ip_representation::operator< + http_request_impl::populate_all_cert_fields

Two unrelated functions, both at CCN 18; refactor bundled because the
shape of each extraction is small.

ip_representation::operator< (CCN 18 -> 7):
  * accumulate_octet_score: shared "(16-i)*piece[i]" accumulator used
    by the main 0..15 sweep (skipping 10/11) and again for the 10..11
    tail. Pulls the two CHECK_BIT clauses out of three different sites.
  * is_v4_mapped_prefix_octet_pair: collapses the nested
    "((a == 0x00 || a == 0xFF) && (b == 0x00 || b == 0xFF))" check
    into a named predicate. The composite if at the top of operator<
    was contributing 8 boolean ops alone.

http_request_impl::populate_all_cert_fields (CCN 18 -> 5):
  * extract_x509_string: parameterised two-pass GnuTLS string getter
    (function pointer takes gnutls_x509_crt_get_dn or
    gnutls_x509_crt_get_issuer_dn -- same signature, identical wrapping).
  * extract_x509_common_name: get_dn_by_oid wrapper (separate because
    of the extra OID/index/flags parameters).
  * extract_x509_fingerprint_sha256: fingerprint hex-encode.
  * verify_peer_certificate: wraps gnutls_certificate_verify_peers2 and
    returns the verified bool.

populate_all_cert_fields now reads as a flat sequence: assign to each
pmr::string member via the per-field helper, then the two int64_t
validity times. The cross-allocator .assign(ptr, len) idiom is preserved.

Both refactors are HAVE_GNUTLS-gated in the case of cert handling;
local build skips it but the helpers still compile-test against the
operator< side of the change, and CI's GNUTLS-on lane exercises the
cert path end to end.

scripts/check-complexity.sh CCN_MAX ratcheted 19 -> 15 (new worst
offender is webserver::register_impl_ at CCN 14).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: etr

scripts/check-complexity.sh

@@ -27,7 +27,7 @@
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-CCN_MAX="${CCN_MAX:-19}"
+CCN_MAX="${CCN_MAX:-15}"
 
 # Prefer the standalone `lizard` entrypoint if it's on PATH; fall back to
 # `python3 -m lizard` which is what `pip install --user lizard` produces

src/http_request.cpp

@@ -484,90 +484,97 @@ bool http_request_impl::has_client_certificate() const {
     return (cert_list != nullptr && list_size > 0);
 }
 
-void http_request_impl::populate_all_cert_fields() const {
-    if (client_cert_fields_cached) {
-        return;
+namespace {
+
+// Two-pass GnuTLS string extractor: first call discovers the length,
+// second call fills the buffer. The DN APIs (get_dn / get_issuer_dn)
+// share this exact shape, so parameterising on the function pointer
+// dedupes the wrapping and keeps the surrounding ctor under the CCN
+// bar.
+using x509_string_getter = int (*)(gnutls_x509_crt_t, char*, size_t*);
+
+std::string extract_x509_string(gnutls_x509_crt_t cert,
+                                x509_string_getter getter) {
+    size_t size = 0;
+    getter(cert, nullptr, &size);
+    std::string buf(size, '\0');
+    if (getter(cert, buf.data(), &size) != GNUTLS_E_SUCCESS) return {};
+    if (!buf.empty() && buf.back() == '\0') buf.pop_back();
+    return buf;
+}
+
+std::string extract_x509_common_name(gnutls_x509_crt_t cert) {
+    size_t cn_size = 0;
+    gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+                                  nullptr, &cn_size);
+    if (cn_size == 0) return {};
+    std::string cn(cn_size, '\0');
+    if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+                                      cn.data(), &cn_size) != GNUTLS_E_SUCCESS) {
+        return {};
+    }
+    if (!cn.empty() && cn.back() == '\0') cn.pop_back();
+    return cn;
+}
+
+std::string extract_x509_fingerprint_sha256(gnutls_x509_crt_t cert) {
+    unsigned char fingerprint[32];
+    size_t fingerprint_size = sizeof(fingerprint);
+    if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA256, fingerprint,
+                                        &fingerprint_size) != GNUTLS_E_SUCCESS) {
+        return {};
+    }
+    std::string hex;
+    hex.reserve(fingerprint_size * 2);
+    for (size_t i = 0; i < fingerprint_size; ++i) {
+        char buf[3];
+        snprintf(buf, sizeof(buf), "%02x", fingerprint[i]);
+        hex += buf;
     }
+    return hex;
+}
+
+bool verify_peer_certificate(gnutls_session_t session) {
+    unsigned int status = 0;
+    if (gnutls_certificate_verify_peers2(session, &status) != GNUTLS_E_SUCCESS) {
+        return false;
+    }
+    return status == 0;
+}
+
+}  // namespace
 
