BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases

'add ssl crt-list' command is also concerned. This patch is similar to the
previous ones. Full buffer cases when we try to push the reply are not
properly handled. To fix the issue, the functions responsible to add a
crt-list entry were reworked.

First, the error message is now part of the service context. This way, if we
cannot push the error message in the response buffer, we may retry later. To
do so, a dedicated state was created (ADDCRT_ST_ERROR). Then, the success
message is also handled in a dedicated state (ADDCRT_ST_SUCCESS). This way
we are able to retry to push it if necessary. Finally, the dot displayed for
each new instance is now immediately pushed in the response buffer, and
before the update. This way, we are able to retry too if necessary.

This patch should fix the issue #1724. It must be backported as far as
2.2. But a massive refactoring was performed in 2.6. So, for the 2.5 and
below, the patch will have to be adapted.

(cherry picked from commit c642d7c131fe0cc29a5cd1feedef05e27a390403)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit ba2123e59358b45718afac390237a169fcb9a3b1)
[cf: As expected, the patch was highly adapted]]
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 76d2b2c795d7069c2ffd9825cccd36da8d7d604a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 6b400e2..95758bb 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -1012,8 +1012,9 @@
 {
 	struct crtlist_entry *entry = appctx->ctx.cli.p1;
 
-	if (appctx->st2 != SETCERT_ST_FIN) {
+	if (entry) {
 		struct ckch_inst *inst, *inst_s;
+
 		/* upon error free the ckch_inst and everything inside */
 		ebpt_delete(&entry->node);
 		LIST_DELETE(&entry->by_crtlist);
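Review bot: The new `if (entry)` test makes `appctx->ctx.cli.p1` the only signal that the entry still belongs to the CLI command, and nothing at this site documents that. The I/O handler resets `p1` to NULL just before entering SETCERT_ST_SUCCESS, so a non-NULL value here means the add failed or was aborted. A comment above the test would record the contract, for example `/* p1 is reset to NULL once the entry is committed; non-NULL means error or abort, so undo the insertion */`. The release function starts above this hunk and continues past it.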
@@ -1027,8 +1028,8 @@
 		free(entry->ssl_conf);
 		free(entry);
 	}
-
 	HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
+	ha_free(&appctx->ctx.cli.err);
 }
 
 
@@ -1045,30 +1046,23 @@
 	struct crtlist *crtlist = appctx->ctx.cli.p0;
 	struct crtlist_entry *entry = appctx->ctx.cli.p1;
 	struct ckch_store *store = entry->node.key;
-	struct buffer *trash = alloc_trash_chunk();
 	struct ckch_inst *new_inst;
-	char *err = NULL;
 	int i = 0;
 	int errcode = 0;
 
-	if (trash == NULL)
-		goto error;
-
 	/* for each bind_conf which use the crt-list, a new ckch_inst must be
 	 * created.
 	 */
 	if (unlikely(si_ic(si)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
-		goto error;
+		goto end;
 
 	while (1) {
 		switch (appctx->st2) {
 			case SETCERT_ST_INIT:
 				/* This state just print the update message */
-				chunk_printf(trash, "Inserting certificate '%s' in crt-list '%s'", store->path, crtlist->node.key);
-				if (ci_putchk(si_ic(si), trash) == -1) {
-					si_rx_room_blk(si);
+				chunk_printf(&trash, "Inserting certificate '%s' in crt-list '%s'", store->path, crtlist->node.key);
+				if (ci_putchk(si_ic(si), &trash) == -1)
 					goto yield;
-				}
 				appctx->st2 = SETCERT_ST_GEN;
 				/* fallthrough */
 			case SETCERT_ST_GEN:
@@ -1079,28 +1073,39 @@
 					struct bind_conf *bind_conf = bind_conf_node->bind_conf;
 					struct sni_ctx *sni;
 
+					appctx->ctx.cli.p2 = bind_conf_node;
+
 					/* yield every 10 generations */
 					if (i > 10) {
-						appctx->ctx.cli.p2 = bind_conf_node;
+						si_rx_endp_more(si); /* let's come back later */
 						goto yield;
 					}
 
+					/* display one dot for each new instance */
+					if (ci_putstr(si_ic(si), ".") == -1)
+						goto yield;
+
 					/* we don't support multi-cert bundles, only simple ones */
-					errcode |= ckch_inst_new_load_store(store->path, store, bind_conf, entry->ssl_conf, entry->filters, entry->fcount, &new_inst, &err);
-					if (errcode & ERR_CODE)
+					appctx->ctx.cli.err = NULL;
+					errcode |= ckch_inst_new_load_store(store->path, store, bind_conf, entry->ssl_conf, entry->filters, entry->fcount, &new_inst, &appctx->ctx.cli.err);
+					if (errcode & ERR_CODE) {
+						appctx->st2 = SETCERT_ST_ERROR;
 						goto error;
+					}
 
 					/* we need to initialize the SSL_CTX generated */
 					/* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
 					list_for_each_entry(sni, &new_inst->sni_ctx, by_ckch_inst) {
 						if (!sni->order) { /* we initialized only the first SSL_CTX because it's the same in the other sni_ctx's */
-							errcode |= ssl_sock_prepare_ctx(bind_conf, new_inst->ssl_conf, sni->ctx, &err);
-							if (errcode & ERR_CODE)
+							appctx->ctx.cli.err = NULL;
+							errcode |= ssl_sock_prepare_ctx(bind_conf, new_inst->ssl_conf, sni->ctx, &appctx->ctx.cli.err);
+							if (errcode & ERR_CODE) {
+								appctx->st2 = SETCERT_ST_ERROR;
 								goto error;
+							}
 						}
 					}
-					/* display one dot for each new instance */
-					chunk_appendf(trash, ".");
+
 					i++;
 					LIST_APPEND(&store->ckch_inst, &new_inst->by_ckchs);
 					LIST_APPEND(&entry->ckch_inst, &new_inst->by_crtlist_entry);
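Review bot: `appctx->ctx.cli.err = NULL;` before `ckch_inst_new_load_store()` and again before `ssl_sock_prepare_ctx()` drops whatever message an earlier call left in the context without freeing it. If either callee allocates a message on a warning (the success state prints `appctx->ctx.cli.err` when it is set, which suggests so), that string leaks on every iteration and only the last warning reaches the operator. Using `ha_free(&appctx->ctx.cli.err);` at both places would at least release the previous message; keeping all warnings would require accumulating them instead of resetting. The loop body starts above this hunk and continues past it.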
@@ -1116,39 +1121,38 @@
 					HA_RWLOCK_WRUNLOCK(SNI_LOCK, &new_inst->bind_conf->sni_lock);
 				}
 				entry->linenum = ++crtlist->linecount;
+				appctx->ctx.cli.p1 = NULL;
+				appctx->st2 = SETCERT_ST_SUCCESS;
+				/* fallthrough */
+			case SETCERT_ST_SUCCESS:
+				chunk_reset(&trash);
+				chunk_appendf(&trash, "\n");
+				if (appctx->ctx.cli.err)
+					chunk_appendf(&trash, "%s", appctx->ctx.cli.err);
+				chunk_appendf(&trash, "Success!\n");
+				if (ci_putchk(si_ic(si), &trash) == -1)
+					goto yield;
 				appctx->st2 = SETCERT_ST_FIN;
 				goto end;
+
+			case SETCERT_ST_ERROR:
+			  error:
+				chunk_printf(&trash, "\n%sFailed!\n", appctx->ctx.cli.err);
+				if (ci_putchk(si_ic(si), &trash) == -1)
+					goto yield;
+				goto end;
+
+			default:
+				goto end;
 		}
 	}
 
 end:
-	chunk_appendf(trash, "\n");
-	if (errcode & ERR_WARN)
-		chunk_appendf(trash, "%s", err);
-	chunk_appendf(trash, "Success!\n");
-	if (ci_putchk(si_ic(si), trash) == -1)
-		si_rx_room_blk(si);
-	free_trash_chunk(trash);
 	/* success: call the release function and don't come back */
 	return 1;
 yield:
-	/* store the state */
-	if (ci_putchk(si_ic(si), trash) == -1)
-		si_rx_room_blk(si);
-	free_trash_chunk(trash);
-	si_rx_endp_more(si); /* let's come back later */
+	si_rx_room_blk(si);
 	return 0; /* should come back */
-
-error:
-	/* spin unlock and free are done in the release function */
-	if (trash) {
-		chunk_appendf(trash, "\n%sFailed!\n", err);
-		if (ci_putchk(si_ic(si), trash) == -1)
-			si_rx_room_blk(si);
-		free_trash_chunk(trash);
-	}
-	/* error: call the release function and don't come back */
-	return 1;
 }
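Review bot: Re-entering the handler after a yield in SETCERT_ST_SUCCESS dereferences a NULL pointer. `appctx->ctx.cli.p1 = NULL;` is set before the success message is pushed, and when `ci_putchk()` returns -1 the function returns 0 to be called again; the declarations at the top then evaluate `entry->node.key` with `entry` loaded from `p1`. This is the full-buffer case the patch is meant to handle, so a full response buffer at the end of an otherwise successful `add ssl crt-list` could crash the process. As far as the visible code shows, `store` is only used in the INIT and GEN states, so the initialisation can be guarded: `struct ckch_store *store = entry ? entry->node.key : NULL;`. The function signature lies above the previous hunk.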