From: Amos Jeffries Date: Thu, 23 Jun 2016 02:07:23 +0000 (+1200) Subject: Wipe initial experiments X-Git-Tag: SQUID_4_0_13~39^2~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=014a9017c09bb4fafea7ccadd22fab7ff029c35c;p=thirdparty%2Fsquid.git Wipe initial experiments --- diff --git a/src/base/TidyPointer.h b/src/base/TidyPointer.h index 7d2e1e3ab1..50b21e2a09 100644 --- a/src/base/TidyPointer.h +++ b/src/base/TidyPointer.h @@ -29,7 +29,7 @@ public: T *get() const { return raw; } /// Reset raw pointer - delete last one and save new one. - virtual void reset(T *t) { + void reset(T *t) { deletePointer(); raw = t; } @@ -41,7 +41,7 @@ public: return ret; } /// Deallocate raw pointer. - virtual ~TidyPointer() { + ~TidyPointer() { deletePointer(); } private: diff --git a/src/client_side.cc b/src/client_side.cc index 1481ffdbc5..74ca44c855 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2896,9 +2896,9 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer // fake certificate adaptation requires bump-server-first mode if (!sslServerBump) { assert(port->signingCert.get()); - certProperties.signWithX509.reset(port->signingCert.get()); + certProperties.signWithX509.resetAndLock(port->signingCert.get()); if (port->signPkey.get()) - certProperties.signWithPkey.reset(port->signPkey.get()); + certProperties.signWithPkey.resetAndLock(port->signPkey.get()); certProperties.signAlgorithm = Ssl::algSignTrusted; return; } @@ -2910,7 +2910,7 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer assert(sslServerBump->entry); if (sslServerBump->entry->isEmpty()) { if (X509 *mimicCert = sslServerBump->serverCert.get()) - certProperties.mimicCert.reset(mimicCert); + certProperties.mimicCert.resetAndLock(mimicCert); ACLFilledChecklist checklist(NULL, sslServerBump->request.getRaw(), clientConnection != NULL ? clientConnection->rfc931 : dash_str); @@ -2963,14 +2963,14 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer if (certProperties.signAlgorithm == Ssl::algSignUntrusted) { assert(port->untrustedSigningCert.get()); - certProperties.signWithX509.reset(port->untrustedSigningCert.get()); - certProperties.signWithPkey.reset(port->untrustedSignPkey.get()); + certProperties.signWithX509.resetAndLock(port->untrustedSigningCert.get()); + certProperties.signWithPkey.resetAndLock(port->untrustedSignPkey.get()); } else { assert(port->signingCert.get()); - certProperties.signWithX509.reset(port->signingCert.get()); + certProperties.signWithX509.resetAndLock(port->signingCert.get()); if (port->signPkey.get()) - certProperties.signWithPkey.reset(port->signPkey.get()); + certProperties.signWithPkey.resetAndLock(port->signPkey.get()); } signAlgorithm = certProperties.signAlgorithm; diff --git a/src/security/LockingPointer.h b/src/security/LockingPointer.h index 48de7f7282..837012f356 100644 --- a/src/security/LockingPointer.h +++ b/src/security/LockingPointer.h @@ -12,7 +12,6 @@ #include "base/TidyPointer.h" #if USE_OPENSSL - #if HAVE_OPENSSL_CRYPTO_H #include #endif @@ -25,11 +24,6 @@ sk_object ## _pop_free(a, freefunction); \ } -#else // !USE_OPENSSL - -#include "base/Lock.h" -#include - #endif // Macro to be used to define the C++ equivalent function of an extern "C" @@ -52,61 +46,41 @@ public: typedef TidyPointer Parent; typedef LockingPointer SelfType; - explicit LockingPointer(T *t = nullptr): Parent() {reset(t);} - - virtual ~LockingPointer() { Parent::reset(nullptr); } + explicit LockingPointer(T *t = nullptr): Parent(t) {} explicit LockingPointer(const SelfType &o): Parent() { - reset(o.get()); + resetAndLock(o.get()); } SelfType &operator =(const SelfType & o) { - reset(o.get()); + resetAndLock(o.get()); return *this; } - explicit LockingPointer(LockingPointer &&o): Parent(o.release()) {} +#if __cplusplus >= 201103L + explicit LockingPointer(LockingPointer &&o): Parent(o.release()) { + } LockingPointer &operator =(LockingPointer &&o) { if (o.get() != this->get()) this->reset(o.release()); return *this; } - - virtual void reset(T *t) { - if (t == this->get()) - return; - -#if !USE_OPENSSL - // OpenSSL maintains the reference locks through calls to Deallocator - // our