+void http_request_impl::populate_all_cert_fields() const {
+    if (client_cert_fields_cached) return;
     client_cert_fields_cached = true;
 
     gnutls_session_t session = nullptr;
-    if (has_tls_session()) {
-        session = get_tls_session();
-    }
+    if (has_tls_session()) session = get_tls_session();
 
     scoped_x509_cert cert;
-    if (session != nullptr) {
-        cert.init_from_session(session);
-    }
+    if (session != nullptr) cert.init_from_session(session);
 
     if (!cert.is_valid()) {
         // Default values (empty strings and -1) are already set by the
         // impl member initializers; client_cert_verified defaults to false.
         return;
     }
 
-    // Client certificate verification
-    {
-        unsigned int status = 0;
-        if (gnutls_certificate_verify_peers2(session, &status) == GNUTLS_E_SUCCESS) {
-            client_cert_verified = (status == 0);
-        }
-    }
+    client_cert_verified = verify_peer_certificate(session);
 
-    // Subject DN
-    {
-        size_t dn_size = 0;
-        gnutls_x509_crt_get_dn(cert.get(), nullptr, &dn_size);
-        std::string dn(dn_size, '\0');
-        if (gnutls_x509_crt_get_dn(cert.get(), &dn[0], &dn_size) == GNUTLS_E_SUCCESS) {
-            if (!dn.empty() && dn.back() == '\0') dn.pop_back();
-            // pmr::string has no cross-allocator copy-assign, so we
-            // assign through the .assign(ptr, len) overload.
-            client_cert_dn.assign(dn.data(), dn.size());
-        }
-    }
+    // pmr::string has no cross-allocator copy-assign, so we route every
+    // assignment through .assign(ptr, len).
+    auto subject_dn = extract_x509_string(cert.get(), gnutls_x509_crt_get_dn);
+    client_cert_dn.assign(subject_dn.data(), subject_dn.size());
 
-    // Issuer DN
-    {
-        size_t dn_size = 0;
-        gnutls_x509_crt_get_issuer_dn(cert.get(), nullptr, &dn_size);
-        std::string dn(dn_size, '\0');
-        if (gnutls_x509_crt_get_issuer_dn(cert.get(), &dn[0], &dn_size) == GNUTLS_E_SUCCESS) {
-            if (!dn.empty() && dn.back() == '\0') dn.pop_back();
-            client_cert_issuer_dn.assign(dn.data(), dn.size());
-        }
-    }
+    auto issuer_dn = extract_x509_string(cert.get(), gnutls_x509_crt_get_issuer_dn);
+    client_cert_issuer_dn.assign(issuer_dn.data(), issuer_dn.size());
 
-    // Common Name
-    {
-        size_t cn_size = 0;
-        gnutls_x509_crt_get_dn_by_oid(cert.get(), GNUTLS_OID_X520_COMMON_NAME, 0, 0, nullptr, &cn_size);
-        if (cn_size > 0) {
-            std::string cn(cn_size, '\0');
-            if (gnutls_x509_crt_get_dn_by_oid(cert.get(), GNUTLS_OID_X520_COMMON_NAME, 0, 0, &cn[0], &cn_size) == GNUTLS_E_SUCCESS) {
-                if (!cn.empty() && cn.back() == '\0') cn.pop_back();
-                client_cert_cn.assign(cn.data(), cn.size());
-            }
-        }
-    }
+    auto cn = extract_x509_common_name(cert.get());
+    client_cert_cn.assign(cn.data(), cn.size());
 
