Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 821bb9beaa40b4793ad4617fdf4fdab5ad4a4c7b^! / . / include
commit821bb9beaa40b4793ad4617fdf4fdab5ad4a4c7b[log] [tgz]
authorEmeric Brun <ebrun@haproxy.com>Thu Jun 15 16:37:39 2017 +0200
committerWilly Tarreau <w@1wt.eu>Tue Oct 31 13:58:32 2017 +0100
treea5285d093c902207968a19bedfe1725aad643fe0
parent6b35e9bfbf0f37c8a584c7aabb475afb81b7008c [diff]
MAJOR: threads/ssl: Make SSL part thread-safe

First, OpenSSL is now initialized to be thread-safe. This is done by setting 2
callbacks. The first one is ssl_locking_function. It handles the locks and
unlocks. The second one is ssl_id_function. It returns the current thread
id. During the init step, we create as much as R/W locks as needed, ie the
number returned by CRYPTO_num_locks function.

Next, The reusable SSL session in the server context is now thread-local.

Shctx is now also initialized if HAProxy is started with several threads.

And finally, a global lock has been added to protect the LRU cache used to store
generated certificates. The function ssl_sock_get_generated_cert is now
deprecated because the retrieved certificate can be removed by another threads
in same time. Instead, a new function has been added,
ssl_sock_assign_generated_cert. It must be used to search a certificate in the
cache and set it immediatly if found.

diff --git a/include/common/hathreads.h b/include/common/hathreads.h
index 81c2aad..e23b687 100644
--- a/include/common/hathreads.h
+++ b/include/common/hathreads.h

@@ -158,6 +158,8 @@
 	PEER_LOCK,
 	BUF_WQ_LOCK,
 	STRMS_LOCK,
+	SSL_LOCK,
+	SSL_GEN_CERTS_LOCK,
 	LOCK_LABELS
 };
 struct lock_stat {
@@ -244,7 +246,7 @@
 					   "TASK_RQ", "TASK_WQ", "POOL",
 					   "LISTENER", "LISTENER_QUEUE", "PROXY", "SERVER",
 					   "UPDATED_SERVERS", "LBPRM", "SIGNALS", "STK_TABLE", "STK_SESS",
-					   "APPLETS", "PEER", "BUF_WQ", "STREAMS" };
+					   "APPLETS", "PEER", "BUF_WQ", "STREAMS", "SSL", "SSL_GEN_CERTS"};
 	int lbl;
 
 	for (lbl = 0; lbl < LOCK_LABELS; lbl++) {

diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 8f8d277..ce76849 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h

@@ -72,6 +72,7 @@
 void ssl_free_engines(void);
 
 SSL_CTX *ssl_sock_create_cert(struct connection *conn, const char *servername, unsigned int key);
+SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind_conf, SSL *ssl);
 SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_conf);
 int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf);
 unsigned int ssl_sock_generated_cert_key(const void *data, size_t len);

diff --git a/include/types/server.h b/include/types/server.h
index 31fb76f..4a31934 100644
--- a/include/types/server.h
+++ b/include/types/server.h

@@ -273,7 +273,7 @@
 	char *sni_expr;             /* Temporary variable to store a sample expression for SNI */
 	struct {
 		SSL_CTX *ctx;
-		SSL_SESSION *reused_sess;
+		SSL_SESSION **reused_sess;
 		char *ciphers;			/* cipher suite to use if non-null */
 		int options;			/* ssl options */
 		struct tls_version_filter methods;	/* ssl methods */