perf(tls-server): reuse trusted store

emqx · Aug 23, 2023 · 6d1e30a · 6d1e30a
1 parent ed4680d
commit 6d1e30a
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 61 deletions.
diff --git a/c_src/quicer_config.c b/c_src/quicer_config.c
@@ -2440,3 +2440,36 @@ get_str_from_map(ErlNifEnv *env,
 
   return enif_get_string(env, tmp_term, buff, tmp_len + 1, ERL_NIF_LATIN1);
 }
+
+BOOLEAN build_trustedstore(const char *cacertfile, X509_STORE **trusted_store)
+{
+  X509_STORE *store = NULL;
+  X509_LOOKUP *lookup = NULL;
+
+  if (cacertfile == NULL)
+    {
+      return FALSE;
+    }
+
+  store = X509_STORE_new();
+  if (store == NULL)
+    {
+      return FALSE;
+    }
+
+  lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+  if (lookup == NULL)
+    {
+      X509_STORE_free(store);
+      return FALSE;
+    }
+
+  if (!X509_LOOKUP_load_file(lookup, cacertfile, X509_FILETYPE_PEM))
+    {
+      X509_STORE_free(store);
+      return FALSE;
+    }
+
+  *trusted_store = store;
+  return TRUE;
+}
diff --git a/c_src/quicer_config.h b/c_src/quicer_config.h
@@ -20,6 +20,7 @@ limitations under the License.
 #include "quicer_internal.h"
 #include "quicer_nif.h"
 #include <msquichelper.h>
+#include <openssl/x509.h>
 
 #ifdef DEBUG
 #define dbg(fmt, ...)                                                         \
@@ -117,4 +118,6 @@ ERL_NIF_TERM set_connection_opt(ErlNifEnv *env,
                                 ERL_NIF_TERM optval,
                                 ERL_NIF_TERM elevel);
 
+BOOLEAN build_trustedstore(const char *cacertfile, X509_STORE **trusted_store);
+
 #endif // __QUICER_CONFIG_H_
diff --git a/c_src/quicer_connection.c b/c_src/quicer_connection.c
@@ -595,47 +595,21 @@ async_connect3(ErlNifEnv *env,
     }
 
   ERL_NIF_TERM ecacertfile;
-  X509_STORE *trusted = NULL;
+
   if (enif_get_map_value(env, eoptions, ATOM_CACERTFILE, &ecacertfile))
     {
       char cacertfile[PATH_MAX];
-      if (enif_get_string(
+      if (!(enif_get_string(
               env, ecacertfile, cacertfile, PATH_MAX, ERL_NIF_LATIN1)
-          > 0)
-        {
-          X509_LOOKUP *lookup = NULL;
-          trusted = X509_STORE_new();
-
-          if (trusted != NULL)
-            {
-              lookup = X509_STORE_add_lookup(trusted, X509_LOOKUP_file());
-              if (lookup != NULL)
-                {
-                  if (!X509_LOOKUP_load_file(
-                          lookup, cacertfile, X509_FILETYPE_PEM))
-                    {
-                      X509_STORE_free(trusted);
-                      trusted = NULL;
-                    }
-                }
-              else
-                {
-                  X509_STORE_free(trusted);
-                  trusted = NULL;
-                }
-            }
-          c_ctx->trusted = trusted;
-        }
-
-      if (trusted == NULL)
+          > 0 && build_trustedstore(cacertfile, &c_ctx->trusted)))
         {
           res = ERROR_TUPLE_2(ATOM_BADARG);
           goto Error;
         }
     }
 
   // convert eoptions to Configuration
-  bool HasCaCertfile = trusted != NULL;
+  bool HasCaCertfile = c_ctx->trusted != NULL;
   ERL_NIF_TERM estatus = ClientLoadConfiguration(
       env, &eoptions, &(c_ctx->config_resource->Configuration), HasCaCertfile);
 

diff --git a/c_src/quicer_ctx.h b/c_src/quicer_ctx.h
@@ -46,6 +46,7 @@ typedef struct QuicerListenerCTX
   ErlNifEnv *env;
   ErlNifMutex *lock;
   char *cacertfile;
+  X509_STORE *trusted_store;
   // Listener handle closed flag
   // false means the handle is invalid
   BOOLEAN is_closed;

diff --git a/c_src/quicer_listener.c b/c_src/quicer_listener.c
@@ -50,34 +50,10 @@ ServerListenerCallback(__unused_parm__ HQUIC Listener,
 
       c_ctx->Connection = Event->NEW_CONNECTION.Connection;
 
-      /* reload trusted store very time to make sure we incorporate
-       * any changes to the file
-       */
-      if (l_ctx->cacertfile)
+      if (l_ctx->trusted_store)
         {
-          X509_STORE *trusted = NULL;
-          X509_LOOKUP *lookup = NULL;
-          trusted = X509_STORE_new();
-
-          if (trusted != NULL)
-            {
-              lookup = X509_STORE_add_lookup(trusted, X509_LOOKUP_file());
-              if (lookup != NULL)
-                {
-                  if (!X509_LOOKUP_load_file(
-                          lookup, l_ctx->cacertfile, X509_FILETYPE_PEM))
-                    {
-                      X509_STORE_free(trusted);
-                      trusted = NULL;
-                    }
-                }
-              else
-                {
-                  X509_STORE_free(trusted);
-                  trusted = NULL;
-                }
-            }
-          c_ctx->trusted = trusted;
+          X509_STORE_up_ref(l_ctx->trusted_store);
+          c_ctx->trusted = l_ctx->trusted_store;
         }
 
       assert(l_ctx->config_resource);
@@ -320,11 +296,12 @@ listen2(ErlNifEnv *env, __unused_parm__ int argc, const ERL_NIF_TERM argv[])
         {
           l_ctx->cacertfile
               = (char *)CXPLAT_ALLOC_NONPAGED(len + 1, QUICER_CACERTFILE);
-          if (!enif_get_string(env,
+          if (!(enif_get_string(env,
                                ecacertfile,
                                l_ctx->cacertfile,
                                len + 1,
-                               ERL_NIF_LATIN1))
+                               ERL_NIF_LATIN1) > 0
+               && build_trustedstore(l_ctx->cacertfile, &l_ctx->trusted_store)))
             {
               CXPLAT_FREE(l_ctx->cacertfile, QUICER_CACERTFILE);
               l_ctx->cacertfile = NULL;
@@ -600,3 +577,5 @@ start_listener3(ErlNifEnv *env,
 
   return ret;
 }
+
+
diff --git a/test/quicer_SUITE.erl b/test/quicer_SUITE.erl
@@ -382,9 +382,8 @@ tc_open_listener_inval_cacertfile_1(Config) ->
 
 tc_open_listener_inval_cacertfile_2(Config) ->
   Port = select_port(),
-  {ok, L} = quicer:listen(Port, [ {cacertfile, [1,2,3,4]}
+  {error, badarg} = quicer:listen(Port, [ {cacertfile, [1,2,3,4]}
                                 | default_listen_opts(Config)]),
-  ok = quicer:close_listener(L),
   ok.
 
 tc_open_listener_inval_cacertfile_3(Config) ->