支持https；适应版本跳跃；增加md5校验；

server/doris_server_http.cpp

@@ -13,11 +13,12 @@
 #include <sys/prctl.h>
 #include <poll.h>
 
+#include <event2/bufferevent_ssl.h>
+
 #include "doris_server_main.h"
 #include "doris_server_http.h"
 
-
-extern struct nirvana_global_info g_doris_server_info;
+extern struct doris_global_info g_doris_server_info;
 
 static inline void set_sockopt_keepalive(int sd, int keepidle, int keepintvl, int keepcnt)
 {
@@ -90,15 +91,18 @@ void doris_http_server_meta_cb(struct evhttp_request *req, void *arg)
 	if(NULL == (version = evhttp_find_header(&params, "version")))
 	{
 		statistic->statistic.field[DRS_FSSTAT_CLIENT_INVALID_REQ] += 1;
+		evhttp_clear_headers(&params);
 		evhttp_send_error(req, HTTP_BADREQUEST, "Parameters invalid, no version found");
 		return;
 	}
 	if(0==(verlong = strtol(version, &endptr, 10)) || *endptr!='\0')
 	{
 		statistic->statistic.field[DRS_FSSTAT_CLIENT_INVALID_REQ] += 1;
+		evhttp_clear_headers(&params);
 		evhttp_send_error(req, HTTP_BADREQUEST, "Parameter version invalid");
 		return;
 	}
+	evhttp_clear_headers(&params);
 
 	pthread_rwlock_rdlock(&g_doris_server_info.rwlock);
 	if(verlong > g_doris_server_info.cfgver_head->latest_version)
@@ -108,6 +112,7 @@ void doris_http_server_meta_cb(struct evhttp_request *req, void *arg)
 		evhttp_send_error(req, HTTP_NOTMODIFIED, "No new configs found");
 		return;
 	}
+
 	vernode = TAILQ_FIRST(&g_doris_server_info.cfgver_head->version_head);
 	while(vernode->version < verlong)
 	{
@@ -193,6 +198,7 @@ void doris_response_file_range(struct evhttp_request *req, const char *tablename
 	evhttp_add_header(evhttp_request_get_output_headers(req), "Content-Type", "application/stream");
 	evhttp_add_header(evhttp_request_get_output_headers(req), "Connection", "keep-alive");
 	evhttp_send_reply(req, HTTP_OK, "OK", evbuf);
+	evbuffer_free(evbuf);
 }
 
 void doris_http_server_file_cb(struct evhttp_request *req, void *arg)
@@ -213,12 +219,14 @@ void doris_http_server_file_cb(struct evhttp_request *req, void *arg)
 	}
 	if(NULL==(version=evhttp_find_header(&params, "version")) || NULL==(tablename=evhttp_find_header(&params, "tablename")))
 	{
+		evhttp_clear_headers(&params);
 		statistic->statistic.field[DRS_FSSTAT_CLIENT_INVALID_REQ] += 1;
 		evhttp_send_error(req, HTTP_BADREQUEST, "Parameters invalid, no version/tablename found");
 		return;
 	}
 	if(0==(verlong = strtol(version, &endptr, 10)) || *endptr!='\0')
 	{
+		evhttp_clear_headers(&params);
 		statistic->statistic.field[DRS_FSSTAT_CLIENT_INVALID_REQ] += 1;
 		evhttp_send_error(req, HTTP_BADREQUEST, "Parameter version invalid");
 		return;
@@ -226,12 +234,14 @@ void doris_http_server_file_cb(struct evhttp_request *req, void *arg)
 	if(NULL!=(content_range = evhttp_find_header(evhttp_request_get_input_headers(req), "Range")) &&
 		sscanf(content_range, "%*[^0-9]%lu-%lu", &req_start, &req_end)<1)
 	{
+		evhttp_clear_headers(&params);
 		statistic->statistic.field[DRS_FSSTAT_CLIENT_INVALID_REQ] += 1;
 		evhttp_send_error(req, HTTP_BADREQUEST, "Header Range invalid");
 		return;
 	}
 
 	doris_response_file_range(req, tablename, verlong, req_start, req_end, (content_range==NULL)?false:true, statistic);
+	evhttp_clear_headers(&params);
 }
 
 void doris_http_server_generic_cb(struct evhttp_request *req, void *arg)
@@ -239,6 +249,103 @@ void doris_http_server_generic_cb(struct evhttp_request *req, void *arg)
 	evhttp_send_error(req, HTTP_BADREQUEST, "Not Supported.");
 }
 
