Cleaned-up validation issues

Author: etr

README.md

@@ -1260,9 +1260,9 @@ libhttpserver provides WebSocket support when libmicrohttpd is built with WebSoc
 ### The websocket_handler class
 The `websocket_handler` class provides the following virtual methods:
 * _**void** on_open(**websocket_session&** session):_ Called when a new WebSocket connection is established. Default implementation does nothing.
-* _**void** on_message(**websocket_session&** session, **const std::string&** msg):_ Called when a text message is received. **This is the only pure virtual method and must be implemented.**
+* _**void** on_message(**websocket_session&** session, **std::string_view** msg):_ Called when a text message is received. **This is the only pure virtual method and must be implemented.**
 * _**void** on_binary(**websocket_session&** session, **const void*** data, **size_t** len):_ Called when a binary message is received. Default implementation does nothing.
-* _**void** on_ping(**websocket_session&** session, **const std::string&** payload):_ Called when a ping frame is received. Default implementation sends a pong.
+* _**void** on_ping(**websocket_session&** session, **std::string_view** payload):_ Called when a ping frame is received. Default implementation sends a pong.
 * _**void** on_close(**websocket_session&** session, **uint16_t** code, **const std::string&** reason):_ Called when the WebSocket connection is closed. Default implementation does nothing.
 
 ### The websocket_session class
@@ -1283,8 +1283,8 @@ Register a WebSocket handler using `register_ws_resource`:
 
     class echo_handler : public websocket_handler {
     public:
-        void on_message(websocket_session& session, const std::string& msg) override {
-            session.send_text("Echo: " + msg);
+        void on_message(websocket_session& session, std::string_view msg) override {
+            session.send_text("Echo: " + std::string(msg));
         }
     };
 
@@ -1634,9 +1634,9 @@ You can also check this example on [github](https://github.com/etr/libhttpserver
             session.send_text("Welcome to the echo server!");
         }
 
-        void on_message(websocket_session& session, const std::string& msg) override {
+        void on_message(websocket_session& session, std::string_view msg) override {
             std::cout << "Received: " << msg << std::endl;
-            session.send_text("Echo: " + msg);
+            session.send_text("Echo: " + std::string(msg));
         }
 
         void on_close(websocket_session& session, uint16_t code, const std::string& reason) override {

examples/websocket_echo.cpp

@@ -20,6 +20,7 @@
 
 #include <iostream>
 #include <string>
+#include <string_view>
 
 #include <httpserver.hpp>
 
@@ -30,9 +31,9 @@ class echo_handler : public httpserver::websocket_handler {
          session.send_text("Welcome to the echo server!");
      }
 
-     void on_message(httpserver::websocket_session& session, const std::string& msg) override {
+     void on_message(httpserver::websocket_session& session, std::string_view msg) override {
          std::cout << "Received: " << msg << std::endl;
-         session.send_text("Echo: " + msg);
+         session.send_text("Echo: " + std::string(msg));
      }
 
      void on_close(httpserver::websocket_session& session, uint16_t code, const std::string& reason) override {

src/http_request.cpp

@@ -71,6 +71,23 @@ class scoped_x509_cert {
     bool is_valid() const { return valid_; }
     gnutls_x509_crt_t get() const { return cert_; }
 
+    // Movable
+    scoped_x509_cert(scoped_x509_cert&& other) noexcept
+        : cert_(other.cert_), valid_(other.valid_) {
+        other.cert_ = nullptr;
+        other.valid_ = false;
+    }
+    scoped_x509_cert& operator=(scoped_x509_cert&& other) noexcept {
+        if (this != &other) {
+            if (cert_ != nullptr) gnutls_x509_crt_deinit(cert_);
+            cert_ = other.cert_;
+            valid_ = other.valid_;
+            other.cert_ = nullptr;
+            other.valid_ = false;
+        }
+        return *this;
+    }
+
     // Non-copyable
     scoped_x509_cert(const scoped_x509_cert&) = delete;
     scoped_x509_cert& operator=(const scoped_x509_cert&) = delete;
@@ -387,156 +404,126 @@ bool http_request::has_client_certificate() const {
     return (cert_list != nullptr && list_size > 0);
 }
 
