Repository: trafficserver Updated Branches: refs/heads/master 744eabae0 -> a5a93ac5a
TS-2437: add a lifecycle hook to expose loaded SSL certificates to plugins Add two new lifecycle hooks, TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK and TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK. The reason for these hooks is that I have a use case to manipulate (overwrite) the OpenSSL related callbacks in my plugin. I think it is also useful for applications who have a need to change or retrieve the SSL related attributes (callbacks, certs, configurations, etc). Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a5a93ac5 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a5a93ac5 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a5a93ac5 Branch: refs/heads/master Commit: a5a93ac5ac45b2ba810c4b3e8ce311cd23bf8ff2 Parents: 744eaba Author: Wei Sun <[email protected]> Authored: Mon Feb 24 15:10:50 2014 -0800 Committer: James Peach <[email protected]> Committed: Mon Feb 24 15:10:50 2014 -0800 ---------------------------------------------------------------------- CHANGES | 3 +++ iocore/net/P_SSLConfig.h | 4 ++++ iocore/net/SSLConfig.cc | 1 + iocore/net/SSLUtils.cc | 12 ++++++++++++ proxy/Main.cc | 17 ++++++++++++++++- proxy/api/ts/ts.h.in | 18 ++++++++++++++++++ 6 files changed, 54 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a5a93ac5/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 16463e3..f0bee49 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.0.0 + *) [TS-2437] Add a lifecycle hook to expose loaded SSL certificates to plugins. + Author: Wei Sun <[email protected]> + *) [TS-2582] Make traffic_cop debugging eadier by logging to stdout. *) [TS-2579] Remove ipv4 limit for FetchSM and TSFetchUrl/TSFetchPages. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a5a93ac5/iocore/net/P_SSLConfig.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h index d7d98ce..6408de3 100644 --- a/iocore/net/P_SSLConfig.h +++ b/iocore/net/P_SSLConfig.h @@ -44,6 +44,8 @@ struct SSLCertLookup; ///////////////////////////////////////////////////////////// +typedef void (*init_ssl_ctx_func)(void *, bool); + struct SSLConfigParams : public ConfigInfo { enum SSL_SESSION_CACHE_MODE @@ -79,6 +81,8 @@ struct SSLConfigParams : public ConfigInfo static int ssl_maxrecord; static bool ssl_allow_client_renegotiation; + static init_ssl_ctx_func init_ssl_ctx_cb; + void initialize(); void cleanup(); }; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a5a93ac5/iocore/net/SSLConfig.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index d86dbf3..0b2df26 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc @@ -43,6 +43,7 @@ int SSLConfig::configid = 0; int SSLCertificateConfig::configid = 0; int SSLConfigParams::ssl_maxrecord = 0; bool SSLConfigParams::ssl_allow_client_renegotiation = false; +init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = NULL; static ConfigUpdateHandler<SSLCertificateConfig> * sslCertUpdate; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a5a93ac5/iocore/net/SSLUtils.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 474f456..ca1b82b 100644 
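Review bot: The new `init_ssl_ctx_func` typedef and `init_ssl_ctx_cb` static are undocumented, and `void *` hides that the first argument is the OpenSSL `SSL_CTX *` the SSLUtils.cc call sites pass in, while the `bool` only reads as "server context" once you find those call sites. I would add above the typedef: `// Invoked with each freshly initialized SSL_CTX* (server contexts with the flag true, the client context with false); Main.cc installs it to fan out to plugin lifecycle hooks.` Because this is a plain mutable static read from the context-initialization paths, it is worth stating that it must be assigned before any context is built and never reassigned afterwards, which the ordering in Main.cc relies on.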
--- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -601,6 +601,10 @@ SSLInitClientContext(const SSLConfigParams * params) } } + if (SSLConfigParams::init_ssl_ctx_cb) { + SSLConfigParams::init_ssl_ctx_cb(client_ctx, false); + } + return client_ctx; fail: @@ -761,6 +765,10 @@ ssl_store_ssl_context( Debug("ssl", "importing SNI names from %s", (const char *)certpath); ssl_index_certificate(lookup, ctx, certpath); + if (SSLConfigParams::init_ssl_ctx_cb) { + SSLConfigParams::init_ssl_ctx_cb(ctx, true); + } + return true; } @@ -908,6 +916,10 @@ SSLParseCertificateConfiguration( #endif /* TS_USE_TLS_ALPN */ lookup->insert(lookup->ssl_default, "*"); + if (SSLConfigParams::init_ssl_ctx_cb) { + SSLConfigParams::init_ssl_ctx_cb(lookup->ssl_default, true); + } + } return true; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a5a93ac5/proxy/Main.cc ---------------------------------------------------------------------- diff --git a/proxy/Main.cc b/proxy/Main.cc index ddaf38c..32378fb 100644 --- a/proxy/Main.cc +++ b/proxy/Main.cc @@ -118,6 +118,7 @@ static const long MAX_LOGIN = sysconf(_SC_LOGIN_NAME_MAX) <= 0 ? _POSIX_LOGIN_N static void * mgmt_restart_shutdown_callback(void *, char *, int data_len); static void* mgmt_storage_device_cmd_callback(void* x, char* data, int len); +static void init_ssl_ctx_callback(void *ctx, bool server); static int version_flag = DEFAULT_VERSION_FLAG; @@ -1523,7 +1524,6 @@ main(int /* argc ATS_UNUSED */, char **argv) NetProcessor::accept_mss = accept_mss; netProcessor.start(0, stacksize); - sslNetProcessor.start(getNumSSLThreads(), stacksize); dnsProcessor.start(0, stacksize); if (hostDBProcessor.start() < 0) 
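Review bot: In the `ssl_store_ssl_context` hunk the callback hands plugins the raw `ctx` after it has been indexed into `lookup`, and since SSLConfig.cc registers a `ConfigUpdateHandler<SSLCertificateConfig>` this path presumably runs again on every certificate-configuration reload, creating new `SSL_CTX` objects while the old lookup (and its contexts) is retired. A plugin that caches the pointer it received, or assumes the hook fires once per process, will touch a freed context or miss the replacement one. Because the hook fires after all core setup, anything the core configured on the context (verify mode, callbacks, cipher settings) can be silently overridden by any loaded plugin, so the hook effectively grants plugins full TLS-policy control and the API docs should say so. I would add before the new `if`: `// Plugins may reconfigure ctx here; it is owned by lookup and becomes invalid once the certificate config is replaced.` The start of `ssl_store_ssl_context` is outside this hunk.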
@@ -1535,6 +1535,9 @@ main(int /* argc ATS_UNUSED */, char **argv) // Init plugins as soon as logging is ready. plugin_init(); // plugin.config + + SSLConfigParams::init_ssl_ctx_cb = init_ssl_ctx_callback; + sslNetProcessor.start(getNumSSLThreads(), stacksize); pmgmt->registerPluginCallbacks(global_config_cbs); cacheProcessor.set_after_init_callback(&CB_After_Cache_Init); @@ -1699,3 +1702,15 @@ mgmt_storage_device_cmd_callback(void* data, char* arg, int len) } return NULL; } + +static void +init_ssl_ctx_callback(void *ctx, bool server) +{ + TSEvent event = server ? TS_EVENT_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED : TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED; + APIHook *hook = lifecycle_hooks->get(server ? TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK : TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK); + + while (hook) { + hook->invoke(event, ctx); + hook = hook->next(); + } +} http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a5a93ac5/proxy/api/ts/ts.h.in ---------------------------------------------------------------------- diff --git a/proxy/api/ts/ts.h.in b/proxy/api/ts/ts.h.in index 3d0c987..d65f3a2 100644 --- a/proxy/api/ts/ts.h.in +++ b/proxy/api/ts/ts.h.in @@ -310,6 +310,20 @@ extern "C" Event: TS_EVENT_LIFECYCLE_CACHE_READY + TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK + + called every time after a server SSL_CTX has finished the initialization. + It exposes the initialized SSL_CTX pointer. + + Event: TS_EVENT_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED + + TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK + + called once, after the client SSL_CTX has finished the initialization. + It exposes the initialized SSL_CTX pointer. + + Event: TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED + Ordering guarantees: - TS_LIFECYCLE_PORTS_INITIALIZED_HOOK before TS_LIFECYCLE_PORTS_READY_HOOK. 
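Review bot: The startup reordering is a visible behaviour change for every plugin, not only users of the new hooks, and the CHANGES entry does not mention it: `TSPluginInit` now runs before `sslNetProcessor.start()` and therefore before any server `SSL_CTX` exists. The bare assignment of `init_ssl_ctx_cb` also carries no explanation of why it must sit between `plugin_init()` and the SSL start. I would extend the comment to `// Plugins must load before sslNetProcessor.start() so their SSL_CTX lifecycle hooks are registered before the first context is built; init_ssl_ctx_cb fans those hooks out.` `main` continues outside the hunk on both sides.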
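Review bot: `init_ssl_ctx_callback` passes the same mutable `ctx` to every registered hook in list order with no way for the core to re-validate the context afterwards, so a later plugin can undo what an earlier one set (a verify callback, for example) and nothing records that it happened. The function also has no header comment; I would add `// Fan a freshly initialized SSL_CTX out to every TS_LIFECYCLE_*_SSL_CTX_INITIALIZED hook; hooks run in registration order and may mutate ctx, so later plugins override earlier ones.` If `lifecycle_hooks` can be unset when a context is built (not visible here), `lifecycle_hooks->get(...)` dereferences it unguarded; the new startup ordering covers the boot path, but a certificate reload would reach this function through a different caller.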
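Review bot: The new hook documentation never says what the event data is or who owns it, which is the first thing a plugin author needs: the handler receives the raw OpenSSL `SSL_CTX *` as `edata`, it belongs to Traffic Server, and for server contexts it is replaced whenever the certificate configuration is reloaded, at which point the hook fires again for the new contexts. "called once" for the client hook is also only true if `SSLInitClientContext` is never re-run on an SSL config reload; `SSLConfig::configid` in SSLConfig.cc suggests that configuration is reloadable, so I would hedge that wording. I would add under both hooks: `Event data is the SSL_CTX* (edata). It is owned by Traffic Server and must not be retained after the callback returns; changes made to it are not re-applied when the context is rebuilt.`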
@@ -322,6 +336,8 @@ extern "C" TS_LIFECYCLE_PORTS_INITIALIZED_HOOK, TS_LIFECYCLE_PORTS_READY_HOOK, TS_LIFECYCLE_CACHE_READY_HOOK, + TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK, + TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK, TS_LIFECYCLE_LAST_HOOK } TSLifecycleHookID; @@ -413,6 +429,8 @@ extern "C" TS_EVENT_LIFECYCLE_PORTS_INITIALIZED = 60018, TS_EVENT_LIFECYCLE_PORTS_READY = 60019, TS_EVENT_LIFECYCLE_CACHE_READY = 60020, + TS_EVENT_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED = 60021, + TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED = 60022, TS_EVENT_MGMT_UPDATE = 60100, /* EVENTS 60200 - 60202 for internal use */