-    // SHA-256 fingerprint
-    {
-        unsigned char fingerprint[32];
-        size_t fingerprint_size = sizeof(fingerprint);
-        if (gnutls_x509_crt_get_fingerprint(cert.get(), GNUTLS_DIG_SHA256, fingerprint, &fingerprint_size) == GNUTLS_E_SUCCESS) {
-            std::string hex_fingerprint;
-            hex_fingerprint.reserve(fingerprint_size * 2);
-            for (size_t i = 0; i < fingerprint_size; ++i) {
-                char hex[3];
-                snprintf(hex, sizeof(hex), "%02x", fingerprint[i]);
-                hex_fingerprint += hex;
-            }
-            client_cert_fingerprint_sha256.assign(hex_fingerprint.data(),
-                                                  hex_fingerprint.size());
-        }
-    }
+    auto fp = extract_x509_fingerprint_sha256(cert.get());
+    client_cert_fingerprint_sha256.assign(fp.data(), fp.size());
 
     // Validity times. The GnuTLS API returns std::time_t; we cast to
     // int64_t so the public accessors can return a fixed-width type

src/http_utils.cpp

@@ -540,30 +540,43 @@ ip_representation::ip_representation(const std::string& ip) {
     }
 }
 
+namespace {
+
+// Add (16 - i) * piece[i] for both ip representations when both have
+// the i-th octet masked in. Pulled out of operator< so the surrounding
+// function stays below the CCN bar.
+void accumulate_octet_score(const ip_representation& a,
+                            const ip_representation& b, int i,
+                            int64_t& a_score, int64_t& b_score) {
+    if (!(CHECK_BIT(a.mask, i) && CHECK_BIT(b.mask, i))) return;
+    a_score += (16 - i) * a.pieces[i];
+    b_score += (16 - i) * b.pieces[i];
+}
+
+// True when both v4-mapped-prefix octets on a and b are 0x00 or 0xFF.
+// Mirrors the "::ffff:" / "::"-prefix invariant from parse_nested_ipv4.
+bool is_v4_mapped_prefix_octet_pair(uint16_t a, uint16_t b) {
+    return (a == 0x00 || a == 0xFF) && (b == 0x00 || b == 0xFF);
+}
+
+}  // namespace
+
 bool ip_representation::operator <(const ip_representation& b) const {
     int64_t this_score = 0;
     int64_t b_score = 0;
     for (int i = 0; i < 16; i++) {
         if (i == 10 || i == 11) continue;
-
-        if (CHECK_BIT(mask, i) && CHECK_BIT(b.mask, i)) {
-            this_score += (16 - i) * pieces[i];
-            b_score += (16 - i) * b.pieces[i];
-        }
+        accumulate_octet_score(*this, b, i, this_score, b_score);
     }
 
-    if (this_score == b_score &&
-            ((pieces[10] == 0x00 || pieces[10] == 0xFF) && (b.pieces[10] == 0x00 || b.pieces[10] == 0xFF)) &&
-            ((pieces[11] == 0x00 || pieces[11] == 0xFF) && (b.pieces[11] == 0x00 || b.pieces[11] == 0xFF))) {
+    if (this_score == b_score
+            && is_v4_mapped_prefix_octet_pair(pieces[10], b.pieces[10])
+            && is_v4_mapped_prefix_octet_pair(pieces[11], b.pieces[11])) {
         return false;
     }
 
-    for (int i = 10; i < 12; i++) {
-        if (CHECK_BIT(mask, i) && CHECK_BIT(b.mask, i)) {
-            this_score += (16 - i) * pieces[i];
-            b_score += (16 - i) * b.pieces[i];
-        }
-    }
+    accumulate_octet_score(*this, b, 10, this_score, b_score);
+    accumulate_octet_score(*this, b, 11, this_score, b_score);
 
     return this_score < b_score;
 }