MINOR: ssl: Allow duplicated entries in the cafile_tree
In order to ease ca-file hot update via the CLI, the ca-file tree will
need to allow duplicate entries for a given path. This patch simply
enables it and offers a way to select either the oldest entry or the
latest entry in the tree for a given path.
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 41bc7e1..c8f0f2f 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -923,18 +923,42 @@
/******************** ssl_store functions ******************************/
-struct eb_root cafile_tree = EB_ROOT_UNIQUE;
+struct eb_root cafile_tree = EB_ROOT;
-X509_STORE* ssl_store_get0_locations_file(char *path)
+/*
+ * Returns the cafile_entry found in the cafile_tree indexed by the path 'path'.
+ * If 'oldest_entry' is 1, returns the "original" cafile_entry (since
+ * during a set cafile/commit cafile cycle there might be two entries for any
+ * given path, the original one and the new one set via the CLI but not
+ * committed yet).
+ */
+static struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry)
{
+ struct cafile_entry *ca_e = NULL;
struct ebmb_node *eb;
eb = ebst_lookup(&cafile_tree, path);
- if (eb) {
- struct cafile_entry *ca_e;
+ while (eb) {
ca_e = ebmb_entry(eb, struct cafile_entry, node);
- return ca_e->ca_store;
+ /* The ebst_lookup in a tree that has duplicates returns the
+ * oldest entry first. If we want the latest entry, we need to
+ * iterate over all the duplicates until we find the last one
+ * (in our case there should never be more than two entries for
+ * any given path). */
+ if (oldest_entry)
+ return ca_e;
+ eb = ebmb_next_dup(eb);
}
+ return ca_e;
+}
+
+X509_STORE* ssl_store_get0_locations_file(char *path)
+{
+ struct cafile_entry *ca_e = ssl_store_get_cafile_entry(path, 0);
+
+ if (ca_e)
+ return ca_e->ca_store;
+
return NULL;
}