BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe
A TLS ticket keys file can be updated on the CLI and used at the same time, so it
needs to be protected to make sure all accesses are thread-safe. Because updates are
infrequent, a R/W lock has been used.
This patch must be backported to 1.8
diff --git a/include/common/hathreads.h b/include/common/hathreads.h
index 143cf2c..30009cc 100644
--- a/include/common/hathreads.h
+++ b/include/common/hathreads.h
@@ -291,6 +291,7 @@
EMAIL_ALERTS_LOCK,
PIPES_LOCK,
START_LOCK,
+ TLSKEYS_REF_LOCK,
LOCK_LABELS
};
struct lock_stat {
@@ -407,6 +408,7 @@
case EMAIL_ALERTS_LOCK: return "EMAIL_ALERTS";
case PIPES_LOCK: return "PIPES";
case START_LOCK: return "START";
+ case TLSKEYS_REF_LOCK: return "TLSKEYS_REF";
case LOCK_LABELS: break; /* keep compiler happy */
};
/* only way to come here is consecutive to an internal bug */
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index ce76849..ef03de6 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -61,6 +61,7 @@
int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
#endif
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
+void ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref, struct chunk *tlskey);
int ssl_sock_update_tlskey(char *filename, struct chunk *tlskey, char **err);
struct tls_keys_ref *tlskeys_ref_lookup(const char *filename);
struct tls_keys_ref *tlskeys_ref_lookupid(int unique_id);
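Review bot: The new declaration `ssl_sock_update_tlskey_ref` carries no comment stating its locking contract, and since this same commit adds a R/W lock to `struct tls_keys_ref`, the header is where a caller learns whether the function takes `ref->lock` itself or expects the caller to already hold it for writing. Suggest a one-line comment above the prototype such as `/* Replaces the key in <ref> with <tlskey>; takes ref->lock for writing, so callers must not hold it. */`, adjusted to whatever the definition in ssl_sock.c actually does, which is outside this diff. It would also help to say how this relates to the existing `ssl_sock_update_tlskey` (presumably the filename-based variant that looks the ref up and then calls this one).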
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index 5bd76ba..c31a496 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -25,6 +25,8 @@
#include <openssl/ssl.h>
#include <ebmbtree.h>
+#include <common/hathreads.h>
+
struct sni_ctx {
SSL_CTX *ctx; /* context associated to the certificate */
int order; /* load order for the certificate */
@@ -54,6 +56,7 @@
int unique_id; /* Each pattern reference have unique id. */
struct tls_sess_key *tlskeys;
int tls_ticket_enc_index;
+ __decl_hathreads(HA_RWLOCK_T lock); /* lock used to protect the ref */
};
/* shared ssl session */
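Review bot: The new `lock` member is declared here but nothing in this diff initialises it; `HA_RWLOCK_INIT(&ref->lock)` has to run wherever a `struct tls_keys_ref` is allocated (the key-file loading path in ssl_sock.c, outside this diff), otherwise the first `HA_RWLOCK_RDLOCK`/`HA_RWLOCK_WRLOCK` operates on an uninitialised lock. The comment `/* lock used to protect the ref */` would be more useful if it named what the lock guards, e.g. `/* protects tlskeys[] and tls_ticket_enc_index against concurrent CLI updates */` — presumably those are the fields the CLI update rewrites, per the commit message, so confirm against the updater. A short note on lock ordering relative to other locks taken on the TLS ticket callback path would also help future readers, if any exists.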