+pthread_t nirvana_pthreads_thread_id(void)
+{
+	return pthread_self();
+}
+
+void nirvana_pthreads_locking_callback(int mode, int type, const char *file, int line)
+{
+	if(mode & CRYPTO_LOCK)
+	{
+		pthread_mutex_lock(&g_doris_server_info.lock_cs[type]);
+	}
+	else
+	{
+		pthread_mutex_unlock(&g_doris_server_info.lock_cs[type]);
+	}
+}
+
+int server_verify_callback(int ok, X509_STORE_CTX *ctx)
+{
+	X509   *client_cert;
+	char *subject, *issuer;
+
+	client_cert = X509_STORE_CTX_get_current_cert(ctx);
+	
+	subject = X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0);
+	issuer = X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0);
+
+	MESA_RUNTIME_LOGV3(g_doris_server_info.log_runtime, RLOG_LV_DEBUG, "ClientCert suject: %s, issuer: %s, state: %d.", subject, issuer, ok);
+	OPENSSL_free(subject);
+	OPENSSL_free(issuer);
+	return ok;
+}
+
+SSL_CTX *doris_connections_create_ssl_ctx(void)
+{
+	int crypto_num;
+	SSL_CTX *ssl_ctx;
+	char session_id_appname[] = "DorisServer";
+
+	SSL_library_init();
+	SSLeay_add_ssl_algorithms();
+	OpenSSL_add_all_algorithms();
+	SSL_load_error_strings();
+	ERR_load_BIO_strings();
+	
+	crypto_num = CRYPTO_num_locks();
+	g_doris_server_info.lock_cs = (pthread_mutex_t *)OPENSSL_malloc(crypto_num * sizeof(pthread_mutex_t));
+	for(int i=0; i<crypto_num; i++)
+	{
+		pthread_mutex_init(&g_doris_server_info.lock_cs[i], NULL);
+	}
+	CRYPTO_set_id_callback(nirvana_pthreads_thread_id);
+	CRYPTO_set_locking_callback(nirvana_pthreads_locking_callback);
+
+	ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+	//SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE, server_verify_callback);
+	//<2F><><EFBFBD><EFBFBD>SESSION Resumption<6F><6E>˫<EFBFBD><CBAB><EFBFBD><EFBFBD><EFBFBD>ã<EFBFBD><C3A3><EFBFBD>Ϊ<EFBFBD><CEAA>֤<EFBFBD><D6A4>˫<EFBFBD><CBAB><EFBFBD>ģ<EFBFBD>
+	SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_BOTH);
+	//<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>HoldĬ<64><C4AC>SSL_SESSION_CACHE_MAX_SIZE_DEFAULT(1024*20)<29><>SESSION<4F><4E>0-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+	SSL_CTX_sess_set_cache_size(ssl_ctx, SSL_SESSION_CACHE_MAX_SIZE_DEFAULT);
+	SSL_CTX_set_session_id_context(ssl_ctx, (unsigned char*)session_id_appname, strlen(session_id_appname));
+	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, g_doris_server_info.ssl_key_passwd);
+	
+	if(!SSL_CTX_load_verify_locations(ssl_ctx, NULL, g_doris_server_info.ssl_CA_path))
+	{
+		MESA_RUNTIME_LOGV3(g_doris_server_info.log_runtime, RLOG_LV_FATAL, "SSL_CTX_load_verify_locations error: %s.", ERR_reason_error_string(ERR_get_error()));
+		SSL_CTX_free(ssl_ctx);
+		return NULL;
+	}
+	if(!SSL_CTX_use_certificate_file(ssl_ctx, g_doris_server_info.ssl_cert_file, SSL_FILETYPE_PEM))
+	{
+		MESA_RUNTIME_LOGV3(g_doris_server_info.log_runtime, RLOG_LV_FATAL, "SSL_CTX_use_certificate_file error: %s.", ERR_reason_error_string(ERR_get_error()));
+		SSL_CTX_free(ssl_ctx);
+		return NULL;
+	}
+	if(SSL_CTX_use_PrivateKey_file(ssl_ctx, g_doris_server_info.ssl_key_file, SSL_FILETYPE_PEM) < 0)
+	{
+		MESA_RUNTIME_LOGV3(g_doris_server_info.log_runtime, RLOG_LV_FATAL, "SSL_CTX_use_PrivateKey_file_pass error: %s.", ERR_reason_error_string(ERR_get_error()));
+		SSL_CTX_free(ssl_ctx);
+		return NULL;
+	}
+	if(!SSL_CTX_check_private_key(ssl_ctx))
+	{
+		MESA_RUNTIME_LOGV3(g_doris_server_info.log_runtime, RLOG_LV_FATAL, "SSL_CTX_check_private_key error: %s.", ERR_reason_error_string(ERR_get_error()));
+		SSL_CTX_free(ssl_ctx);
+		return NULL;
+	}
+	return ssl_ctx;
+}
+
+struct bufferevent *doris_https_bufferevent_cb(struct event_base *evabse, void *arg)
+{	
+	SSL_CTX *ssl_instance = (SSL_CTX *)arg;
+
+	return bufferevent_openssl_socket_new(evabse, -1, SSL_new(ssl_instance), BUFFEREVENT_SSL_ACCEPTING, BEV_OPT_CLOSE_ON_FREE);
+}
+
 void* thread_doris_http_server(void *arg)
 {
 	struct event_base *worker_evbase;
@@ -253,6 +360,16 @@ void* thread_doris_http_server(void *arg)
 
 	worker_http = evhttp_new(worker_evbase);
 
+	if(g_doris_server_info.ssl_conn_on)
+	{
+		g_doris_server_info.ssl_instance = doris_connections_create_ssl_ctx();
+		if(g_doris_server_info.ssl_instance == NULL)
+		{
+			assert(0);return NULL;
+		}
+		evhttp_set_bevcb(worker_http, doris_https_bufferevent_cb, g_doris_server_info.ssl_instance);
+	}
+
 	evhttp_set_cb(worker_http, "/configmeta", doris_http_server_meta_cb, &statistic);
 	evhttp_set_cb(worker_http, "/configfile", doris_http_server_file_cb, &statistic);
 	evhttp_set_gencb(worker_http, doris_http_server_generic_cb, &statistic);