MINIFICPP-1346 - Add SNI info to raw TCP TLS/SSL handshake

MINIFICPP-1346 Minor improvements

* re-enable some unit tests which were disabled by mistake
* some code cleanup in TLSSocket::initialize()
* get rid of a 'comparison of integer expressions of different signedness' warning

MINIFICPP-1346 Upgrade libressl 2.8.3 -> 3.0.2

MINIFICPP-1346 Use the SNI extension

Signed-off-by: Arpad Boda <aboda@apache.org>

This closes #922
diff --git a/cmake/BundledLibreSSL.cmake b/cmake/BundledLibreSSL.cmake
index 6c52684..02500d0 100644
--- a/cmake/BundledLibreSSL.cmake
+++ b/cmake/BundledLibreSSL.cmake
@@ -49,8 +49,8 @@
     # Build project
     ExternalProject_Add(
         libressl-portable
-        URL https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.3.tar.gz https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.3.tar.gz https://gentoo.osuosl.org/distfiles/libressl-2.8.3.tar.gz
-        URL_HASH "SHA256=9b640b13047182761a99ce3e4f000be9687566e0828b4a72709e9e6a3ef98477"
+        URL https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2.tar.gz https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2.tar.gz https://gentoo.osuosl.org/distfiles/libressl-3.0.2.tar.gz
+        URL_HASH "SHA256=df7b172bf79b957dd27ef36dcaa1fb162562c0e8999e194aa8c1a3df2f15398e"
         SOURCE_DIR "${BINARY_DIR}/thirdparty/libressl-src"
         CMAKE_ARGS ${LIBRESSL_CMAKE_ARGS}
         BUILD_BYPRODUCTS ${LIBRESSL_LIBRARIES_LIST}
diff --git a/libminifi/src/io/tls/TLSSocket.cpp b/libminifi/src/io/tls/TLSSocket.cpp
index 6e5e0ee..d7564d0 100644
--- a/libminifi/src/io/tls/TLSSocket.cpp
+++ b/libminifi/src/io/tls/TLSSocket.cpp
@@ -20,20 +20,22 @@
 #ifdef WIN32
 #include <WS2tcpip.h>
 #pragma comment(lib, "Ws2_32.lib")
-#endif /* WIN32 */
+#endif  // WIN32
+
 #include <fstream>
 #include <memory>
 #include <utility>
 #include <string>
 #include <vector>
-#include <Exception.h>
+
 #include "io/tls/TLSSocket.h"
 #include "io/tls/TLSUtils.h"
 #include "properties/Configure.h"
 #include "utils/StringUtils.h"
-#include "core/Property.h"
 #include "core/logging/LoggerConfiguration.h"
 #include "utils/GeneralUtils.h"
+#include "utils/gsl.h"
+
 namespace org {
 namespace apache {
 namespace nifi {
@@ -201,13 +203,11 @@
 }
 
 int16_t TLSSocket::initialize(bool blocking) {
-  bool is_server = false;
-  if (listeners_ > 0)
-    is_server = true;
+  const bool is_server = (listeners_ > 0);
 
   if (!blocking)
     setNonBlocking();
-  logger_->log_trace("Initializing TLSSocket %d", is_server);
+  logger_->log_trace("Initializing TLSSocket in %s mode", (is_server ? "server" : "client"));
   int16_t ret = context_->initialize(is_server);
 
   if (ret != 0) {
@@ -221,10 +221,10 @@
     return -1;
   }
 
-  if (listeners_ == 0) {
-    // we have s2s secure config
+  if (!is_server) {
     ssl_ = SSL_new(context_->getContext());
     SSL_set_fd(ssl_, socket_file_descriptor_);
+    SSL_set_tlsext_host_name(ssl_, requested_hostname_.c_str());  // SNI extension
     connected_ = false;
     int rez = SSL_connect(ssl_);
     if (rez < 0) {
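Review bot: The return value of `SSL_set_tlsext_host_name` is ignored on the added line, and `requested_hostname_` is passed without checking that it is non-empty and a DNS name rather than an IP literal, which RFC 6066 does not allow in server_name. A guard such as `if (!requested_hostname_.empty() && SSL_set_tlsext_host_name(ssl_, requested_hostname_.c_str()) != 1) return -1;` (with a log line) would make a failed or skipped SNI setup visible instead of silently connecting without it. SNI only tells the server which certificate to present; it does not make the client check that certificate against the requested name, and no hostname verification is visible in this hunk, so please confirm it is enforced elsewhere. The body of initialize() starts and ends outside this hunk.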
@@ -388,14 +388,14 @@
 
 int TLSSocket::writeData(const uint8_t *value, unsigned int size, int fd) {
   gsl_Expects(size >= 0);
-  int bytes = 0;
+  unsigned int bytes = 0;
   int sent = 0;
   auto fd_ssl = get_ssl(fd);
   if (IsNullOrEmpty(fd_ssl)) {
     return -1;
   }
   while (bytes < size) {
-    sent = SSL_write(fd_ssl, value + bytes, size - bytes);
+    sent = SSL_write(fd_ssl, value + bytes, gsl::narrow<int>(size - bytes));
     // check for errors
     if (sent < 0) {
       int ret = 0;
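Review bot: `gsl::narrow<int>(size - bytes)` reports a `size` above INT_MAX as a narrowing failure from inside the write loop (an exception or termination, depending on how utils/gsl.h is configured), while the other failure paths visible in writeData return a negative int; the same holds for `return gsl::narrow<int>(size);` in the next hunk. Rejecting the value once before the loop, `if (size > static_cast<unsigned int>(std::numeric_limits<int>::max())) return -1;` (needs `<limits>`), keeps the error contract uniform. It could also replace `gsl_Expects(size >= 0)`, which is always true for an unsigned parameter and so checks nothing. The loop body continues outside this hunk.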
@@ -407,7 +407,7 @@
     logger_->log_trace("WriteData socket %d send succeed %d", fd, sent);
     bytes += sent;
   }
-  return size;
+  return gsl::narrow<int>(size);
 }
 
 int TLSSocket::write(const uint8_t *value, int size) {
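Review bot: The loop treats only `sent < 0` as a failure (the check sits in the previous hunk), so when `SSL_write` returns 0 the `bytes += sent` line makes no progress and `while (bytes < size)` can spin, unless the lines not shown between the two hunks handle that case. SSL_write documents any return value `<= 0` as an unsuccessful write, so the check should read `if (sent <= 0) {`, with the error then classified through `SSL_get_error`. A peer that closes or stalls the connection mid-write should end the call rather than hold the calling thread.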
diff --git a/libminifi/test/unit/SocketTests.cpp b/libminifi/test/unit/SocketTests.cpp
index d069358..f4f3227 100644
--- a/libminifi/test/unit/SocketTests.cpp
+++ b/libminifi/test/unit/SocketTests.cpp
@@ -171,7 +171,7 @@
   server.close();
 }
 
-#ifdef OPENSSL_ENABLED
+#ifdef OPENSSL_SUPPORT
 std::atomic<uint8_t> counter;
 std::mt19937_64 seed { std::random_device { }() };
 bool createSocket() {
@@ -239,4 +239,4 @@
   minifi::io::TLSSocket *tls = dynamic_cast<minifi::io::TLSSocket*>(socket);
   REQUIRE(tls == nullptr);
 }
-#endif
+#endif  // OPENSSL_SUPPORT