-std::string http_request::get_client_cert_dn() const {
-    if (!has_tls_session()) {
-        return "";
-    }
-
-    scoped_x509_cert cert;
-    if (!cert.init_from_session(get_tls_session())) {
-        return "";
-    }
-
-    size_t dn_size = 0;
-    gnutls_x509_crt_get_dn(cert.get(), nullptr, &dn_size);
-
-    std::string dn(dn_size, '\0');
-    if (gnutls_x509_crt_get_dn(cert.get(), &dn[0], &dn_size) != GNUTLS_E_SUCCESS) {
-        return "";
+void http_request::populate_all_cert_fields() const {
+    if (cache->client_cert_fields_cached) {
+        return;
     }
 
-    // Remove trailing null if present
-    if (!dn.empty() && dn.back() == '\0') {
-        dn.pop_back();
-    }
+    cache->client_cert_fields_cached = true;
 
-    return dn;
-}
-
-std::string http_request::get_client_cert_issuer_dn() const {
-    if (!has_tls_session()) {
-        return "";
+    gnutls_session_t session = nullptr;
+    if (has_tls_session()) {
+        session = get_tls_session();
     }
 
     scoped_x509_cert cert;
-    if (!cert.init_from_session(get_tls_session())) {
-        return "";
-    }
-
-    size_t dn_size = 0;
-    gnutls_x509_crt_get_issuer_dn(cert.get(), nullptr, &dn_size);
-
-    std::string dn(dn_size, '\0');
-    if (gnutls_x509_crt_get_issuer_dn(cert.get(), &dn[0], &dn_size) != GNUTLS_E_SUCCESS) {
-        return "";
+    if (session != nullptr) {
+        cert.init_from_session(session);
     }
 
-    // Remove trailing null if present
-    if (!dn.empty() && dn.back() == '\0') {
-        dn.pop_back();
+    if (!cert.is_valid()) {
+        // Default values (empty strings and -1) are already set by the
+        // cache struct initializers; client_cert_verified defaults to false.
+        return;
     }
 
-    return dn;
-}
-
-std::string http_request::get_client_cert_cn() const {
-    if (!has_tls_session()) {
-        return "";
+    // Client certificate verification
+    {
+        unsigned int status = 0;
+        if (gnutls_certificate_verify_peers2(session, &status) == GNUTLS_E_SUCCESS) {
+            cache->client_cert_verified = (status == 0);
+        }
     }
 
-    scoped_x509_cert cert;
-    if (!cert.init_from_session(get_tls_session())) {
-        return "";
+    // Subject DN
+    {
+        size_t dn_size = 0;
+        gnutls_x509_crt_get_dn(cert.get(), nullptr, &dn_size);
+        std::string dn(dn_size, '\0');
+        if (gnutls_x509_crt_get_dn(cert.get(), &dn[0], &dn_size) == GNUTLS_E_SUCCESS) {
+            if (!dn.empty() && dn.back() == '\0') dn.pop_back();
+            cache->client_cert_dn = dn;
+        }
     }
 
-    size_t cn_size = 0;
-    gnutls_x509_crt_get_dn_by_oid(cert.get(), GNUTLS_OID_X520_COMMON_NAME, 0, 0, nullptr, &cn_size);
-
-    if (cn_size == 0) {
-        return "";
+    // Issuer DN
+    {
+        size_t dn_size = 0;
+        gnutls_x509_crt_get_issuer_dn(cert.get(), nullptr, &dn_size);
+        std::string dn(dn_size, '\0');
+        if (gnutls_x509_crt_get_issuer_dn(cert.get(), &dn[0], &dn_size) == GNUTLS_E_SUCCESS) {
+            if (!dn.empty() && dn.back() == '\0') dn.pop_back();
+            cache->client_cert_issuer_dn = dn;
+        }
     }
 
