From: Christos Tsantilas
Date: Tue, 24 Jan 2012 10:03:18 +0000 (+0200)
Subject: Use CbDataList to implement Ssl::Errors list
X-Git-Tag: BumpSslServerFirst.take04~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4fb72cb;p=thirdparty%2Fsquid.git

Use CbDataList to implement Ssl::Errors list

Convert type of Ssl::Errors from std::vector to CbDataList
---
diff --git a/include/CbDataList.h b/include/CbDataList.h
index f11105b80c..cdb6e2bfda 100644
--- a/include/CbDataList.h
+++ b/include/CbDataList.h
@@ -44,6 +44,7 @@ public:
 CbDataList (C const &);
 ~CbDataList();
+ bool push_back_unique(C const &);
 bool find(C const &)const;
 bool findAndTune(C const &);
 CbDataList *next;
@@ -125,6 +126,20 @@ CbDataList::~CbDataList()
 delete next;
 }
+template
+bool
+CbDataList::push_back_unique(C const &toAdd)
+{
+ CbDataList *last;
+ for (last = this; last->next; last = last->next) {
+ if (last->element == toAdd)
+ return false;
+ }
+
+ last->next = new CbDataList (toAdd);
+ return true;
+}
+
 template
 bool
 CbDataList::find (C const &toFind) const
diff --git a/src/AclRegs.cc b/src/AclRegs.cc
index 6a03e6baaa..f8d314f13e 100644
--- a/src/AclRegs.cc
+++ b/src/AclRegs.cc
@@ -137,7 +137,7 @@ ACLStrategised ACLUrlPort::RegistryEntry_(new ACLIntRange, ACLUrlPortStrate
 #if USE_SSL
 ACL::Prototype ACLSslError::RegistryProtoype(&ACLSslError::RegistryEntry_, "ssl_error");
-ACLStrategised ACLSslError::RegistryEntry_(new ACLSslErrorData, ACLSslErrorStrategy::Instance(), "ssl_error");
+ACLStrategised ACLSslError::RegistryEntry_(new ACLSslErrorData, ACLSslErrorStrategy::Instance(), "ssl_error");
 ACL::Prototype ACLCertificate::UserRegistryProtoype(&ACLCertificate::UserRegistryEntry_, "user_cert");
 ACLStrategised ACLCertificate::UserRegistryEntry_(new ACLCertificateData (sslGetUserAttribute), ACLCertificateStrategy::Instance(), "user_cert");
 ACL::Prototype ACLCertificate::CARegistryProtoype(&ACLCertificate::CARegistryEntry_, "ca_cert");
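Review bot: push_back_unique never compares the tail node, because the loop exits as soon as `last->next` is NULL while the equality test sits inside the loop body, so appending a value equal to the last element (including the only element of a one-node list) creates a duplicate. Add a post-loop check, `if (last->element == toAdd) return false;`, immediately before `last->next = new CbDataList (toAdd);`. This matters for ssl_verify_cb in this same commit, which now relies on push_back_unique to de-duplicate the Ssl::Errors list: an error code reported again for a later certificate in the chain would still be recorded twice whenever it matches the most recently appended code. The template angle brackets appear to have been lost in extraction; the code itself is presumably `CbDataList<C>`.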
diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
index 084bcf749b..e2ccb7af36 100644
--- a/src/acl/FilledChecklist.cc
+++ b/src/acl/FilledChecklist.cc
@@ -63,6 +63,7 @@ ACLFilledChecklist::ACLFilledChecklist() :
 #if SQUID_SNMP
 snmp_community(NULL),
 #endif
+ sslErrorList(NULL),
 extacl_entry (NULL),
 conn_(NULL),
 fd_(-1),
@@ -91,6 +92,8 @@ ACLFilledChecklist::~ACLFilledChecklist()
 cbdataReferenceDone(conn_);
+ cbdataReferenceDone(sslErrorList);
+
 debugs(28, 4, HERE << "ACLFilledChecklist destroyed " << this);
 }
@@ -172,6 +175,7 @@ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_re
 #if SQUID_SNMP
 snmp_community(NULL),
 #endif
+ sslErrorList(NULL),
 extacl_entry (NULL),
 conn_(NULL),
 fd_(-1),
diff --git a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h
index 3ec833128b..c86281d6c4 100644
--- a/src/acl/FilledChecklist.h
+++ b/src/acl/FilledChecklist.h
@@ -66,7 +66,7 @@ public:
 #endif
 #if USE_SSL
- Ssl::Errors sslErrorList;
+ Ssl::Errors *sslErrorList;
 #endif
 ExternalACLEntry *extacl_entry;
diff --git a/src/acl/SslError.h b/src/acl/SslError.h
index 0fff38076b..8a357c23ff 100644
--- a/src/acl/SslError.h
+++ b/src/acl/SslError.h
@@ -9,7 +9,7 @@
 #include "acl/Strategised.h"
 #include "ssl/support.h"
-class ACLSslErrorStrategy : public ACLStrategy
+class ACLSslErrorStrategy : public ACLStrategy
 {
 public:
@@ -32,7 +32,7 @@ class ACLSslError
 private:
 static ACL::Prototype RegistryProtoype;
- static ACLStrategised RegistryEntry_;
+ static ACLStrategised RegistryEntry_;
 };
 #endif /* SQUID_ACLSSL_ERROR_H */
diff --git a/src/acl/SslErrorData.cc b/src/acl/SslErrorData.cc
index ad2a0043f7..0abeb2daa2 100644
--- a/src/acl/SslErrorData.cc
+++ b/src/acl/SslErrorData.cc
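Review bot: The new `Ssl::Errors *sslErrorList` member in FilledChecklist.h carries no ownership note, yet this commit uses it in two incompatible ways: ~ACLFilledChecklist releases it with cbdataReferenceDone, while ssl_verify_cb stores a freshly new'ed list and deletes it itself before the checklist is destroyed. Document the contract on the declaration so the next caller does not leave an un-referenced pointer for the destructor to unlock: `Ssl::Errors *sslErrorList; ///< cbdata reference to the SSL errors being checked, released in the dtor; a caller that stores a plain pointer must delete it and reset to NULL before destruction`. Whether the class's copy constructor or assignment operator duplicates this reference is not visible here and should be checked.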
@@ -22,11 +22,11 @@ ACLSslErrorData::~ACLSslErrorData()
 }
 bool
-ACLSslErrorData::match(Ssl::Errors const &toFind)
+ACLSslErrorData::match(const Ssl::Errors *toFind)
 {
- typedef std::vector::const_iterator SEsI;
- for (SEsI it = toFind.begin() ; it != toFind.end(); it++ ) {
- if (values->findAndTune (*it))
+ const Ssl::Errors * err;
+ for (err = toFind ; err != NULL; err = err->next ) {
+ if (values->findAndTune (err->element))
 return true;
 }
 return false;
@@ -35,14 +35,14 @@ ACLSslErrorData::match(Ssl::Errors const &toFind)
 /* explicit instantiation required for some systems */
 /** \cond AUTODOCS-IGNORE */
 // AYJ: 2009-05-20 : Removing. clashes with template instantiation for other ACLs.
-// template cbdata_type CbDataList::CBDATA_CbDataList;
+// template cbdata_type Ssl::Errors::CBDATA_CbDataList;
 /** \endcond */
 wordlist *
 ACLSslErrorData::dump()
 {
 wordlist *W = NULL;
- CbDataList *data = values;
+ Ssl::Errors *data = values;
 while (data != NULL) {
 wordlistAdd(&W, Ssl::GetErrorName(data->element));
@@ -55,12 +55,12 @@ ACLSslErrorData::dump()
 void
 ACLSslErrorData::parse()
 {
- CbDataList **Tail;
+ Ssl::Errors **Tail;
 char *t = NULL;
 for (Tail = &values; *Tail; Tail = &((*Tail)->next));
 while ((t = strtokFile())) {
- CbDataList *q = new CbDataList(Ssl::ParseErrorString(t));
+ Ssl::Errors *q = new Ssl::Errors(Ssl::ParseErrorString(t));
 *(Tail) = q;
 Tail = &q->next;
 }
diff --git a/src/acl/SslErrorData.h b/src/acl/SslErrorData.h
index 0673049d3a..f886f0c2e7 100644
--- a/src/acl/SslErrorData.h
+++ b/src/acl/SslErrorData.h
@@ -12,7 +12,7 @@
 #include "ssl/ErrorDetail.h"
 #include
-class ACLSslErrorData : public ACLData
+class ACLSslErrorData : public ACLData
 {
 public:
@@ -22,13 +22,13 @@ public:
 ACLSslErrorData(ACLSslErrorData const &);
 ACLSslErrorData &operator= (ACLSslErrorData const &);
 virtual ~ACLSslErrorData();
- bool match(Ssl::Errors const &);
+ bool match(const Ssl::Errors *);
 wordlist *dump();
 void parse();
 bool empty() const;
 virtual ACLSslErrorData *clone() const;
- CbDataList *values;
+ Ssl::Errors *values;
 };
 MEMPROXY_CLASS_INLINE(ACLSslErrorData);
diff --git a/src/client_side.cc b/src/client_side.cc
index 35f33e3bfc..99355d28c7 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -816,6 +816,8 @@ ConnStateData::~ConnStateData()
 if (bumpErrorEntry)
 bumpErrorEntry->unlock();
 #endif
+
+ cbdataReferenceDone(bumpSslErrorNoList);
 }
 /**
@@ -3649,7 +3651,7 @@ void ConnStateData::buildSslCertAdaptParams(Ssl::CrtdMessage::BodyParams &certAd
 checklist.conn(this);
 checklist.src_addr = clientConnection->remote;
 checklist.my_addr = clientConnection->local;
- checklist.sslErrorList = bumpSslErrorNoList;
+ checklist.sslErrorList = cbdataReference(bumpSslErrorNoList);
 for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) {
 if (ca->aclList && checklist.fastCheck(ca->aclList) == ACCESS_ALLOWED) {
diff --git a/src/client_side.h b/src/client_side.h
index b0d4591dad..589d818a0b 100644
--- a/src/client_side.h
+++ b/src/client_side.h
@@ -335,7 +335,7 @@ public:
 StoreEntry *bumpServerFirstErrorEntry() const {return bumpErrorEntry;}
 void setBumpServerCert(X509 *serverCert) {bumpServerCert.reset(serverCert);}
 X509 *getBumpServerCert() {return bumpServerCert.get();}
- void setBumpSslErrorList(Ssl::Errors &errNoList) {bumpSslErrorNoList = errNoList;}
+ void setBumpSslErrorList(Ssl::Errors *errNoList) {bumpSslErrorNoList = cbdataReference(errNoList);}
 /// Fill the certAdaptParams with the required data for certificate adaptation
 /// and create the key for storing/retrieve the certificate to/from the cache
 void buildSslCertAdaptParams(Ssl::CrtdMessage::BodyParams &certAdaptParams);
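Review bot: The reference copied into the checklist in buildSslCertAdaptParams is never validated, and a cbdataReference only pins the memory of the head node: if the list's owner has already destroyed it (presumably the server-side SSL object through its ex_data free hook, which is not in this diff), ~CbDataList has already run `delete next`, so ACLSslErrorData::match walking `err->next` would touch freed nodes. Guard the copy, `checklist.sslErrorList = cbdataReferenceValid(bumpSslErrorNoList) ? cbdataReference(bumpSslErrorNoList) : NULL;`, and treat an invalid list as "no ignored errors". The body of buildSslCertAdaptParams continues outside the hunk.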
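Review bot: setBumpSslErrorList in client_side.h overwrites bumpSslErrorNoList without releasing the reference it already holds, and FwdState::negotiateSSL in this same commit calls it from two sites, so any second call on the same connection leaks a cbdata lock on the first list (and keeps its head node pinned). Change the body to `{ cbdataReferenceDone(bumpSslErrorNoList); bumpSslErrorNoList = cbdataReference(errNoList); }`. That, and the unconditional `cbdataReferenceDone(bumpSslErrorNoList)` now in ~ConnStateData, also require the member to start out NULL; the ConnStateData constructor is not part of this diff, so please confirm it is initialised there.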
@@ -373,7 +373,7 @@ private:
 CbcPointer httpsPeeker;
 StoreEntry *bumpErrorEntry;
 Ssl::X509_Pointer bumpServerCert;
- Ssl::Errors bumpSslErrorNoList; ///< The list of SSL certificate errors which ignored
+ Ssl::Errors *bumpSslErrorNoList; ///< The list of SSL certificate errors which ignored
 #endif
 AsyncCall::Pointer reader; ///< set when we are reading
diff --git a/src/forward.cc b/src/forward.cc
index d372803a03..b01c209433 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -671,7 +671,7 @@ FwdState::negotiateSSL(int fd)
 // if there is a list of ssl errors, pass it to connection manager
 if (Ssl::Errors *errNoList = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno)))
- request->clientConnectionManager->setBumpSslErrorList(*errNoList);
+ request->clientConnectionManager->setBumpSslErrorList(errNoList);
 }
 HttpRequest *fakeRequest = NULL;
@@ -704,7 +704,7 @@ FwdState::negotiateSSL(int fd)
 if (request->clientConnectionManager.valid()) {
 request->clientConnectionManager->setBumpServerCert(SSL_get_peer_certificate(ssl));
 if (Ssl::Errors *errNoList = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno)))
- request->clientConnectionManager->setBumpSslErrorList(*errNoList);
+ request->clientConnectionManager->setBumpSslErrorList(errNoList);
 }
 if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) {
diff --git a/src/ssl/certificate_db.h b/src/ssl/certificate_db.h
index 1d247c9cc9..05841b6f26 100644
--- a/src/ssl/certificate_db.h
+++ b/src/ssl/certificate_db.h
@@ -6,7 +6,6 @@
 #define SQUID_SSL_CERTIFICATE_DB_H
 #include "ssl/gadgets.h"
-#include "ssl/support.h"
 #if HAVE_STRING
 #include
 #endif
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index f50b9fb0bd..c6e7f8d589 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -248,16 +248,15 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
 if (!ok) {
 Ssl::Errors *errNoList = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno));
 if (!errNoList) {
- errNoList = new Ssl::Errors;
+ errNoList = new Ssl::Errors(error_no);
 if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno, (void *)errNoList)) {
 debugs(83, 2, "Failed to set ssl error_no in ssl_verify_cb: Certificate " << buffer);
 delete errNoList;
 errNoList = NULL;
 }
 }
-
- if (errNoList) // Append the err no to the SSL errors lists.
- errNoList->push_back(error_no);
+ else // Append the err no to the SSL errors lists.
+ errNoList->push_back_unique(error_no);
 if (const char *err_descr = Ssl::GetErrorDescr(error_no))
 debugs(83, 5, err_descr << ": " << buffer);
@@ -266,14 +265,17 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
 if (check) {
 ACLFilledChecklist *filledCheck = Filled(check);
- filledCheck->sslErrorList.clear();
- filledCheck->sslErrorList.push_back(error_no);
+ assert(filledCheck->sslErrorList == NULL);
+ filledCheck->sslErrorList = new Ssl::Errors(error_no);
 if (check->fastCheck() == ACCESS_ALLOWED) {
 debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
 ok = 1;
 } else {
 debugs(83, 5, "confirming SSL error " << error_no);
 }
+ // Delete the ssl error list
+ delete filledCheck->sslErrorList;
+ filledCheck->sslErrorList = NULL;
 }
 }
diff --git a/src/ssl/support.h b/src/ssl/support.h
index 4e36848548..0ba49c1376 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
@@ -35,6 +35,7 @@
 #ifndef SQUID_SSL_SUPPORT_H
 #define SQUID_SSL_SUPPORT_H
+#include "CbDataList.h"
 #include "ssl/gadgets.h"
 #if HAVE_OPENSSL_SSL_H
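Review bot: The list allocated with `new Ssl::Errors(error_no)` and stored via SSL_set_ex_data is later handed out as cbdata references (forward.cc and client_side.h in this commit), but nothing in the hunk records who deletes it; if the ex_data index was registered with a free callback that deletes the list on SSL_free (not visible here), every reference holder sees a destroyed list from that moment on. Add a comment above the allocation stating the owner, `// owned by the SSL object through its ex_data; other holders keep only cbdata references`, so callers know to validate before walking it. The `else` correctly skips the append when the node was just created with error_no, but note that on SSL_set_ex_data failure the code is only logged and never recorded, so a later ACL check sees no error for this certificate.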
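Review bot: The `// Delete the ssl error list` comment in the second hunk says what, not why, and the why is load-bearing: sslErrorList receives a plain new'ed pointer here with no cbdataReference, while ~ACLFilledChecklist (changed in this commit) releases the member with cbdataReferenceDone, so leaving it set would unlock a reference that was never taken. Replace the comment with `// plain pointer, not a cbdataReference: free it here so the checklist dtor's cbdataReferenceDone never sees it`. It follows that nothing reached from check->fastCheck() may keep `sslErrorList` beyond this block; the assert on entry also aborts the process if a previous call left the pointer set, which is harsh for a verify callback if any early-return path is ever added between the assignment and the delete.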
@@ -68,9 +69,8 @@ namespace Ssl
 /// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
 typedef int ssl_error_t;
-/// \ingroup ServerProtocolSSLAPI
-/// SSL error codes in the order they were encountered
-typedef std::vector Errors;
+typedef CbDataList Errors;
+
 } //namespace Ssl
 /// \ingroup ServerProtocolSSLAPI
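Review bot: The new `typedef CbDataList Errors;` drops the doxygen group tag and the description the std::vector had, and the semantics have changed enough that the replacement deserves its own: the list is now cbdata-managed and ssl_verify_cb appends with push_back_unique, so it holds distinct codes in first-seen order. Restore the two lines above the typedef as `/// \ingroup ServerProtocolSSLAPI` and `/// cbdata-managed list of distinct SSL error codes, in the order first encountered; holders other than the owner keep cbdata references`. The element type (presumably `ssl_error_t`) appears to have been lost in extraction along with the angle brackets.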