Github user shinrich commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/1226#discussion_r94591982
--- Diff: iocore/net/P_SSLNetProcessor.h ---
@@ -63,6 +64,90 @@ struct SSLNetProcessor : public UnixNetProcessor {
return client_ctx;
}
+ // InsertCTX hashes on the absolute path to the client certificate file
and stores in the map
+ bool
+ InsertCTX(cchar *client_cert, SSL_CTX *cctx)
+ {
+ ink_mutex_acquire(&ctxMapLock);
+ if (client_cert == nullptr) {
+ ctx_map.put(nullptr, cctx);
+ return true;
+ }
+ // dup is required here to avoid the nullifying of the keys stored in
the map.
+ // client_cert is coming from the overridable clientcert config
retrieved by the remap plugin.
+ cchar *cert = ats_strdup(client_cert);
+ // Hashmap has no delete functionality :(
+ ctx_map.put(cert, cctx);
+ ink_mutex_release(&ctxMapLock);
+ return true;
+ }
+
+ void
+ printCTXmap()
+ {
+ Vec<cchar *> keys;
+ ctx_map.get_keys(keys);
+ for (size_t i = 0; i < keys.length(); i++)
+ Debug("ssl", "Client certificates in the map %s", keys.get(i));
+ }
+ void
+ freeCTXmap()
+ {
+ ink_mutex_acquire(&ctxMapLock);
+ Vec<cchar *> keys;
+ ctx_map.get_keys(keys);
+ size_t n = keys.length();
+ Debug("ssl", "freeing CTX Map");
+ for (size_t i = 0; i < n; i++) {
+ deleteKey(keys.get(i));
+ ats_free((char *)keys.get(i));
+ }
+ ctx_map.clear();
+ ink_mutex_release(&ctxMapLock);
+ }
+
+ void
+ deleteKey(cchar *key)
+ {
+ SSL_CTX_free((SSL_CTX *)ctx_map.get(key));
+ }
+ // creates a new context attaching the provided certificate
+ SSL_CTX *
+ getNewCTX(char *client_cert)
+ {
+ SSL_CTX *client_ctx = nullptr;
+
+ SSLConfig::scoped_config params;
+
+ client_ctx = SSLInitClientContext(params);
+ if (!client_ctx) {
+ SSLError("Can't initialize the SSL client, HTTPS in remap rules will
not function");
+ }
+ if (client_ctx && client_cert != nullptr) {
+ if (!SSL_CTX_use_certificate_chain_file(client_ctx, (const char
*)client_cert)) {
+ SSLError("failed to load client certificate from %s",
params->clientCertPath);
+ goto fail;
+ }
+ }
+ return client_ctx;
+ fail:
+ SSLReleaseContext(client_ctx);
+ ::exit(1);
+ }
+
+ // getCTX: returns the context attached to the given certificate
+ SSL_CTX *
+ getCTX(cchar *client_cert)
+ {
+ ink_mutex_acquire(&ctxMapLock);
+ if (client_cert == nullptr) {
+ return ctx_map.get(nullptr);
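Review bot: The error path in getNewCTX logs the wrong file: when `SSL_CTX_use_certificate_chain_file` fails on `client_cert`, the message reports `params->clientCertPath` (the global config value), so a bad per-remap certificate path is attributed to the wrong file; it should be `SSLError("failed to load client certificate from %s", client_cert);`. The same `fail:` label ends in `::exit(1)`, and since the comment above InsertCTX says the path comes from the overridable clientcert config retrieved by the remap plugin, a single mistyped path in one remap rule would take down the whole process rather than failing that rule — returning `nullptr` after `SSLReleaseContext(client_ctx)` and letting the caller reject the rule looks like the safer contract, if callers can handle it. printCTXmap also walks `ctx_map` without taking `ctxMapLock`, while InsertCTX mutates the map under that lock, so a debug dump can race with an insert. getCTX's body continues past the end of the quoted hunk.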
--- End diff --
Are we returning without dropping the mutex?