-    std::string cn(cn_size, '\0');
-    if (gnutls_x509_crt_get_dn_by_oid(cert.get(), GNUTLS_OID_X520_COMMON_NAME, 0, 0, &cn[0], &cn_size) != GNUTLS_E_SUCCESS) {
-        return "";
+    // Common Name
+    {
+        size_t cn_size = 0;
+        gnutls_x509_crt_get_dn_by_oid(cert.get(), GNUTLS_OID_X520_COMMON_NAME, 0, 0, nullptr, &cn_size);
+        if (cn_size > 0) {
+            std::string cn(cn_size, '\0');
+            if (gnutls_x509_crt_get_dn_by_oid(cert.get(), GNUTLS_OID_X520_COMMON_NAME, 0, 0, &cn[0], &cn_size) == GNUTLS_E_SUCCESS) {
+                if (!cn.empty() && cn.back() == '\0') cn.pop_back();
+                cache->client_cert_cn = cn;
+            }
+        }
     }
 
-    // Remove trailing null if present
-    if (!cn.empty() && cn.back() == '\0') {
-        cn.pop_back();
+    // SHA-256 fingerprint
+    {
+        unsigned char fingerprint[32];
+        size_t fingerprint_size = sizeof(fingerprint);
+        if (gnutls_x509_crt_get_fingerprint(cert.get(), GNUTLS_DIG_SHA256, fingerprint, &fingerprint_size) == GNUTLS_E_SUCCESS) {
+            std::string hex_fingerprint;
+            hex_fingerprint.reserve(fingerprint_size * 2);
+            for (size_t i = 0; i < fingerprint_size; ++i) {
+                char hex[3];
+                snprintf(hex, sizeof(hex), "%02x", fingerprint[i]);
+                hex_fingerprint += hex;
+            }
+            cache->client_cert_fingerprint_sha256 = hex_fingerprint;
+        }
     }
 
-    return cn;
+    // Validity times
+    cache->client_cert_not_before = gnutls_x509_crt_get_activation_time(cert.get());
+    cache->client_cert_not_after = gnutls_x509_crt_get_expiration_time(cert.get());
 }
 
-bool http_request::is_client_cert_verified() const {
-    if (!has_tls_session()) {
-        return false;
-    }
+std::string http_request::get_client_cert_dn() const {
+    populate_all_cert_fields();
+    return cache->client_cert_dn;
+}
 
-    gnutls_session_t session = get_tls_session();
-    unsigned int status = 0;
+std::string http_request::get_client_cert_issuer_dn() const {
+    populate_all_cert_fields();
+    return cache->client_cert_issuer_dn;
+}
 
-    if (gnutls_certificate_verify_peers2(session, &status) != GNUTLS_E_SUCCESS) {
-        return false;
-    }
+std::string http_request::get_client_cert_cn() const {
+    populate_all_cert_fields();
+    return cache->client_cert_cn;
+}
 
-    return (status == 0);
+bool http_request::is_client_cert_verified() const {
+    populate_all_cert_fields();
+    return cache->client_cert_verified;
 }
 
 std::string http_request::get_client_cert_fingerprint_sha256() const {
-    if (!has_tls_session()) {
-        return "";
-    }
-
-    scoped_x509_cert cert;
-    if (!cert.init_from_session(get_tls_session())) {
-        return "";
-    }
-
-    unsigned char fingerprint[32];  // SHA-256 is 32 bytes
-    size_t fingerprint_size = sizeof(fingerprint);
-
-    if (gnutls_x509_crt_get_fingerprint(cert.get(), GNUTLS_DIG_SHA256, fingerprint, &fingerprint_size) != GNUTLS_E_SUCCESS) {
-        return "";
-    }
-
-    // Convert to hex string
-    std::string hex_fingerprint;
-    hex_fingerprint.reserve(fingerprint_size * 2);
-    for (size_t i = 0; i < fingerprint_size; ++i) {
-        char hex[3];
-        snprintf(hex, sizeof(hex), "%02x", fingerprint[i]);
-        hex_fingerprint += hex;
-    }
-
-    return hex_fingerprint;
+    populate_all_cert_fields();
+    return cache->client_cert_fingerprint_sha256;
 }
 
