This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new e6231b3 Changed client context mapping to 2-level. Tested against a
TLS server to verify client context is created and found.
e6231b3 is described below
commit e6231b3faecafffa84f72bd3a82bcaf974b86a31
Author: dyrock <[email protected]>
AuthorDate: Thu Feb 21 17:06:41 2019 -0600
Changed client context mapping to 2-level. Tested against a TLS server to
verify client context is created and found.
---
iocore/net/P_SSLConfig.h | 10 +++++----
iocore/net/SSLConfig.cc | 54 +++++++++++++++++++++++++++++++++++++-----------
2 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index df17866..14b7b9f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -120,10 +120,12 @@ struct SSLConfigParams : public ConfigInfo {
SSL_CTX *client_ctx;
- // Making this mutable since this is a updatable
- // cache on an otherwise immutable config object
- // The ctx_map owns the client SSL_CTX objects and is responseible for
cleaning them up
- mutable std::unordered_map<std::string, SSL_CTX *> ctx_map;
+ // Client contexts are held by 2-level map:
+ // The first level maps from CA bundle file&path to next level map;
+ // The second level maps from cert&key to actual SSL_CTX;
+ // The second level map owns the client SSL_CTX objects and is responsible
for cleaning them up
+ using CTX_MAP = std::unordered_map<std::string, SSL_CTX *>;
+ mutable std::unordered_map<std::string, CTX_MAP *> top_level_ctx_map;
mutable ink_mutex ctxMapLock;
SSL_CTX *getClientSSL_CTX(void) const;
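Review bot: `mutable std::unordered_map<std::string, CTX_MAP *> top_level_ctx_map;` stores the second-level map through an owning raw pointer, which is what forces the `new CTX_MAP`, the `== nullptr` re-check and the `delete` at every use site in SSLConfig.cc. Holding it by value, `mutable std::unordered_map<std::string, CTX_MAP> top_level_ctx_map;`, lets `try_emplace(top_level_key)` create the inner map on demand and `top_level_ctx_map.clear()` release it, with no pointer checks left to get wrong. The new comment also says the second-level map "owns" the `SSL_CTX` objects, but an `unordered_map<std::string, SSL_CTX *>` frees nothing on destruction; I would state where the ownership is actually discharged, e.g. `// Ownership of the SSL_CTX values is released only by cleanupCTXTable(), which calls SSL_CTX_free on each entry`.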
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 1fd1955..26a65a4 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -670,12 +670,26 @@ SSL_CTX *
SSLConfigParams::getCTX(const char *client_cert, const char *key_file, const
char *ca_bundle_file, const char *ca_bundle_path) const
{
SSL_CTX *client_ctx = nullptr;
- std::string key;
- ts::bwprint(key, "{}:{}:{}:{}", client_cert, key_file, ca_bundle_file,
ca_bundle_path);
+ CTX_MAP *ctx_map = nullptr;
+ std::string top_level_key, ctx_key;
+ ts::bwprint(top_level_key, "{}:{}", ca_bundle_file, ca_bundle_path);
+ ts::bwprint(ctx_key, "{}:{}", client_cert, key_file, ca_bundle_file,
ca_bundle_path);
ink_mutex_acquire(&ctxMapLock);
- auto iter = ctx_map.find(key);
- if (iter != ctx_map.end()) {
+ // Do first level searching and create new CTX_MAP as second level if not
exists.
+ auto top_iter = top_level_ctx_map.find(top_level_key);
+ if (top_iter != top_level_ctx_map.end()) {
+ if (top_iter->second == nullptr) {
+ top_iter->second = new CTX_MAP;
+ }
+ ctx_map = top_iter->second;
+ } else {
+ ctx_map = new CTX_MAP;
+ top_level_ctx_map.insert(std::make_pair(top_level_key, ctx_map));
+ }
+ // Do second level searching and return client ctx if found
+ auto iter = ctx_map->find(ctx_key);
+ if (iter != ctx_map->end()) {
client_ctx = iter->second;
ink_mutex_release(&ctxMapLock);
return client_ctx;
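Review bot: `ts::bwprint(ctx_key, "{}:{}", client_cert, key_file, ca_bundle_file, ca_bundle_path);` passes four arguments to a two-placeholder format; the trailing `ca_bundle_file, ca_bundle_path` look like a leftover from the old single-level key and are presumably ignored, so the line should read `ts::bwprint(ctx_key, "{}:{}", client_cert, key_file);` to make the intended key content explicit. The find-or-create of the second-level map (`top_iter` lookup, `new CTX_MAP`, `insert`) is repeated verbatim after the second `ink_mutex_acquire` in the next hunk (L81–L90); factoring it into a private helper that requires `ctxMapLock` to be held would keep the two paths from drifting. The body of `getCTX` continues outside this hunk, where `client_ctx` is actually created.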
@@ -717,12 +731,22 @@ SSLConfigParams::getCTX(const char *client_cert, const
char *key_file, const cha
}
ink_mutex_acquire(&ctxMapLock);
- iter = ctx_map.find(key);
- if (iter != ctx_map.end()) {
+ top_iter = top_level_ctx_map.find(top_level_key);
+ if (top_iter != top_level_ctx_map.end()) {
+ if (top_iter->second == nullptr) {
+ top_iter->second = new CTX_MAP;
+ }
+ ctx_map = top_iter->second;
+ } else {
+ ctx_map = new CTX_MAP;
+ top_level_ctx_map.insert(std::make_pair(top_level_key, ctx_map));
+ }
+ iter = ctx_map->find(ctx_key);
+ if (iter != ctx_map->end()) {
SSL_CTX_free(client_ctx);
client_ctx = iter->second;
} else {
- ctx_map.insert(std::make_pair(key, client_ctx));
+ ctx_map->insert(std::make_pair(ctx_key, client_ctx));
}
ink_mutex_release(&ctxMapLock);
return client_ctx;
@@ -738,11 +762,17 @@ void
SSLConfigParams::cleanupCTXTable()
{
ink_mutex_acquire(&ctxMapLock);
- auto iter = ctx_map.begin();
- while (iter != ctx_map.end()) {
- SSL_CTX_free(iter->second);
- ++iter;
+ CTX_MAP *ctx_map = nullptr;
+ for (auto &top_pair : top_level_ctx_map) {
+ ctx_map = top_pair.second;
+ if (ctx_map) {
+ for (auto &pair : (*ctx_map)) {
+ SSL_CTX_free(pair.second);
+ }
+ ctx_map->clear();
+ delete ctx_map;
+ }
}
- ctx_map.clear();
+ top_level_ctx_map.clear();
ink_mutex_release(&ctxMapLock);
}
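Review bot: `ctx_map->clear();` immediately before `delete ctx_map;` is redundant, since the destructor discards the entries anyway, and `CTX_MAP *ctx_map = nullptr;` outside the loop is only ever assigned inside it. Scoping the pointer to the loop and dropping the clear reads more directly: `if (CTX_MAP *ctx_map = top_pair.second) {` followed by the `SSL_CTX_free` loop and `delete ctx_map;`. A short comment above the loop noting that this function is the only place the cached `SSL_CTX` objects are released, and that it runs under `ctxMapLock`, would help the next reader of the two-level structure.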