This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new da07dd7b4a Reduce dup code (#11645)
da07dd7b4a is described below

commit da07dd7b4aaf08948b57cb477a175eb71b043710
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Mon Aug 5 17:20:04 2024 -0600

    Reduce dup code (#11645)
---
 include/iocore/net/SSLTypes.h      | 13 ++++++++++
 include/iocore/net/TLSSNISupport.h | 21 ++++++++++-----
 src/iocore/net/SSLUtils.cc         | 52 +++++++++-----------------------------
 src/iocore/net/TLSSNISupport.cc    | 26 +++++++++----------
 4 files changed, 53 insertions(+), 59 deletions(-)

diff --git a/include/iocore/net/SSLTypes.h b/include/iocore/net/SSLTypes.h
index 9c42eb7f94..5ad26f91fc 100644
--- a/include/iocore/net/SSLTypes.h
+++ b/include/iocore/net/SSLTypes.h
@@ -25,6 +25,7 @@
 
 #include <openssl/ssl.h>
 #include <memory>
+#include "tscore/ink_config.h"
 
 enum class SNIRoutingType {
   NONE = 0,
@@ -47,6 +48,18 @@ using ssl_curve_id = int;
 using ssl_curve_id = uint16_t;
 #endif
 
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+using ClientHelloContainer         = SSL *;
+constexpr int CLIENT_HELLO_ERROR   = SSL_CLIENT_HELLO_ERROR;
+constexpr int CLIENT_HELLO_RETRY   = SSL_CLIENT_HELLO_RETRY;
+constexpr int CLIENT_HELLO_SUCCESS = SSL_CLIENT_HELLO_SUCCESS;
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+using ClientHelloContainer                              = const 
SSL_CLIENT_HELLO *;
+constexpr ssl_select_cert_result_t CLIENT_HELLO_ERROR   = 
ssl_select_cert_error;
+constexpr ssl_select_cert_result_t CLIENT_HELLO_RETRY   = 
ssl_select_cert_retry;
+constexpr ssl_select_cert_result_t CLIENT_HELLO_SUCCESS = 
ssl_select_cert_success;
+#endif
+
 struct SSLMultiCertConfigParams;
 
 using shared_SSLMultiCertConfigParams = 
std::shared_ptr<SSLMultiCertConfigParams>;
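Review bot: The new `#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB … #elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB … #endif` has no `#else`, and the code that consumes it is no longer guarded: `ClientHello` in TLSSNISupport.h names `ClientHelloContainer` unconditionally, the shared body after `#endif` in the SSLUtils.cc callback would be emitted at file scope, and `ClientHello::getExtension` in TLSSNISupport.cc would fall off the end without a return, whereas before this change the `#if TS_USE_HELLO_CB` and per-API guards compiled all of that out. If the configure step guarantees one of the two macros for every supported TLS library this is only latent, but a build against a library with neither API would then fail with a confusing cascade rather than one clear diagnostic. Adding `#else` / `#error "no ClientHello callback API available (need SSL_CTX_set_client_hello_cb or SSL_CTX_set_select_certificate_cb)"` before the `#endif` here records the assumption and fails early.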
diff --git a/include/iocore/net/TLSSNISupport.h 
b/include/iocore/net/TLSSNISupport.h
index 5bc9b652a5..2f1277667d 100644
--- a/include/iocore/net/TLSSNISupport.h
+++ b/include/iocore/net/TLSSNISupport.h
@@ -23,8 +23,8 @@
  */
 #pragma once
 
-#include "tscore/ink_config.h"
 #include "tscore/ink_memory.h"
+#include "SSLTypes.h"
 
 #include <netinet/in.h>
 #include <openssl/ssl.h>
@@ -36,6 +36,19 @@
 class TLSSNISupport
 {
 public:
+  class ClientHello
+  {
+  public:
+    ClientHello(ClientHelloContainer chc) : _chc(chc) {}
+    /**
+     * @return 1 if successful
+     */
+    int getExtension(int type, const uint8_t **out, size_t *outlen);
+
+  private:
+    ClientHelloContainer _chc;
+  };
+
   virtual ~TLSSNISupport() = default;
 
   static void           initialize();
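Review bot: `ClientHello` wraps a raw `ClientHelloContainer` with no statement of ownership or lifetime, and `getExtension` hands back a pointer through `out` whose validity is equally unstated; both refer to memory owned by the TLS library and, going by the `get0`-style accessor the .cc side calls, presumably only for the duration of the callback. A class comment such as `/// Non-owning view of the ClientHello handed to the library callback; the wrapped pointer and any *out returned by getExtension are owned by the TLS library and must not be retained after the callback returns.` would make that contract visible to future callers. The single-argument constructor is also implicit; `explicit ClientHello(ClientHelloContainer chc) : _chc(chc) {}` closes off accidental conversions from a bare `SSL *`, at the cost of changing the `= {s}` initializations in SSLUtils.cc to direct-init `ch{s}`.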
@@ -45,11 +58,7 @@ public:
 
   int perform_sni_action(SSL &ssl);
   // Callback functions for OpenSSL libraries
-#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
-  void on_client_hello(SSL *ssl, int *al, void *arg);
-#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
-  void on_client_hello(const SSL_CLIENT_HELLO *client_hello);
-#endif
+  void on_client_hello(ClientHello &client_hello);
   void on_servername(SSL *ssl, int *al, void *arg);
 
   const char *get_sni_server_name() const;
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index 6ca3cc23cb..a1ab18a5f4 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -302,75 +302,47 @@ ssl_verify_client_callback(int preverify_ok, 
X509_STORE_CTX *ctx)
 #if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
 // Pausable callback
 static int
-ssl_client_hello_callback(SSL *s, int *al, void *arg)
+ssl_client_hello_callback(SSL *s, int * /* al ATS_UNUSED */, void * /* arg 
ATS_UNUSED */)
 {
-  TLSSNISupport *snis = TLSSNISupport::getInstance(s);
-  if (snis) {
-    snis->on_client_hello(s, al, arg);
-    int ret = snis->perform_sni_action(*s);
-    if (ret != SSL_TLSEXT_ERR_OK) {
-      return SSL_CLIENT_HELLO_ERROR;
-    }
-  } else {
-    // This error suggests either of these:
-    // 1) Call back on unsupported netvc -- Don't register callback 
unnecessarily
-    // 2) Call back on stale netvc
-    Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback was called 
unexpectedly");
-    return SSL_CLIENT_HELLO_ERROR;
-  }
-
-  SSLNetVConnection *netvc = dynamic_cast<SSLNetVConnection *>(snis);
-  if (netvc) {
-    if (netvc->ssl != s) {
-      Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback call back on stale 
netvc");
-      return SSL_CLIENT_HELLO_ERROR;
-    }
-
-    bool reenabled = netvc->callHooks(TS_EVENT_SSL_CLIENT_HELLO);
-    if (!reenabled) {
-      return SSL_CLIENT_HELLO_RETRY;
-    }
-  }
-
-  return SSL_CLIENT_HELLO_SUCCESS;
-}
+  TLSSNISupport::ClientHello ch = {s};
 #elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
 static ssl_select_cert_result_t
 ssl_client_hello_callback(const SSL_CLIENT_HELLO *client_hello)
 {
-  SSL           *s    = client_hello->ssl;
-  TLSSNISupport *snis = TLSSNISupport::getInstance(s);
+  SSL                       *s  = client_hello->ssl;
+  TLSSNISupport::ClientHello ch = {client_hello};
+#endif
 
+  TLSSNISupport *snis = TLSSNISupport::getInstance(s);
   if (snis) {
-    snis->on_client_hello(client_hello);
+    snis->on_client_hello(ch);
     int ret = snis->perform_sni_action(*s);
     if (ret != SSL_TLSEXT_ERR_OK) {
-      return ssl_select_cert_error;
+      return CLIENT_HELLO_ERROR;
     }
   } else {
     // This error suggests either of these:
     // 1) Call back on unsupported netvc -- Don't register callback 
unnecessarily
     // 2) Call back on stale netvc
     Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback was called 
unexpectedly");
-    return ssl_select_cert_error;
+    return CLIENT_HELLO_ERROR;
   }
 
   SSLNetVConnection *netvc = dynamic_cast<SSLNetVConnection *>(snis);
   if (netvc) {
     if (netvc->ssl != s) {
       Dbg(dbg_ctl_ssl_error, "ssl_client_hello_callback call back on stale 
netvc");
-      return ssl_select_cert_error;
+      return CLIENT_HELLO_ERROR;
     }
 
     bool reenabled = netvc->callHooks(TS_EVENT_SSL_CLIENT_HELLO);
     if (!reenabled) {
-      return ssl_select_cert_retry;
+      return CLIENT_HELLO_RETRY;
     }
   }
 
-  return ssl_select_cert_success;
+  return CLIENT_HELLO_SUCCESS;
 }
-#endif
 
 /**
  * Called before either the server or the client certificate is used
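Review bot: The callback's signature and opening brace now live inside the `#if`/`#elif` branches while the body after `#endif` is shared, so a reader following either branch sees a function that appears to stop at `ch = {s};` with no closing brace, and `s` is a parameter in one branch but a local derived from `client_hello->ssl` in the other. A one-line comment at the join, `#endif // both branches define s and ch; the shared body follows`, would make the layout read as deliberate. `TLSSNISupport::ClientHello ch = {s};` and `ch = {client_hello};` are copy-list-initialization through a non-explicit single-argument constructor; `TLSSNISupport::ClientHello ch{s};` states the intended construction and keeps compiling if that constructor is later made `explicit`. The `// Pausable callback` comment now sits inside the OpenSSL branch only, although the `CLIENT_HELLO_RETRY` path it describes is in the shared body.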
diff --git a/src/iocore/net/TLSSNISupport.cc b/src/iocore/net/TLSSNISupport.cc
index 3608a655af..090ad9d00d 100644
--- a/src/iocore/net/TLSSNISupport.cc
+++ b/src/iocore/net/TLSSNISupport.cc
@@ -24,6 +24,7 @@
 #include "iocore/net/SSLSNIConfig.h"
 #include "iocore/net/TLSSNISupport.h"
 #include "tscore/ink_assert.h"
+#include "tscore/ink_config.h"
 #include "tscore/ink_inet.h"
 #include "tscore/Diags.h"
 
@@ -87,24 +88,14 @@ TLSSNISupport::perform_sni_action(SSL &ssl)
   return SSL_TLSEXT_ERR_OK;
 }
 
-#if TS_USE_HELLO_CB
 void
-#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
-TLSSNISupport::on_client_hello(SSL *ssl, int * /* al ATS_UNUSED */, void * /* 
arg ATS_UNUSED */)
-#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
-TLSSNISupport::on_client_hello(const SSL_CLIENT_HELLO *client_hello)
-#endif
+TLSSNISupport::on_client_hello(ClientHello &client_hello)
 {
   const char          *servername = nullptr;
   const unsigned char *p;
   size_t               remaining, len;
   // Parse the server name if the get extension call succeeds and there are 
more than 2 bytes to parse
-#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
-  if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) 
&& remaining > 2)
-#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
-  if (SSL_early_callback_ctx_extension_get(client_hello, 
TLSEXT_TYPE_server_name, &p, &remaining) && remaining > 2)
-#endif
-  {
+  if (client_hello.getExtension(TLSEXT_TYPE_server_name, &p, &remaining) && 
remaining > 2) {
     // Parse to get to the name, originally from test/handshake_helper.c in 
openssl tree
     /* Extract the length of the supplied list of names. */
     len  = *(p++) << 8;
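Review bot: `on_client_hello` only reads from `client_hello` — its single use visible here is the `getExtension` call — so the parameter can become `const ClientHello &client_hello` once the accessor is const-qualified in the header as `int getExtension(int type, const uint8_t **out, size_t *outlen) const;`, which also lets a caller pass a temporary instead of a named lvalue. The function body continues past this hunk, so any further use of `client_hello` beyond this point could not be checked from the diff.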
@@ -132,7 +123,6 @@ TLSSNISupport::on_client_hello(const SSL_CLIENT_HELLO 
*client_hello)
     this->_set_sni_server_name(std::string_view(servername, len));
   }
 }
-#endif
 
 void
 TLSSNISupport::on_servername(SSL *ssl, int * /* al ATS_UNUSED */, void * /* 
arg ATS_UNUSED */)
@@ -186,3 +176,13 @@ TLSSNISupport::would_have_actions_for(const char 
*servername, IpEndpoint remote,
   }
   return retval;
 }
+
+int
+TLSSNISupport::ClientHello::getExtension(int type, const uint8_t **out, size_t 
*outlen)
+{
+#if HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
+  return SSL_client_hello_get0_ext(this->_chc, type, out, outlen);
+#elif HAVE_SSL_CTX_SET_SELECT_CERTIFICATE_CB
+  return SSL_early_callback_ctx_extension_get(this->_chc, type, out, outlen);
+#endif
+}
