Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 16f45c87d5f9bf57fa4e7e71546bce352a727425^! / . / include
commit16f45c87d5f9bf57fa4e7e71546bce352a727425[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Fri Feb 16 11:23:49 2018 +0100
committerWilly Tarreau <w@1wt.eu>Mon Feb 19 14:15:38 2018 +0100
treecde3e079194089520ec2924e080a60e3924018dc
parent9ad9f3517ee9e4289a003941a49cf52bd06314e3 [diff]
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe

A TLS ticket keys file can be updated on the CLI and used in same time. So we
need to protect it to be sure all accesses are thread-safe. Because updates are
infrequent, a R/W lock has been used.

This patch must be backported in 1.8

diff --git a/include/common/hathreads.h b/include/common/hathreads.h
index 143cf2c..30009cc 100644
--- a/include/common/hathreads.h
+++ b/include/common/hathreads.h

@@ -291,6 +291,7 @@
 	EMAIL_ALERTS_LOCK,
 	PIPES_LOCK,
 	START_LOCK,
+	TLSKEYS_REF_LOCK,
 	LOCK_LABELS
 };
 struct lock_stat {
@@ -407,6 +408,7 @@
 	case EMAIL_ALERTS_LOCK:    return "EMAIL_ALERTS";
 	case PIPES_LOCK:           return "PIPES";
 	case START_LOCK:           return "START";
+	case TLSKEYS_REF_LOCK:     return "TLSKEYS_REF";
 	case LOCK_LABELS:          break; /* keep compiler happy */
 	};
 	/* only way to come here is consecutive to an internal bug */

diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index ce76849..ef03de6 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h

@@ -61,6 +61,7 @@
 int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
 #endif
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
+void ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref, struct chunk *tlskey);
 int ssl_sock_update_tlskey(char *filename, struct chunk *tlskey, char **err);
 struct tls_keys_ref *tlskeys_ref_lookup(const char *filename);
 struct tls_keys_ref *tlskeys_ref_lookupid(int unique_id);

diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index 5bd76ba..c31a496 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h

@@ -25,6 +25,8 @@
 #include <openssl/ssl.h>
 #include <ebmbtree.h>
 
+#include <common/hathreads.h>
+
 struct sni_ctx {
 	SSL_CTX *ctx;             /* context associated to the certificate */
 	int order;                /* load order for the certificate */
@@ -54,6 +56,7 @@
 	int unique_id; /* Each pattern reference have unique id. */
 	struct tls_sess_key *tlskeys;
 	int tls_ticket_enc_index;
+	__decl_hathreads(HA_RWLOCK_T lock); /* lock used to protect the ref */
 };
 
 /* shared ssl session */