关键词搜索

源码搜索 ×
×

漫话Redis源码之七十四

发布2022-02-13浏览524次

详情内容

SSL大家应该很熟悉,就是为了确保安全的,openssl应该听说过吧:

  1. /* Wrapper around redisSecureConnection to avoid hiredis_ssl dependencies if
  2.  * not building with TLS support.
  3.  */
  4. int cliSecureConnection(redisContext *c, cliSSLconfig config, const char **err) {
  5. #ifdef USE_OPENSSL
  6.     static SSL_CTX *ssl_ctx = NULL;
  7.  
  8.     if (!ssl_ctx) {
  9.         ssl_ctx = SSL_CTX_new(SSLv23_client_method());
  10.         if (!ssl_ctx) {
  11.             *err = "Failed to create SSL_CTX";
  12.             goto error;
  13.         }
  14.         SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
  15.         SSL_CTX_set_verify(ssl_ctx, config.skip_cert_verify ? SSL_VERIFY_NONE : SSL_VERIFY_PEER, NULL);
  16.  
  17.         if (config.cacert || config.cacertdir) {
  18.             if (!SSL_CTX_load_verify_locations(ssl_ctx, config.cacert, config.cacertdir)) {
  19.                 *err = "Invalid CA Certificate File/Directory";
  20.                 goto error;
  21.             }
  22.         } else {
  23.             if (!SSL_CTX_set_default_verify_paths(ssl_ctx)) {
  24.                 *err = "Failed to use default CA paths";
  25.                 goto error;
  26.             }
  27.         }
  28.  
  29.         if (config.cert && !SSL_CTX_use_certificate_chain_file(ssl_ctx, config.cert)) {
  30.             *err = "Invalid client certificate";
  31.             goto error;
  32.         }
  33.  
  34.         if (config.key && !SSL_CTX_use_PrivateKey_file(ssl_ctx, config.key, SSL_FILETYPE_PEM)) {
  35.             *err = "Invalid private key";
  36.             goto error;
  37.         }
  38.         if (config.ciphers && !SSL_CTX_set_cipher_list(ssl_ctx, config.ciphers)) {
  39.             *err = "Error while configuring ciphers";
  40.             goto error;
  41.         }
  42. #ifdef TLS1_3_VERSION
  43.         if (config.ciphersuites && !SSL_CTX_set_ciphersuites(ssl_ctx, config.ciphersuites)) {
  44.             *err = "Error while setting cypher suites";
  45.             goto error;
  46.         }
  47. #endif
  48.     }
  49.  
  50.     SSL *ssl = SSL_new(ssl_ctx);
  51.     if (!ssl) {
  52.         *err = "Failed to create SSL object";
  53.         return REDIS_ERR;
  54.     }
  55.  
  56.     if (config.sni && !SSL_set_tlsext_host_name(ssl, config.sni)) {
  57.         *err = "Failed to configure SNI";
  58.         SSL_free(ssl);
  59.         return REDIS_ERR;
  60.     }
  61.  
  62.     return redisInitiateSSL(c, ssl);
  63.  
  64. error:
  65.     SSL_CTX_free(ssl_ctx);
  66.     ssl_ctx = NULL;
  67.     return REDIS_ERR;
  68. #else
  69.     (void) config;
  70.     (void) c;
  71.     (void) err;
  72.     return REDIS_OK;
  73. #endif
  74. }
  75.  
  76. /* Wrapper around hiredis to allow arbitrary reads and writes.
  77.  *
  78.  * We piggybacks on top of hiredis to achieve transparent TLS support,
  79.  * and use its internal buffers so it can co-exist with commands
  80.  * previously/later issued on the connection.
  81.  *
  82.  * Interface is close to enough to read()/write() so things should mostly
  83.  * work transparently.
  84.  */
  85.  
  86. /* Write a raw buffer through a redisContext. If we already have something
  87.  * in the buffer (leftovers from hiredis operations) it will be written
  88.  * as well.
  89.  */
  90. ssize_t cliWriteConn(redisContext *c, const char *buf, size_t buf_len)
  91. {
  92.     int done = 0;
  93.  
  94.     /* Append data to buffer which is *usually* expected to be empty
  95.      * but we don't assume that, and write.
  96.      */
  97.     c->obuf = sdscatlen(c->obuf, buf, buf_len);
  98.     if (redisBufferWrite(c, &done) == REDIS_ERR) {
  99.         if (!(c->flags & REDIS_BLOCK))
  100.             errno = EAGAIN;
  101.  
  102.         /* On error, we assume nothing was written and we roll back the
  103.          * buffer to its original state.
  104.          */
  105.         if (sdslen(c->obuf) > buf_len)
  106.             sdsrange(c->obuf, 0, -(buf_len+1));
  107.         else
  108.             sdsclear(c->obuf);
  109.  
  110.         return -1;
  111.     }
  112.  
  113.     /* If we're done, free up everything. We may have written more than
  114.      * buf_len (if c->obuf was not initially empty) but we don't have to
  115.      * tell.
  116.      */
  117.     if (done) {
  118.         sdsclear(c->obuf);
  119.         return buf_len;
  120.     }
  121.  
  122.     /* Write was successful but we have some leftovers which we should
  123.      * remove from the buffer.
  124.      *
  125.      * Do we still have data that was there prior to our buf? If so,
  126.      * restore buffer to it's original state and report no new data was
  127.      * writen.
  128.      */
  129.     if (sdslen(c->obuf) > buf_len) {
  130.         sdsrange(c->obuf, 0, -(buf_len+1));
  131.         return 0;
  132.     }
  133.  
  134.     /* At this point we're sure no prior data is left. We flush the buffer
  135.      * and report how much we've written.
  136.      */
  137.     size_t left = sdslen(c->obuf);
  138.     sdsclear(c->obuf);
  139.     return buf_len - left;
  140. }
  141.  
  142. /* Wrapper around OpenSSL (libssl and libcrypto) initialisation
  143.  */
  144. int cliSecureInit()
  145. {
  146. #ifdef USE_OPENSSL
  147.     ERR_load_crypto_strings();
  148.     SSL_load_error_strings();
  149.     SSL_library_init();
  150. #endif
  151.     return REDIS_OK;
  152. }

相关技术文章

最新源码

下载排行榜
点击QQ咨询
开通会员
返回顶部
×
微信扫码支付
微信扫码支付
确定支付下载
请使用微信描二维码支付
×

提示信息

×

选择支付方式

  • 微信支付
  • 支付宝付款
确定支付下载