtils.cc | 52 +++++++++-----------------------------
src/iocore/net/TLSSNISupport.cc | 26 +++++++++----------
4 files changed, 53 insertions(+), 59 deletions(-)
diff --git a/include/iocore/net/SSLTypes.h b/include/iocore/net/SSLTypes.h
index 9c42eb7f94..5ad26f91fc 100644
--- a/include/iocore/net/SSLTypes.h
+++ b/include/iocore/net/SSLTypes.h
@@ -25,6 +25,7 @@
#include <openssl/ssl.h>
#include <memory>
+#include "tscore/ink_config.h"
enum class SNIRoutingType {
NONE = 0,
@@ -47,6 +48,18 @@ using ssl_curve_id = int;
using ssl_curve_id = uint16_t;
#endif
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+using ClientHelloContainer = SSL *;
+constexpr int CLIENT_HELLO_ERROR = SSL_CLIENT_HELLO_ERROR;
+constexpr int CLIENT_HELLO_RETRY = SSL_CLIENT_HELLO_RETRY;
+constexpr int CLIENT_HELLO_SUCCESS = SSL_CLIENT_HELLO_SUCCESS;
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+using ClientHelloContainer = const
SSL_CLIENT_HELLO *;
+constexpr ssl_select_cert_result_t CLIENT_HELLO_ERROR =
ssl_select_cert_error;
+constexpr ssl_select_cert_result_t CLIENT_HELLO_RETRY =
ssl_select_cert_retry;
+constexpr ssl_select_cert_result_t CLIENT_HELLO_SUCCESS =
ssl_select_cert_success;
+#endif
+
struct SSLMultiCertConfigParams;
using shared_SSLMultiCertConfigParams =
std::shared_ptr<SSLMultiCertConfigParams>;
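Review bot: The `#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB` / `#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB` ladder has no `#else`, so a configuration with neither macro set leaves `ClientHelloContainer` and the three `CLIENT_HELLO_*` constants undefined, and every TU that includes this header (now including TLSSNISupport.h) fails with an unrelated-looking error; the `#if TS_USE_HELLO_CB` guard this commit removes from TLSSNISupport.cc at least made that case compile. If the build is meant to require one of the two callback APIs, say so where it is decided: add `#else` / `#error "An SSL ClientHello callback API (OpenSSL SSL_CTX_set_client_hello_cb or BoringSSL SSL_CTX_set_select_certificate_cb) is required"` before the `#endif`. I cannot tell from the diff whether the build system already guarantees one of the macros.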
diff --git a/include/iocore/net/TLSSNISupport.h
b/include/iocore/net/TLSSNISupport.h
index 5bc9b652a5..2f1277667d 100644
--- a/include/iocore/net/TLSSNISupport.h
+++ b/include/iocore/net/TLSSNISupport.h
@@ -23,8 +23,8 @@
*/
#pragma once
-#include "tscore/ink_config.h"
#include "tscore/ink_memory.h"
+#include "SSLTypes.h"
#include <netinet/in.h>
#include <openssl/ssl.h>
@@ -36,6 +36,19 @@
class TLSSNISupport
{
public:
+ class ClientHello
+ {
+ public:
+ ClientHello(ClientHelloContainer chc) : _chc(chc) {}
+ /**
+ * @return 1 if successful
+ */
+ int getExtension(int type, const uint8_t **out, size_t *outlen);
+
+ private:
+ ClientHelloContainer _chc;
+ };
+
virtual ~TLSSNISupport() = default;
static void initialize();
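Review bot: `ClientHello` wraps a non-owning `ClientHelloContainer` whose referent is only meaningful while the library's ClientHello callback is running (for BoringSSL the `SSL_CLIENT_HELLO *` is a callback-scoped view; as far as I can tell the OpenSSL `get0` accessors are scoped the same way), but nothing on the class says so, and the implicit single-argument constructor makes it easy to build one elsewhere and keep it. I would document that on the class: `/// Non-owning view of the in-flight ClientHello. Valid only for the duration of the SSL ClientHello / select-certificate callback; do not store.` The `@return 1 if successful` comment on `getExtension` should also state what 0 means for the caller and that `*out` points into the library's buffer with that same lifetime, since the only visible caller reads through it immediately.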
@@ -45,11 +58,7 @@ public:
int perform_sni_action(SSL &ssl);
// Callback functions for OpenSSL libraries
-#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
- void on_client_hello(SSL *ssl, int *al, void *arg);
-#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
- void on_client_hello(const SSL_CLIENT_HELLO *client_hello);
-#endif
+ void on_client_hello(ClientHello &client_hello);
void on_servername(SSL *ssl, int *al, void *arg);
const char *get_sni_server_name() const;
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index 6ca3cc23cb..a1ab18a5f4 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -302,75 +302,47 @@ ssl_verify_client_callback(int preverify_ok,
X509_STORE_CTX *ctx)
#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
// Pausable callback
static int
-ssl_client_hello_callback(SSL *s, int *al, void *arg)
+ssl_client_hello_callback(SSL *s, int * /* al ATS_UNUSED */, void * /* arg
ATS_UNUSED */)
{
- TLSSNISupport *snis = TLSSNISupport::getInstance(s);
- if (snis) {
- snis->on_client_hello(s, al, arg);
- int ret = snis->perform_sni_action(*s);
- if (ret != SSL_TLSEXT_ERR_OK) {
- return SSL_CLIENT_HELLO_ERROR;
- }
- } else {
- // This error suggests either of these:
- // 1) Call back on unsupported netvc -- Don't register callback
unnecessarily
- // 2) Call back on stale netvc
- Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback was called
unexpectedly");
- return SSL_CLIENT_HELLO_ERROR;
- }
-
- SSLNetVConnection *netvc = dynamic_cast<SSLNetVConnection *>(snis);
- if (netvc) {
- if (netvc->ssl != s) {
- Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback call back on stale
netvc");
- return SSL_CLIENT_HELLO_ERROR;
- }
-
- bool reenabled = netvc->callHooks(TS_EVENT_SSL_CLIENT_HELLO);
- if (!reenabled) {
- return SSL_CLIENT_HELLO_RETRY;
- }
- }
-
- return SSL_CLIENT_HELLO_SUCCESS;
-}
+ TLSSNISupport::ClientHello ch = {s};
#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
static ssl_select_cert_result_t
ssl_client_hello_callback(const SSL_CLIENT_HELLO *client_hello)
{
- SSL *s = client_hello->ssl;
- TLSSNISupport *snis = TLSSNISupport::getInstance(s);
+ SSL *s = client_hello->ssl;
+ TLSSNISupport::ClientHello ch = {client_hello};
+#endif
+ TLSSNISupport *snis = TLSSNISupport::getInstance(s);
if (snis) {
- snis->on_client_hello(client_hello);
+ snis->on_client_hello(ch);
int ret = snis->perform_sni_action(*s);
if (ret != SSL_TLSEXT_ERR_OK) {
- return ssl_select_cert_error;
+ return CLIENT_HELLO_ERROR;
}
} else {
// This error suggests either of these:
// 1) Call back on unsupported netvc -- Don't register callback
unnecessarily
// 2) Call back on stale netvc
Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback was called
unexpectedly");
- return ssl_select_cert_error;
+ return CLIENT_HELLO_ERROR;
}
SSLNetVConnection *netvc = dynamic_cast<SSLNetVConnection *>(snis);
if (netvc) {
if (netvc->ssl != s) {
Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback call back on stale
netvc");
- return ssl_select_cert_error;
+ return CLIENT_HELLO_ERROR;
}
bool reenabled = netvc->callHooks(TS_EVENT_SSL_CLIENT_HELLO);
if (!reenabled) {
- return ssl_select_cert_retry;
+ return CLIENT_HELLO_RETRY;
}
}
- return ssl_select_cert_success;
+ return CLIENT_HELLO_SUCCESS;
}
-#endif
/**
* Called before either the server or the client certificate is used
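Review bot: In the OpenSSL variant the `al` parameter is now explicitly discarded, so every `CLIENT_HELLO_ERROR` return — the `perform_sni_action` rejection at `ret != SSL_TLSEXT_ERR_OK`, the missing-`snis` case and the stale-netvc case — reaches the peer with whatever alert OpenSSL pre-initialises `*al` to (an internal_error alert, if I read the library correctly) rather than one describing a policy rejection. This predates the commit, since the old code passed `al` through to an `on_client_hello` that ignored it, but merging the two variants is the moment to decide it deliberately. If a handshake_failure alert is wanted for the SNI-action path, keep `al` named in the OpenSSL signature and set `*al = SSL_AD_HANDSHAKE_FAILURE;` under the same `#if` before that return; otherwise a comment at the `ret != SSL_TLSEXT_ERR_OK` branch saying the default alert is intentional would stop the next reader from asking.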
diff --git a/src/iocore/net/TLSSNISupport.cc b/src/iocore/net/TLSSNISupport.cc
index 3608a655af..090ad9d00d 100644
--- a/src/iocore/net/TLSSNISupport.cc
+++ b/src/iocore/net/TLSSNISupport.cc
@@ -24,6 +24,7 @@
#include "iocore/net/SSLSNIConfig.h"
#include "iocore/net/TLSSNISupport.h"
#include "tscore/ink_assert.h"
+#include "tscore/ink_config.h"
#include "tscore/ink_inet.h"
#include "tscore/Diags.h"
@@ -87,24 +88,14 @@ TLSSNISupport::perform_sni_action(SSL &ssl)
return SSL_TLSEXT_ERR_OK;
}
-#if TS_USE_HELLO_CB
void
-#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
-TLSSNISupport::on_client_hello(SSL *ssl, int * /* al ATS_UNUSED */, void * /*
arg ATS_UNUSED */)
-#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
-TLSSNISupport::on_client_hello(const SSL_CLIENT_HELLO *client_hello)
-#endif
+TLSSNISupport::on_client_hello(ClientHello &client_hello)
{
const char *servername = nullptr;
const unsigned char *p;
size_t remaining, len;
// Parse the server name if the get extension call succeeds and there are
more than 2 bytes to parse
-#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
- if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining)
&& remaining > 2)
-#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
- if (SSL_early_callback_ctx_extension_get(client_hello,
TLSEXT_TYPE_server_name, &p, &remaining) && remaining > 2)
-#endif
- {
+ if (client_hello.getExtension(TLSEXT_TYPE_server_name, &p, &remaining) &&
remaining > 2) {
// Parse to get to the name, originally from test/handshake_helper.c in
openssl tree
/* Extract the length of the supplied list of names. */
len = *(p++) << 8;
@@ -132,7 +123,6 @@ TLSSNISupport::on_client_hello(const SSL_CLIENT_HELLO
*client_hello)
this->_set_sni_server_name(std::string_view(servername, len));
}
}
-#endif
void
TLSSNISupport::on_servername(SSL *ssl, int * /* al ATS_UNUSED */, void * /*
arg ATS_UNUSED */)
@@ -186,3 +176,13 @@ TLSSNISupport::would_have_actions_for(const char
*servername, IpEndpoint remote,
}
return retval;
}
+
+int
+TLSSNISupport::ClientHello::getExtension(int type, const uint8_t **out, size_t
*outlen)
+{
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+ return SSL_client_hello_get0_ext(this->_chc, type, out, outlen);
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+ return SSL_early_callback_ctx_extension_get(this->_chc, type, out, outlen);
+#endif
+}
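Review bot: `getExtension` is a non-void function whose body is entirely inside `#if`/`#elif` branches with no `#else`, so with neither macro defined it has no return statement and control falls off the end, which is undefined behaviour that most compilers only warn about. It is cheap to close the gap with `#else` / `return 0;` before the `#endif`, even if the header is expected to reject that configuration first. The function also only reads `_chc`, so it can be declared `const`, which the header's `@return` comment would then match better by saying `1 if the extension was found, 0 otherwise`.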