CLEANUP: ssl/cli: use a local context for "commit ssl cert"
This command only really uses old_ckchs, new_ckchs and next_ckchi
from the appctx's ssl context. The new structure "commit_cert_ctx"
only has these 3 fields, though none could be removed from the shared
ssl context since they're still used by other commands.
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 48127de..2f5eae2 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -84,6 +84,13 @@
int transaction;
};
+/* CLI context used by "commit cert" */
+struct commit_cert_ctx {
+ struct ckch_store *old_ckchs;
+ struct ckch_store *new_ckchs;
+ struct ckch_inst *next_ckchi;
+};
+
/******************** cert_key_and_chain functions *************************
@@ -1822,13 +1829,14 @@
/* release function of the `set ssl cert' command, free things and unlock the spinlock */
static void cli_release_commit_cert(struct appctx *appctx)
{
+ struct commit_cert_ctx *ctx = appctx->svcctx;
struct ckch_store *new_ckchs;
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
if (appctx->st2 != SETCERT_ST_FIN) {
/* free every new sni_ctx and the new store, which are not in the trees so no spinlock there */
- new_ckchs = appctx->ctx.ssl.new_ckchs;
+ new_ckchs = ctx->new_ckchs;
/* if the allocation failed, we need to free everything from the temporary list */
ckch_store_free(new_ckchs);
@@ -1994,6 +2002,7 @@
*/
static int cli_io_handler_commit_cert(struct appctx *appctx)
{
+ struct commit_cert_ctx *ctx = appctx->svcctx;
struct conn_stream *cs = appctx->owner;
int y = 0;
char *err = NULL;
@@ -2027,14 +2036,14 @@
* yield every 10 instances.
*/
- old_ckchs = appctx->ctx.ssl.old_ckchs;
- new_ckchs = appctx->ctx.ssl.new_ckchs;
+ old_ckchs = ctx->old_ckchs;
+ new_ckchs = ctx->new_ckchs;
if (!new_ckchs)
continue;
/* get the next ckchi to regenerate */
- ckchi = appctx->ctx.ssl.next_ckchi;
+ ckchi = ctx->next_ckchi;
/* we didn't start yet, set it to the first elem */
if (ckchi == NULL)
ckchi = LIST_ELEM(old_ckchs->ckch_inst.n, typeof(ckchi), by_ckchs);
@@ -2046,7 +2055,7 @@
/* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
if (y >= 10) {
/* save the next ckchi to compute */
- appctx->ctx.ssl.next_ckchi = ckchi;
+ ctx->next_ckchi = ckchi;
goto yield;
}
@@ -2064,8 +2073,8 @@
case SETCERT_ST_INSERT:
/* The generation is finished, we can insert everything */
- old_ckchs = appctx->ctx.ssl.old_ckchs;
- new_ckchs = appctx->ctx.ssl.new_ckchs;
+ old_ckchs = ctx->old_ckchs;
+ new_ckchs = ctx->new_ckchs;
if (!new_ckchs)
continue;
@@ -2117,6 +2126,7 @@
*/
static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appctx, void *private)
{
+ struct commit_cert_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
char *err = NULL;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
@@ -2153,9 +2163,9 @@
/* init the appctx structure */
appctx->st2 = SETCERT_ST_INIT;
- appctx->ctx.ssl.next_ckchi = NULL;
- appctx->ctx.ssl.new_ckchs = ckchs_transaction.new_ckchs;
- appctx->ctx.ssl.old_ckchs = ckchs_transaction.old_ckchs;
+ ctx->next_ckchi = NULL;
+ ctx->new_ckchs = ckchs_transaction.new_ckchs;
+ ctx->old_ckchs = ckchs_transaction.old_ckchs;
/* we don't unlock there, it will be unlock after the IO handler, in the release handler */
return 0;