 time_t http_request::get_client_cert_not_before() const {
-    if (!has_tls_session()) {
-        return -1;
-    }
-
-    scoped_x509_cert cert;
-    if (!cert.init_from_session(get_tls_session())) {
-        return -1;
-    }
-
-    return gnutls_x509_crt_get_activation_time(cert.get());
+    populate_all_cert_fields();
+    return cache->client_cert_not_before;
 }
 
 time_t http_request::get_client_cert_not_after() const {
-    if (!has_tls_session()) {
-        return -1;
-    }
-
-    scoped_x509_cert cert;
-    if (!cert.init_from_session(get_tls_session())) {
-        return -1;
-    }
-
-    return gnutls_x509_crt_get_expiration_time(cert.get());
+    populate_all_cert_fields();
+    return cache->client_cert_not_after;
 }
 #endif  // HAVE_GNUTLS
 

src/http_utils.cpp

@@ -580,8 +580,8 @@ const char* http_utils::reason_phrase(unsigned int status_code) {
     return MHD_get_reason_phrase_for(status_code);
 }
 
-bool http_utils::is_feature_supported(int feature) {
-    return MHD_is_feature_supported(static_cast<MHD_FEATURE>(feature)) == MHD_YES;
+bool http_utils::is_feature_supported(enum MHD_FEATURE feature) {
+    return MHD_is_feature_supported(feature) == MHD_YES;
 }
 
 const char* http_utils::get_mhd_version() {

src/httpserver/http_request.hpp

@@ -38,6 +38,7 @@
 #include <limits>
 #include <map>
 #include <memory>
+
 #include <string>
 #include <utility>
 #include <vector>
@@ -320,7 +321,7 @@ class http_request {
          size_t userdigest_size,
          unsigned int nonce_timeout = 0,
          uint32_t max_nc = 0,
-         http::http_utils::digest_algorithm algo = http::http_utils::digest_algorithm::MD5) const;
+         http::http_utils::digest_algorithm algo = http::http_utils::digest_algorithm::SHA256) const;
 #endif  // HAVE_DAUTH
 
      friend std::ostream &operator<< (std::ostream &os, http_request &r);
@@ -382,6 +383,10 @@ class http_request {
      void fetch_user_pass() const;
 #endif  // HAVE_BAUTH
 
+#ifdef HAVE_GNUTLS
+     void populate_all_cert_fields() const;
+#endif  // HAVE_GNUTLS
+
      /**
       * Method used to set an argument value by key.
       * @param key The name identifying the argument
@@ -499,6 +504,17 @@ class http_request {
 
         bool args_populated = false;
         bool path_pieces_cached = false;
+
+#ifdef HAVE_GNUTLS
+        bool client_cert_fields_cached = false;
+        std::string client_cert_dn;
+        std::string client_cert_issuer_dn;
+        std::string client_cert_cn;
+        std::string client_cert_fingerprint_sha256;
+        time_t client_cert_not_before = static_cast<time_t>(-1);
+        time_t client_cert_not_after = static_cast<time_t>(-1);
+        bool client_cert_verified = false;
+#endif  // HAVE_GNUTLS
      };
      std::unique_ptr<http_request_data_cache> cache = std::make_unique<http_request_data_cache>();
      void ensure_path_pieces_cached() const {

src/httpserver/http_utils.hpp

@@ -291,7 +291,7 @@ class http_utils {
      static std::string sanitize_upload_filename(const std::string& filename);
 
      static const char* reason_phrase(unsigned int status_code);
-     static bool is_feature_supported(int feature);
+     static bool is_feature_supported(enum MHD_FEATURE feature);
      static const char* get_mhd_version();
 };