[trafficserver] branch master updated: Clang format fix.

2016-05-04 Thread shinrich
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
   new  b1f130d   Clang format fix.
b1f130d is described below

commit b1f130d872e943106a5c0b3ea0ee0ef606ebf089
Author: shinrich 
AuthorDate: Wed May 4 21:15:15 2016 -0500

Clang format fix.
---
 iocore/net/I_SessionAccept.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h
index 26a69e5..9e36b81 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/I_SessionAccept.h
@@ -38,8 +38,7 @@ public:
 
   /* Returns NULL if the specified client_ip is not allowed by ip_allow
* Returns a pointer to the relevant IP policy for later processing 
otherwise */
-  static const AclRecord *
-  testIpAllowPolicy(sockaddr const *client_ip);
+  static const AclRecord *testIpAllowPolicy(sockaddr const *client_ip);
 
 private:
   virtual int mainEvent(int event, void *netvc) = 0;



[trafficserver] branch master updated: Fix clang build errors.

2016-05-04 Thread shinrich
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
   new  43337d3   Fix clang build errors.
43337d3 is described below

commit 43337d3b95c23276204d267b8f49a65804de1717
Author: shinrich 
AuthorDate: Wed May 4 21:07:49 2016 -0500

Fix clang build errors.
---
 iocore/net/I_SessionAccept.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h
index 8b55e74..26a69e5 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/I_SessionAccept.h
@@ -27,7 +27,7 @@
 #include "I_Net.h"
 #include "I_VConnection.h"
 
-class AclRecord;
+struct AclRecord;
 
 class SessionAccept : public Continuation
 {



[trafficserver] branch master updated: TS-3485: Support ip_allow config for HTTP2. This closes #614.

2016-05-04 Thread shinrich
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
   new  5ce103e   TS-3485: Support ip_allow config for HTTP2.  This closes 
#614.
5ce103e is described below

commit 5ce103e889ef2eec9216ec06ae681916cb6e2298
Author: Susan Hinrichs 
AuthorDate: Wed May 4 01:49:30 2016 +

TS-3485: Support ip_allow config for HTTP2.  This closes #614.
---
 iocore/net/I_SessionAccept.h   |  7 ++
 iocore/net/Makefile.am |  1 +
 iocore/net/{I_SessionAccept.h => SessionAccept.cc} | 27 +++---
 proxy/http/HttpSessionAccept.cc| 19 +++
 proxy/http2/Http2ClientSession.cc  | 12 --
 proxy/http2/Http2SessionAccept.cc  | 13 ---
 6 files changed, 41 insertions(+), 38 deletions(-)

diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h
index 3d25b3d..8b55e74 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/I_SessionAccept.h
@@ -27,6 +27,8 @@
 #include "I_Net.h"
 #include "I_VConnection.h"
 
+class AclRecord;
+
 class SessionAccept : public Continuation
 {
 public:
@@ -34,6 +36,11 @@ public:
   ~SessionAccept() {}
   virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
 
+  /* Returns NULL if the specified client_ip is not allowed by ip_allow
+   * Returns a pointer to the relevant IP policy for later processing 
otherwise */
+  static const AclRecord *
+  testIpAllowPolicy(sockaddr const *client_ip);
+
 private:
   virtual int mainEvent(int event, void *netvc) = 0;
 };
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index 888d3c2..45d3ee9 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -60,6 +60,7 @@ libinknet_a_SOURCES = \
   I_UDPPacket.h \
   Inline.cc \
   I_SessionAccept.h \
+  SessionAccept.cc \
   Net.cc \
   NetVConnection.cc \
   P_CompletionUtil.h \
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/SessionAccept.cc
similarity index 68%
copy from iocore/net/I_SessionAccept.h
copy to iocore/net/SessionAccept.cc
index 3d25b3d..9d0ff03 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/SessionAccept.cc
@@ -21,21 +21,20 @@
   limitations under the License.
  */
 
-#ifndef I_SessionAccept_H_
-#define I_SessionAccept_H_
-
 #include "I_Net.h"
 #include "I_VConnection.h"
+#include "../../proxy/IPAllow.h"
 
-class SessionAccept : public Continuation
+const AclRecord *
+SessionAccept::testIpAllowPolicy(sockaddr const *client_ip)
 {
-public:
-  SessionAccept(ProxyMutex *amutex) : Continuation(amutex) { 
SET_HANDLER(::mainEvent); }
-  ~SessionAccept() {}
-  virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
-
-private:
-  virtual int mainEvent(int event, void *netvc) = 0;
-};
-
-#endif /* I_SessionAccept_H_ */
+  IpAllow::scoped_config ipallow;
+  const AclRecord *acl_record = NULL;
+  if (ipallow) {
+acl_record = ipallow->match(client_ip);
+if (acl_record && acl_record->isEmpty()) {
+  acl_record = NULL;
+}
+  }
+  return acl_record;
+}
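Review bot: The `AclRecord` pointer returned by `testIpAllowPolicy` is obtained through the local `IpAllow::scoped_config ipallow`, which goes out of scope at `return acl_record;`, so every caller uses the record after the handle is gone. If `scoped_config` is what keeps the loaded ip_allow configuration alive (its definition is not in this diff), a configuration reload between the match and the caller's later use could leave the pointer referring to a released record. Before this commit `HttpSessionAccept::accept` held the handle for its whole body. Either document the lifetime on the declaration, for example `/* The returned record is valid only while the ip_allow configuration it came from remains loaded */`, or have callers keep their own `IpAllow::scoped_config` alive while they use the result.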
diff --git a/proxy/http/HttpSessionAccept.cc b/proxy/http/HttpSessionAccept.cc
index 394bbf7..ba5a500 100644
--- a/proxy/http/HttpSessionAccept.cc
+++ b/proxy/http/HttpSessionAccept.cc
@@ -33,20 +33,21 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer 
*iobuf, IOBufferReade
   sockaddr const *client_ip = netvc->get_remote_addr();
   const AclRecord *acl_record = NULL;
   ip_port_text_buffer ipb;
-  IpAllow::scoped_config ipallow;
 
   // The backdoor port is now only bound to "localhost", so no
   // reason to check for if it's incoming from "localhost" or not.
   if (backdoor) {
 acl_record = IpAllow::AllMethodAcl();
-  } else if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) || 
(acl_record->isEmpty( {
-
-// if client address forbidden, close immediately //
-
-Warning("client '%s' prohibited by ip-allow policy", 
ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
-netvc->do_io_close();
-
-return;
+  } else {
+acl_record = testIpAllowPolicy(client_ip);
+if (!acl_record) {
+  
+  // if client address forbidden, close immediately //
+  
+  Warning("client '%s' prohibited by ip-allow policy", 
ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
+  netvc->do_io_close();
+  return;
+}
   }
 
   // Set the transport type if not already set
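Review bot: In the new `else` branch, a NULL from `testIpAllowPolicy` now also covers the case where no ip_allow configuration is available, because the helper returns NULL when `ipallow` is false. The removed condition `ipallow && (...)` let such connections continue with `acl_record == NULL`, whereas the new code closes them and logs `prohibited by ip-allow policy`. Failing closed is the safer default for an access-control check, but the change is not mentioned in the commit message, and the warning does not distinguish a policy denial from a missing configuration, which will mislead whoever reads the log. Consider a comment at the call such as `// NULL also means no ip_allow config is loaded; the connection is refused in that case too`. `accept` starts and ends outside this hunk.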
diff --git a/proxy/http2/Http2ClientSession.cc 
b/proxy/http2/Http2ClientSession.cc
index d759c84..5930140 100644
--- a/proxy/http2/Http2ClientSession.cc
+++ 

[trafficserver] branch master updated: TS-4075: add a state check for sslHandshakeHookState after PreAcceptHookState checking. This closes #374.

2016-05-04 Thread shinrich
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
   new  19cc051   TS-4075: add a state check for sslHandshakeHookState 
after PreAcceptHookState checking.  This closes #374.
19cc051 is described below

commit 19cc051bb9e803855d2fb424ccf8a4b9546dc49d
Author: Oknet 
AuthorDate: Mon Dec 14 20:00:45 2015 +0800

TS-4075: add a state check for sslHandshakeHookState after 
PreAcceptHookState checking.  This closes #374.
---
 iocore/net/SSLNetVConnection.cc | 52 ++---
 1 file changed, 28 insertions(+), 24 deletions(-)

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 7f299c2..3f688bf 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1042,6 +1042,11 @@ SSLNetVConnection::sslServerHandShakeEvent(int )
 }
   }
 
+  // handle SNI Hooks after PreAccept Hooks
+  if (HANDSHAKE_HOOKS_DONE != sslHandshakeHookState && HANDSHAKE_HOOKS_PRE != 
sslHandshakeHookState) {
+return SSL_WAIT_FOR_HOOK;
+  }
+
   // If a blind tunnel was requested in the pre-accept calls, convert.
   // Again no data has been exchanged, so we can go directly
   // without data replay.
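Review bot: The comment `// handle SNI Hooks after PreAccept Hooks` on the added check does not say what the condition means, although this is the gate that keeps the handshake from advancing while a certificate/SNI hook is still pending. From the states visible in this commit, any value other than `HANDSHAKE_HOOKS_PRE` and `HANDSHAKE_HOOKS_DONE` appears to mean a hook has been started and not yet reenabled. A comment such as `// A cert/SNI hook is outstanding (state is neither PRE nor DONE): wait for reenable() before continuing the handshake` would make that explicit. `sslServerHandShakeEvent` starts and ends outside this hunk, so the surrounding control flow could not be checked.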
@@ -1387,10 +1392,9 @@ SSLNetVConnection::select_next_protocol(SSL *ssl, const 
unsigned char **out, uns
 void
 SSLNetVConnection::reenable(NetHandler *nh)
 {
-  if (this->sslPreAcceptHookState != SSL_HOOKS_DONE) {
-this->sslPreAcceptHookState = SSL_HOOKS_INVOKE;
-this->readReschedule(nh);
-  } else {
+  if (sslPreAcceptHookState != SSL_HOOKS_DONE) {
+sslPreAcceptHookState = SSL_HOOKS_INVOKE;
+  } else if (sslHandshakeHookState == HANDSHAKE_HOOKS_INVOKE) {
 // Reenabling from the handshake callback
 //
 // Originally, we would wait for the callback to go again to execute 
additinonal
@@ -1400,16 +1404,17 @@ SSLNetVConnection::reenable(NetHandler *nh)
 // here in the reenable.
 if (curHook != NULL) {
   curHook = curHook->next();
-  if (curHook != NULL) {
-// Invoke the hook
-curHook->invoke(TS_SSL_CERT_HOOK, this);
-  }
 }
-if (curHook == NULL) {
+if (curHook != NULL) {
+  // Invoke the hook and return, wait for next reenable
+  curHook->invoke(TS_SSL_CERT_HOOK, this);
+  return;
+} else { // curHook == NULL
+  // empty, set state to HOOKS_DONE
   this->sslHandshakeHookState = HANDSHAKE_HOOKS_DONE;
-  this->readReschedule(nh);
 }
   }
+  this->readReschedule(nh);
 }
 
 bool
@@ -1433,34 +1438,33 @@ SSLNetVConnection::callHooks(TSHttpHookID eventId)
   // Only dealing with the SNI/CERT hook so far.
   // TS_SSL_SNI_HOOK and TS_SSL_CERT_HOOK are the same value
   ink_assert(eventId == TS_SSL_CERT_HOOK);
+  Debug("ssl", "callHooks sslHandshakeHookState=%d", 
this->sslHandshakeHookState);
 
-  // First time through, set the type of the hook that is currently
-  // being invoked
-  if (this->sslHandshakeHookState == HANDSHAKE_HOOKS_PRE) {
+  // First time through, set the type of the hook that is currently being 
invoked
+  if (HANDSHAKE_HOOKS_PRE == sslHandshakeHookState) {
+// the previous hook should be DONE and set curHook to NULL before trigger 
the sni hook.
+ink_assert(curHook == NULL);
+// set to HOOKS_CERT means CERT/SNI hooks has called by SSL_accept()
 this->sslHandshakeHookState = HANDSHAKE_HOOKS_CERT;
-  }
-
-  if (this->sslHandshakeHookState == HANDSHAKE_HOOKS_CERT && eventId == 
TS_SSL_CERT_HOOK) {
-if (curHook != NULL) {
-  curHook = curHook->next();
-} else {
-  curHook = ssl_hooks->get(TS_SSL_CERT_INTERNAL_HOOK);
-}
+// get Hooks
+curHook = ssl_hooks->get(TS_SSL_CERT_INTERNAL_HOOK);
   } else {
-// Not in the right state, or no plugins registered for this hook
+// Not in the right state
 // reenable and continue
 return true;
   }
 
   bool reenabled = true;
-  SSLHandshakeHookState holdState = this->sslHandshakeHookState;
   if (curHook != NULL) {
 // Otherwise, we have plugin hooks to run
 this->sslHandshakeHookState = HANDSHAKE_HOOKS_INVOKE;
 curHook->invoke(eventId, this);
 reenabled = (this->sslHandshakeHookState != HANDSHAKE_HOOKS_INVOKE);
+  } else {
+// no SNI-Hooks set, set state to HOOKS_DONE
+// no plugins registered for this hook, return (reenabled == true)
+sslHandshakeHookState = HANDSHAKE_HOOKS_DONE;
   }
-  this->sslHandshakeHookState = holdState;
   return reenabled;
 }
 
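Review bot: The `else` branch of the new `HANDSHAKE_HOOKS_PRE == sslHandshakeHookState` test returns `true` for every other state, including `HANDSHAKE_HOOKS_INVOKE`, where a plugin hook has been invoked and has not yet reenabled. With `holdState` removed, the state now stays at INVOKE until `reenable()` runs, so a second call to `callHooks` in that window would report the hooks as finished; whether that can happen depends on callers outside this hunk, such as the wait added in `sslServerHandShakeEvent`. If it can, returning `HANDSHAKE_HOOKS_DONE == sslHandshakeHookState` from this branch would keep the handshake paused; otherwise the comment should state the assumption, e.g. `// Hooks already ran or are running; callers must not reach here while state is INVOKE`. The function also mixes `this->sslHandshakeHookState` with the bare `sslHandshakeHookState`; use one form throughout. `callHooks` begins before the hunk.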



[trafficserver] branch master updated: TS-4387: When calling TSContSchedule()/TSContScheduleEvery(), the passed in parameter TSCont have to have MUTEX; otherwise if we call TSContSchedule()/TSContSche

2016-05-04 Thread briang
This is an automated email from the ASF dual-hosted git repository.

briang pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
   new  f96c1f5   TS-4387: When calling 
TSContSchedule()/TSContScheduleEvery(), the passed in parameter TSCont have to 
have MUTEX; otherwise if we call TSContSchedule()/TSContScheduleEvery() more 
than once using same TSCont, only the first call will take effect; all the 
following schedule are ignored due to MUTEX issue.
f96c1f5 is described below

commit f96c1f505564280b3f12a98c3ae7abc33b73b168
Author: Shen Zhang 
AuthorDate: Wed May 4 00:46:21 2016 -0700

TS-4387: When calling TSContSchedule()/TSContScheduleEvery(), the TSCont
passed in must have a MUTEX; otherwise, if TSContSchedule()/
TSContScheduleEvery() is called more than once with the same TSCont,
only the first call takes effect and all subsequent schedules are
ignored due to the MUTEX issue.

This closes #603
---
 proxy/InkAPI.cc | 4 
 1 file changed, 4 insertions(+)

diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index 6b2bce2..66f9f50 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -4217,6 +4217,8 @@ TSContSchedule(TSCont contp, ink_hrtime timeout, 
TSThreadPool tp)
 {
   sdk_assert(sdk_sanity_check_iocore_structure(contp) == TS_SUCCESS);
 
+  FORCE_PLUGIN_SCOPED_MUTEX(contp);
+
   INKContInternal *i = (INKContInternal *)contp;
   TSAction action;
 
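Review bot: `FORCE_PLUGIN_SCOPED_MUTEX(contp);` is added here and in the `TSContScheduleEvery` hunk without a comment, yet it makes "the continuation has a mutex" a requirement of two public plugin API calls. The macro's definition is not part of this diff, so what happens to a continuation created without a mutex (an assertion, an abort, or something else) cannot be seen here, and existing plugins that schedule mutex-less continuations may now fail at this line. Add a comment at both sites, for example `// contp must have a mutex to be scheduled (TS-4387)`, and state the requirement in the API documentation for both functions. Both function bodies continue past their hunks.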
@@ -4269,6 +4271,8 @@ TSContScheduleEvery(TSCont contp, ink_hrtime every, 
TSThreadPool tp)
 {
   sdk_assert(sdk_sanity_check_iocore_structure(contp) == TS_SUCCESS);
 
+  FORCE_PLUGIN_SCOPED_MUTEX(contp);
+
   INKContInternal *i = (INKContInternal *)contp;
   TSAction action;
 
