From ef26fce5f118bfd351aefa860bf01f8b3ee0c616 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Thu, 10 Apr 2025 14:29:25 +0200 Subject: [PATCH] dnsdist: Fix clang-tidy warnings --- pdns/libssl.cc | 28 +++++++++++++++------------- pdns/tcpiohandler.cc | 10 +++++++--- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/pdns/libssl.cc b/pdns/libssl.cc index cd386b7f9d..d123823b20 100644 --- a/pdns/libssl.cc +++ b/pdns/libssl.cc @@ -522,7 +522,7 @@ bool libssl_generate_ocsp_response(const std::string& certFile, const std::strin static int libssl_get_last_key_type(SSL_CTX& ctx) { #ifdef HAVE_SSL_CTX_GET0_PRIVATEKEY - auto pkey = SSL_CTX_get0_privatekey(&ctx); + auto* pkey = SSL_CTX_get0_privatekey(&ctx); #else auto temp = std::unique_ptr(SSL_new(&ctx), SSL_free); if (!temp) { @@ -560,6 +560,7 @@ static std::unordered_set get_names_from_certificate(const X509* ce if (ASN1_STRING_to_UTF8(&str, name->d.dNSName) < 0) { continue; } + // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): OpenSSL's API result.emplace(reinterpret_cast(str)); OPENSSL_free(str); } @@ -567,7 +568,7 @@ static std::unordered_set get_names_from_certificate(const X509* ce auto* name = X509_get_subject_name(certificate); if (name != nullptr) { - ssize_t idx = -1; + int idx = -1; while ((idx = X509_NAME_get_index_by_NID(name, NID_commonName, idx)) != -1) { const auto* entry = X509_NAME_get_entry(name, idx); const auto* value = X509_NAME_ENTRY_get_data(entry); @@ -575,6 +576,7 @@ static std::unordered_set get_names_from_certificate(const X509* ce if (ASN1_STRING_to_UTF8(&str, value) < 0) { continue; } + // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): OpenSSL's API result.emplace(reinterpret_cast(str)); OPENSSL_free(str); } @@ -1006,7 +1008,7 @@ static std::unique_ptr getNewServerContext(con #endif SSL_CTX_set_options(ctx.get(), sslOptions); - if (!libssl_set_min_tls_version(*ctx.get(), config.d_minTLSVersion)) { + if (!libssl_set_min_tls_version(*ctx, config.d_minTLSVersion)) { throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(config.d_minTLSVersion)); } @@ -1138,7 +1140,7 @@ std::pair, std::vector> libssl_init_ser EVP_PKEY *keyptr = nullptr; X509 *certptr = nullptr; STACK_OF(X509) *captr = nullptr; - if (!PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr)) { + if (PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr) != 1) { #if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 bool failed = true; /* we might be opening a PKCS12 file that uses RC2 CBC or 3DES CBC which, since OpenSSL 3.0.0, requires loading the legacy provider */ - auto libCtx = OSSL_LIB_CTX_get0_global_default(); + auto* libCtx = OSSL_LIB_CTX_get0_global_default(); /* check whether the legacy provider is already loaded */ - if (!OSSL_PROVIDER_available(libCtx, "legacy")) { + if (OSSL_PROVIDER_available(libCtx, "legacy") == 0) { /* it's not */ - auto provider = OSSL_PROVIDER_load(libCtx, "legacy"); + auto* provider = OSSL_PROVIDER_load(libCtx, "legacy"); if (provider != nullptr) { - if (PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr)) { + if (PKCS12_parse(p12.get(), (pair.d_password ? pair.d_password->c_str() : nullptr), &keyptr, &certptr, &captr) == 1) { failed = false; } /* we do not want to keep that provider around after that */ @@ -1220,10 +1222,10 @@ std::pair> libssl_init_ser } auto key = std::unique_ptr(keyptr, EVP_PKEY_free); auto cert = std::unique_ptr(certptr, X509_free); - auto ca = std::unique_ptr(captr, [](STACK_OF(X509)* st){ sk_X509_free(st); }); + auto caList = std::unique_ptr(captr, [](STACK_OF(X509)* stack){ sk_X509_free(stack); }); - auto addCertificateAndKey = [&pair, &key, &cert, &ca](std::shared_ptr& tlsContext) { - if (SSL_CTX_use_cert_and_key(tlsContext.get(), cert.get(), key.get(), ca.get(), 1) != 1) { + auto addCertificateAndKey = [&pair, &key, &cert, &caList](std::shared_ptr& tlsContext) { + if (SSL_CTX_use_cert_and_key(tlsContext.get(), cert.get(), key.get(), caList.get(), 1) != 1) { ERR_print_errors_fp(stderr); throw std::runtime_error("An error occurred while trying to load the TLS certificate and key from PKCS12 file " + pair.d_cert); } @@ -1257,7 +1259,7 @@ std::pair> libssl_init_ser throw std::runtime_error("The key from '" + pair.d_key.value() + "' does not match the certificate from '" + pair.d_cert + "'"); } /* store the type of the new key, we might need it later to select the right OCSP stapling response */ - auto keyType = libssl_get_last_key_type(*ctx.get()); + auto keyType = libssl_get_last_key_type(*ctx); if (keyType < 0) { throw std::runtime_error("The key from '" + pair.d_key.value() + "' has an unknown type"); } diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc index 60cb189258..6f46d284f4 100644 --- a/pdns/tcpiohandler.cc +++ b/pdns/tcpiohandler.cc @@ -70,8 +70,11 @@ public: for (const auto& warning : warnings) { warnlog("%s", warning); } + // NOLINTNEXTLINE(cppcoreguidelines-prefer-member-initializer): it cannot be initialized before calling libssl_init_server_context() d_ocspResponses = std::move(ctx.d_ocspResponses); + // NOLINTNEXTLINE(cppcoreguidelines-prefer-member-initializer): it cannot be initialized before calling libssl_init_server_context() d_tlsCtx = std::move(ctx.d_defaultContext); + // NOLINTNEXTLINE(cppcoreguidelines-prefer-member-initializer): it cannot be initialized before calling libssl_init_server_context() d_sniMap = std::move(ctx.d_sniMap); for (auto& entry : d_sniMap) { SSL_CTX_set_tlsext_servername_callback(entry.second.get(), &sni_server_name_callback); @@ -104,6 +107,7 @@ static int sni_server_name_callback(SSL* ssl, int* /* alert */, void* /* arg */) if (serverName == nullptr) { return SSL_TLSEXT_ERR_NOACK; } + // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): OpenSSL's API auto* frontendCtx = reinterpret_cast(libssl_get_ticket_key_callback_data(ssl)); if (frontendCtx == nullptr) { return SSL_TLSEXT_ERR_OK; @@ -111,8 +115,8 @@ static int sni_server_name_callback(SSL* ssl, int* /* alert */, void* /* arg */) auto serverNameView = std::string_view(serverName); - auto it = frontendCtx->d_sniMap.find(serverNameView); - if (it == frontendCtx->d_sniMap.end()) { + auto mapIt = frontendCtx->d_sniMap.find(serverNameView); + if (mapIt == frontendCtx->d_sniMap.end()) { /* keep the default certificate */ return SSL_TLSEXT_ERR_OK; } @@ -120,7 +124,7 @@ static int sni_server_name_callback(SSL* ssl, int* /* alert */, void* /* arg */) /* if it fails there is nothing we can do, let's hope OpenSSL will fallback to the existing, default certificate*/ - SSL_set_SSL_CTX(ssl, it->second.get()); + SSL_set_SSL_CTX(ssl, mapIt->second.get()); return SSL_TLSEXT_ERR_OK; } -- 2.47.2