From: Amos Jeffries Date: Sun, 11 Sep 2016 14:59:06 +0000 (+1200) Subject: Move Ssl::Errors to libsecurity X-Git-Tag: SQUID_4_0_15~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83f8d8f97118e1cae98c2c434e6643e04d1be113;p=thirdparty%2Fsquid.git Move Ssl::Errors to libsecurity Convert to an STL set instead of CBDATA list: * The list is not passed as a callback parameter, so CBDATA overheads are unnecessary. * STL set has built-in unique entry protection, so special push_back_unique handling is not required. Just emplace() entries. * STL unordered_set is used for its fast lookup property. This should operate faster on medium or larger sized ACL lists than CbDataList type could. --- diff --git a/src/acl/SslErrorData.cc b/src/acl/SslErrorData.cc index 5b1ed2b514..2dc0a47ba1 100644 --- a/src/acl/SslErrorData.cc +++ b/src/acl/SslErrorData.cc 
@@ -9,46 +9,28 @@ #include "squid.h" #include "acl/Checklist.h" #include "acl/SslErrorData.h" -#include "wordlist.h" +#include "ssl/ErrorDetail.h" -ACLSslErrorData::ACLSslErrorData() : values (NULL) +ACLSslErrorData::ACLSslErrorData(ACLSslErrorData const &o) : + values(o.values) {} -ACLSslErrorData::ACLSslErrorData(ACLSslErrorData const &old) : values (NULL) -{ - assert (!old.values); -} - -ACLSslErrorData::~ACLSslErrorData() -{ - if (values) - delete values; -} - bool ACLSslErrorData::match(const Ssl::CertErrors *toFind) { - for (const Ssl::CertErrors *err = toFind; err; err = err->next ) { - if (values->findAndTune(err->element.code)) + for (const auto *err = toFind; err; err = err->next) { + if (values.count(err->element.code)) return true; } return false; } -/* explicit instantiation required for some systems */ -/** \cond AUTODOCS_IGNORE */ -// AYJ: 2009-05-20 : Removing. clashes with template instantiation for other ACLs. -// template cbdata_type Ssl::Errors::CBDATA_CbDataList; -/** \endcond */ - SBufList ACLSslErrorData::dump() const { SBufList sl; - Ssl::Errors *data = values; - while (data != NULL) { - sl.push_back(SBuf(Ssl::GetErrorName(data->element))); - data = data->next; + for (const auto &e : values) { + sl.push_back(SBuf(Ssl::GetErrorName(e))); } return sl; } @@ -56,27 +38,14 @@ ACLSslErrorData::dump() const void ACLSslErrorData::parse() { - Ssl::Errors **Tail; - - for (Tail = &values; *Tail; Tail = &((*Tail)->next)); while (char *t = ConfigParser::strtokFile()) { - Ssl::Errors *q = Ssl::ParseErrorString(t); - *(Tail) = q; - Tail = &q->tail()->next; + Ssl::ParseErrorString(t, values); } } -bool -ACLSslErrorData::empty() const -{ - return values == NULL; -} - ACLSslErrorData * ACLSslErrorData::clone() const { - /* Splay trees don't clone yet. */ - assert (!values); return new ACLSslErrorData(*this); } diff --git a/src/acl/SslErrorData.h b/src/acl/SslErrorData.h index a54f59a24c..9a3f1b5386 100644 --- a/src/acl/SslErrorData.h 
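Review bot: `dump()` now walks a `std::unordered_set`, so the names it emits come out in hash-table order rather than the order the directive was parsed in, and that order can differ between builds and even between runs of the same binary. Anywhere the dumped configuration is compared textually (regression fixtures, config diffs) this makes the output unstable, while the previous list preserved parse order. Copying the codes into a sorted container before building `sl` — `std::vector<Security::ErrorCode> sorted(values.begin(), values.end()); std::sort(sorted.begin(), sorted.end());` and iterating `sorted` — would restore a deterministic dump at negligible cost for ACL-sized sets. If unordered output is acceptable, a comment on `dump()` saying the order is unspecified would at least make that explicit.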
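Review bot: The new `parse()` loop discards the `bool` returned by `Ssl::ParseErrorString(t, values)`, and in the ErrorDetail.cc hunk (`@@ -352,20 +352,24 @@` and its continuation) that function only ever returns `true`: every failure path goes through `fatalf()` and the trailing `return false` is itself marked `// not reached`. Either this call site should act on a `false` result, or the function should return `void` so the signature stops promising a recoverable failure it never delivers. If a non-fatal failure mode is planned for later, a one-line comment here, `// result ignored: ParseErrorString is fatal on bad input`, would stop the next reader from adding a check that can never fire. The same point applies to the ErrorDetail.cc hunks, so I have not repeated it there.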
+++ b/src/acl/SslErrorData.h @@ -11,27 +11,24 @@ #include "acl/Acl.h" #include "acl/Data.h" -#include "base/CbDataList.h" -#include "ssl/ErrorDetail.h" #include "ssl/support.h" -#include class ACLSslErrorData : public ACLData { MEMPROXY_CLASS(ACLSslErrorData); public: - ACLSslErrorData(); + ACLSslErrorData() = default; ACLSslErrorData(ACLSslErrorData const &); ACLSslErrorData &operator= (ACLSslErrorData const &); - virtual ~ACLSslErrorData(); + virtual ~ACLSslErrorData() {} bool match(const Ssl::CertErrors *); virtual SBufList dump() const; void parse(); - bool empty() const; + bool empty() const { return values.empty(); } virtual ACLSslErrorData *clone() const; - Ssl::Errors *values; + Security::Errors values; }; #endif /* SQUID_ACLSSL_ERRORDATA_H */ diff --git a/src/security/forward.h b/src/security/forward.h index 4735385a95..d762893f15 100644 --- a/src/security/forward.h +++ b/src/security/forward.h @@ -18,6 +18,7 @@ #endif #endif #include +#include #if USE_OPENSSL // Macro to be used to define the C++ wrapper functor of the sk_*_pop_free @@ -78,6 +79,10 @@ class EncryptorAnswer; /// Squid defined error code (<0), an error code returned by X.509 API, or SSL_ERROR_NONE typedef int ErrorCode; +/// set of Squid defined TLS error codes +/// \note using std::unordered_set ensures values are unique, with fast lookup +typedef std::unordered_set Errors; + class KeyData; class PeerConnector; class PeerOptions; diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc index 2d761c6f33..830303aea7 100644 --- a/src/ssl/ErrorDetail.cc +++ b/src/ssl/ErrorDetail.cc 
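Review bot: With `values` now a `Security::Errors` value member, the hand-written copy constructor in SslErrorData.cc does exactly what the compiler-generated one would, so `ACLSslErrorData(ACLSslErrorData const &) = default;` would remove it, and the destructor could be `virtual ~ACLSslErrorData() = default;` to match the new `ACLSslErrorData() = default;` two lines above instead of the empty `{}` body. The header also drops its `ssl/ErrorDetail.h` include while `Security::Errors` is declared in security/forward.h; whether that declaration reaches this header through `ssl/support.h` is not visible in the diff, so an explicit `#include "security/forward.h"` would be safer than relying on a transitive include. The declared `operator=` is defined outside this diff, so I cannot tell whether it was updated for the new member type.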
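Review bot: The Doxygen line on the new `Errors` typedef says "set of Squid defined TLS error codes", but the `ErrorCode` comment just above it says a code may also be one returned by the X.509 API, and `ParseErrorString` in the ErrorDetail.cc hunk emplaces whatever `GetErrorCode(name)` resolves, so the set will hold library codes as well. Suggest `/// set of TLS error codes, either Squid defined or returned by the X.509 API (see ErrorCode)` so the two comments agree. The `\note` about uniqueness and fast lookup is accurate and worth keeping.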
@@ -352,20 +352,24 @@ Security::ErrorCode Ssl::GetErrorCode(const char *name) return SSL_ERROR_NONE; } -Ssl::Errors * -Ssl::ParseErrorString(const char *name) +bool +Ssl::ParseErrorString(const char *name, Security::Errors &errors) { assert(name); const Security::ErrorCode ssl_error = GetErrorCode(name); - if (ssl_error != SSL_ERROR_NONE) - return new Ssl::Errors(ssl_error); + if (ssl_error != SSL_ERROR_NONE) { + errors.emplace(ssl_error); + return true; + } if (xisdigit(*name)) { const long int value = strtol(name, NULL, 0); - if (SQUID_SSL_ERROR_MIN <= value && value <= SQUID_SSL_ERROR_MAX) - return new Ssl::Errors(value); - fatalf("Too small or too bug SSL error code '%s'", name); + if (SQUID_SSL_ERROR_MIN <= value && value <= SQUID_SSL_ERROR_MAX) { + errors.emplace(value); + return true; + } + fatalf("Too small or too big TLS error code '%s'", name); } if (TheSslErrorShortcuts.empty()) @@ -375,15 +379,14 @@ Ssl::ParseErrorString(const char *name) if (it != TheSslErrorShortcuts.end()) { // Should not be empty... assert(it->second[0] != SSL_ERROR_NONE); - Ssl::Errors *errors = new Ssl::Errors(it->second[0]); - for (int i =1; it->second[i] != SSL_ERROR_NONE; ++i) { - errors->push_back_unique(it->second[i]); + for (int i = 0; it->second[i] != SSL_ERROR_NONE; ++i) { + errors.emplace(it->second[i]); } - return errors; + return true; } - fatalf("Unknown SSL error name '%s'", name); - return NULL; // not reached + fatalf("Unknown TLS error name '%s'", name); + return false; // not reached } const char *Ssl::GetErrorName(Security::ErrorCode value) diff --git a/src/ssl/ErrorDetail.h b/src/ssl/ErrorDetail.h index 01779c59c3..e55c0e50ce 100644 --- a/src/ssl/ErrorDetail.h +++ b/src/ssl/ErrorDetail.h 
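Review bot: The new `errors.emplace(value); return true;` branch accepts whatever `strtol(name, NULL, 0)` produced, and with a null end pointer a token consisting of a number followed by trailing characters is silently accepted as just the leading number. Since the context line `if (xisdigit(*name))` has already established that the token starts with a digit, checking the end pointer is cheap: `char *end = nullptr; const long int value = strtol(name, &end, 0);` followed by `if (*end == '\0' && SQUID_SSL_ERROR_MIN <= value && value <= SQUID_SSL_ERROR_MAX) {`. Note also that `emplace(value)` converts a `long` into the set's element type (presumably `Security::ErrorCode`, i.e. `int`); the preceding range check is what makes that narrowing safe, so a comment such as `// range-checked above, so the narrowing to ErrorCode is safe` would help. The function body continues in the next hunk.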
@@ -17,13 +17,11 @@ namespace Ssl { /** - \ingroup ServerProtocolSSLAPI - * Converts user-friendly error "name" into an Ssl::Errors list. - * The resulting list may have one or more elements, and needs to be - * released by the caller. + * Converts user-friendly error "name" into an Security::ErrorCode + * and adds it to the provided container (using emplace). * This function can handle numeric error numbers as well as names. */ -Ssl::Errors *ParseErrorString(const char *name); +bool ParseErrorString(const char *name, Security::Errors &); /// The Security::ErrorCode code of the error described by "name". Security::ErrorCode GetErrorCode(const char *name); @@ -34,16 +32,10 @@ const char *GetErrorName(Security::ErrorCode value); /// A short description of the TLS error "value" const char *GetErrorDescr(Security::ErrorCode value); -/** - \ingroup ServerProtocolSSLAPI - * Return true if the SSL error is optional and may not supported - * by current squid version - */ - +/// \return true if the TLS error is optional and may not be supported by current squid version bool ErrorIsOptional(const char *name); /** - \ingroup ServerProtocolSSLAPI * Used to pass SSL error details to the error pages returned to the * end user. */ diff --git a/src/ssl/support.h b/src/ssl/support.h index ce337aab70..22a37c3f01 100644 --- a/src/ssl/support.h +++ b/src/ssl/support.h @@ -69,8 +69,6 @@ namespace Ssl /// call before generating any SSL context void Initialize(); -typedef CbDataList Errors; - class ErrorDetail; class CertValidationResponse; typedef RefCount CertValidationResponsePointer;
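Review bot: The rewritten Doxygen block for `ParseErrorString` no longer says that one name can expand to several codes, which the shortcut handling in the ErrorDetail.cc hunk (the loop over `it->second[i]`) still does, and it documents neither the new `bool` result nor the container parameter; it also reads "an Security::ErrorCode". Suggest `* Converts a user-friendly error "name" (a symbolic name, a numeric code, or a shortcut expanding to several codes) into Security::ErrorCode values and emplaces them into the provided container.` plus `* \return true after at least one code was added; unknown names and out-of-range numbers are fatal rather than returning false.` The second sentence is grounded in the `fatalf()` calls visible in the ErrorDetail.cc hunk.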