manual locking does not have that luxury - if (this->get()) { - if (SelfType::Locks().at(this->get()).unlock()) - SelfType::Locks().erase(this->get()); - } #endif - Parent::reset(t); - if (t) { + void resetAndLock(T *t) { + if (t != this->get()) { + this->reset(t); #if USE_OPENSSL - CRYPTO_add(&t->references, 1, lock); + if (t) + CRYPTO_add(&t->references, 1, lock); +#elif USE_GNUTLS + // XXX: GnuTLS does not provide locking ? #else - SelfType::Locks()[t].lock(); // find/create and lock + assert(false); #endif } } - -private: -#if !USE_OPENSSL - // since we can never be sure if a raw-* passed to us is already being - // lock counted by another LockingPointer<> and the types pointed to are - // defined by third-party libraries we have to maintain the locks in a - // type-specific static external to both the Pointer and base classes. - static std::unordered_map & Locks() { - static std::unordered_map Instance; - return Instance; - } -#endif }; } // namespace Security diff --git a/src/security/Makefile.am b/src/security/Makefile.am index 34cb761abe..debbb0740f 100644 --- a/src/security/Makefile.am +++ b/src/security/Makefile.am @@ -28,5 +28,4 @@ libsecurity_la_SOURCES= \ ServerOptions.cc \ ServerOptions.h \ Session.cc \ - Session.h \ - support.cc + Session.h diff --git a/src/security/forward.h b/src/security/forward.h index 382f2c9616..54d6b06fb3 100644 --- a/src/security/forward.h +++ b/src/security/forward.h @@ -43,7 +43,7 @@ typedef Security::LockingPointer CertPoin CtoCpp1(gnutls_x509_crt_deinit, gnutls_x509_crt_t) typedef Security::LockingPointer CertPointer; #else -typedef Security::LockingPointer CertPointer; +typedef void * CertPointer; #endif #if USE_OPENSSL @@ -53,7 +53,7 @@ typedef LockingPointer CrlPoi CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t) typedef Security::LockingPointer CrlPointer; #else -typedef Security::LockingPointer CrlPointer; +typedef void *CrlPointer; #endif typedef std::list CertRevokeList; @@ -62,7 +62,7 @@ typedef std::list CertRevokeList; CtoCpp1(DH_free, DH *); typedef Security::LockingPointer DhePointer; #else -typedef Security::LockingPointer DhePointer; +typedef void *DhePointer; #endif class KeyData; diff --git a/src/security/support.cc b/src/security/support.cc deleted file mode 100644 index 0e376d13c2..0000000000 --- a/src/security/support.cc +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright (C) 1996-2016 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#include "squid.h" -#include "security/forward.h" - -#if !USE_OPENSSL - -namespace Security -{ - -#if USE_GNUTLS -template std::unordered_map & ContextPointer::Locks(); - -template std::unordered_map & CertPointer::Locks(); - -template std::unordered_map & CrlPointer::Locks(); -#endif - -template std::unordered_map & DhePointer::Locks(); - -} // namespace Security - -#endif /* !USE_OPENSSL */ - diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc index ec3ff47461..b6ce27ff92 100644 --- a/src/ssl/ErrorDetail.cc +++ b/src/ssl/ErrorDetail.cc @@ -628,12 +628,12 @@ const String &Ssl::ErrorDetail::toString() const Ssl::ErrorDetail::ErrorDetail( Ssl::ssl_error_t err_no, X509 *cert, X509 *broken, const char *aReason): error_no (err_no), lib_error_no(SSL_ERROR_NONE), errReason(aReason) { if (cert) - peer_cert.reset(cert); + peer_cert.resetAndLock(cert); if (broken) - broken_cert.reset(broken); + broken_cert.resetAndLock(broken); else - broken_cert.reset(cert); + broken_cert.resetAndLock(cert); detailEntry.error_no = SSL_ERROR_NONE; } @@ -644,11 +644,11 @@ Ssl::ErrorDetail::ErrorDetail(Ssl::ErrorDetail const &anErrDetail) request = anErrDetail.request; if (anErrDetail.peer_cert.get()) { - peer_cert.reset(anErrDetail.peer_cert.get()); + peer_cert.resetAndLock(anErrDetail.peer_cert.get()); } if (anErrDetail.broken_cert.get()) { - broken_cert.reset(anErrDetail.broken_cert.get()); + broken_cert.resetAndLock(anErrDetail.broken_cert.get()); } detailEntry = anErrDetail.detailEntry; diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc index 77f27422d5..a2db2e16ff 100644 --- a/src/ssl/PeekingPeerConnector.cc +++ b/src/ssl/PeekingPeerConnector.cc @@ -229,7 +229,7 @@ Ssl::PeekingPeerConnector::noteNegotiationDone(ErrorState *error) if (!serverBump->serverCert.get()) { // remember the server certificate from the ErrorDetail object if (error && error->detail && error->detail->peerCert()) - serverBump->serverCert.reset(error->detail->peerCert()); + serverBump->serverCert.resetAndLock(error->detail->peerCert()); else { handleServerCertificate(); } @@ -350,7 +350,7 @@ Ssl::PeekingPeerConnector::serverCertificateVerified() if (ConnStateData *csd = request->clientConnectionManager.valid()) { Security::CertPointer serverCert; if(Ssl::ServerBump *serverBump = csd->serverBump()) - serverCert.reset(serverBump->serverCert.get()); + serverCert.resetAndLock(serverBump->serverCert.get()); else { const int fd = serverConnection()->fd; Security::SessionPtr ssl = fd_table[fd].ssl.get(); diff --git a/src/ssl/ServerBump.cc b/src/ssl/ServerBump.cc index 0dfe1c15d8..7d7f06ba89 100644 --- a/src/ssl/ServerBump.cc +++ b/src/ssl/ServerBump.cc @@ -57,7 +57,7 @@ Ssl::ServerBump::attachServerSSL(SSL *ssl) if (serverSSL.get()) return; - serverSSL.reset(ssl); + serverSSL.resetAndLock(ssl); } const Ssl::CertErrors * diff --git a/src/ssl/cert_validate_message.cc b/src/ssl/cert_validate_message.cc index 409283309f..7c2249ed61 100644 --- a/src/ssl/cert_validate_message.cc +++ b/src/ssl/cert_validate_message.cc @@ -216,7 +216,7 @@ Ssl::CertValidationResponse::RecvdError & Ssl::CertValidationResponse::RecvdErro void Ssl::CertValidationResponse::RecvdError::setCert(X509 *aCert) { - cert.reset(aCert); + cert.resetAndLock(aCert); } Ssl::CertValidationMsg::CertItem::CertItem(const CertItem &old) @@ -235,7 +235,7 @@ Ssl::CertValidationMsg::CertItem & Ssl::CertValidationMsg::CertItem::operator = void Ssl::CertValidationMsg::CertItem::setCert(X509 *aCert) { - cert.reset(aCert); + cert.resetAndLock(aCert); } const std::string Ssl::CertValidationMsg::code_cert_validate("cert_validate"); diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc index bc6dcb3c60..218167b3f5 100644 --- a/src/ssl/gadgets.cc +++ b/src/ssl/gadgets.cc @@ -424,7 +424,7 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Ssl: Ssl::EVP_PKEY_Pointer pkey; // Use signing certificates private key as generated certificate private key if (properties.signWithPkey.get()) - pkey.reset(properties.signWithPkey.get()); + pkey.resetAndLock(properties.signWithPkey.get()); else // if not exist generate one pkey.reset(Ssl::createSslPrivateKey()); diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 9a043e9b04..70be136bea 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -306,7 +306,7 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) ACLFilledChecklist *filledCheck = Filled(check); assert(!filledCheck->sslErrors); filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert)); - filledCheck->serverCert.reset(peer_cert); + filledCheck->serverCert.resetAndLock(peer_cert); if (check->fastCheck() == ACCESS_ALLOWED) { debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer); ok = 1; @@ -1301,8 +1301,8 @@ bool Ssl::generateUntrustedCert(Security::CertPointer &untrustedCert, EVP_PKEY_P // O, OU, and other CA subject fields will be mimicked // Expiration date and other common properties will be mimicked certProperties.signAlgorithm = Ssl::algSignSelf; - certProperties.signWithPkey.reset(pkey.get()); - certProperties.mimicCert.reset(cert.get()); + certProperties.signWithPkey.resetAndLock(pkey.get()); + certProperties.mimicCert.resetAndLock(cert.get()); return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties); } @@ -1354,19 +1354,19 @@ Ssl::CreateServer(Security::ContextPtr sslContext, const int fd, const char *squ Ssl::CertError::CertError(ssl_error_t anErr, X509 *aCert, int aDepth): code(anErr), depth(aDepth) { - cert.reset(aCert); + cert.resetAndLock(aCert); } Ssl::CertError::CertError(CertError const &err): code(err.code), depth(err.depth) { - cert.reset(err.cert.get()); + cert.resetAndLock(err.cert.get()); } Ssl::CertError & Ssl::CertError::operator = (const CertError &old) { code = old.code; - cert.reset(old.cert.get()); + cert.resetAndLock(old.cert.get()); return *this; }