maskit commented on code in PR #13284:
URL: https://github.com/apache/trafficserver/pull/13284#discussion_r3424029509
##########
src/iocore/net/TLSCertCompression.cc:
##########
@@ -97,8 +97,105 @@ find_algorithm(std::string const &name)
} // end anonymous namespace
#endif
+#if HAVE_SSL_CTX_ADD_CERT_COMPRESSION_ALG
+static int cert_compress_cache_index = -1;
+
+static void
+cert_compress_cache_free_cb(void * /* parent */, void *ptr, CRYPTO_EX_DATA *
/* ad */, int /* idx */, long /* argl */,
+ void * /* argp */)
+{
+ auto *cache = static_cast<CertCompressionCache *>(ptr);
+ if (cache) {
+ for (auto &slot : cache->slots) {
+ delete slot.live.load(std::memory_order_acquire);
+ delete slot.retired.load(std::memory_order_acquire);
+ }
+ delete cache;
+ }
+}
+
+void
+cert_compress_cache_init()
+{
+ if (cert_compress_cache_index != -1) {
+ return;
+ }
+ cert_compress_cache_index = SSL_CTX_get_ex_new_index(0, nullptr, nullptr,
nullptr, cert_compress_cache_free_cb);
+}
+
+CertCompressionCache *
+cert_compress_cache_get(SSL_CTX *ctx)
+{
+ if (cert_compress_cache_index < 0) {
+ return nullptr;
+ }
+ return static_cast<CertCompressionCache *>(SSL_CTX_get_ex_data(ctx,
cert_compress_cache_index));
+}
+
+static void
+cert_compress_cache_attach(SSL_CTX *ctx)
+{
+ if (cert_compress_cache_index < 0) {
+ return;
+ }
+ auto *cache = new CertCompressionCache();
+ SSL_CTX_set_ex_data(ctx, cert_compress_cache_index, cache);
+}
+
+void
+cert_compress_cache_try_publish(CertCompressionCache::Slot &slot,
CertCompressionCache::Entry const *fresh)
+{
+ CertCompressionCache::Entry const *expected = nullptr;
+ if (!slot.live.compare_exchange_strong(expected, fresh,
std::memory_order_acq_rel)) {
+ delete fresh;
+ }
+}
+
+void
+cert_compress_cache_invalidate(SSL_CTX *ctx)
+{
+ auto *cache = cert_compress_cache_get(ctx);
+ if (!cache) {
+ return;
+ }
+ for (auto &slot : cache->slots) {
+ auto const *prev = slot.live.exchange(nullptr,
std::memory_order_acq_rel);
+ auto const *to_free = slot.retired.exchange(prev,
std::memory_order_acq_rel);
+ delete to_free;
+ }
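Review bot: cert_compress_cache_attach ignores the return value of SSL_CTX_set_ex_data, so if the call fails the newly allocated CertCompressionCache is never stored on the SSL_CTX and cert_compress_cache_free_cb will not release it. Checking the result closes that leak: `if (SSL_CTX_set_ex_data(ctx, cert_compress_cache_index, cache) != 1) { delete cache; }`. The function also overwrites whatever pointer is already in the slot. Its callers are not visible in this quoted hunk, so if attach can run more than once for the same SSL_CTX the earlier cache would leak as well; a short comment stating the once-per-context precondition would make that explicit.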
Review Comment:
Unreachable on BoringSSL since HAVE_NATIVE_DUAL_CERT_SUPPORT is off — one
SSL_CTX per cert, so ocsp_update can't invalidate the same SSL_CTX twice in one
tick. If that invariant ever changes, a one-line `if (prev != nullptr)` guard
closes the window without needing RCU.