[trafficserver] branch master updated (718bef4 -> fb0bf03)
This is an automated email from the ASF dual-hosted git repository.

oknet pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.

    from 718bef4  Treat objects with negative max-age CC directives as stale. (#7260)
     add fb0bf03  Bugfix: set a default inactivity timeout only if a read or write I/O operation was set (#7226)

No new revisions were added by this update.

Summary of changes:
 iocore/net/UnixNet.cc | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)
[trafficserver] branch master updated (c83f7e1 -> 718bef4)
This is an automated email from the ASF dual-hosted git repository.

bneradt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.

    from c83f7e1  Remove some useless defines, which just obfuscates code (#7252)
     add 718bef4  Treat objects with negative max-age CC directives as stale. (#7260)

No new revisions were added by this update.

Summary of changes:
 proxy/http/HttpTransact.cc                         | 23 +-
 tests/gold_tests/cache/cache-control.test.py       | 24 ++
 .../cache/replay/cache-control-max-age.replay.yaml | 360 +
 3 files changed, 405 insertions(+), 2 deletions(-)
 create mode 100644 tests/gold_tests/cache/replay/cache-control-max-age.replay.yaml
[trafficserver] branch 9.0.x updated: Updated ChangeLog
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new d2aa989 Updated ChangeLog d2aa989 is described below commit d2aa9893c731f890531ec6b1fc625fd863f11698 Author: Leif Hedstrom AuthorDate: Thu Oct 8 14:41:44 2020 -0600 Updated ChangeLog --- CHANGELOG-9.0.0 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG-9.0.0 b/CHANGELOG-9.0.0 index 14acf4b..f03a770 100644 --- a/CHANGELOG-9.0.0 +++ b/CHANGELOG-9.0.0 @@ -1107,6 +1107,9 @@ Changes with Apache Traffic Server 9.0.0 #7215 - Log config reload: use new config for initialization #7218 - Stop crash on disk failure #7219 - Ensure that ca override does not get lost + #7222 - Running autopep8 on the 9.0.x branch. #7224 - Fix renamed setting in default config #7225 - Increment ssl_error_syscall only if not EOF + #7238 - Supporting out of source builds for AuTests. #7243 - RolledLogDeleter: do not sort on each candidate consideration. + #7252 - Remove some useless defines, which just obfuscates code
[trafficserver] branch master updated (e6e6ca2 -> c83f7e1)
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.

    from e6e6ca2  Remove useless if for port set assertion. (#7250)
     add c83f7e1  Remove some useless defines, which just obfuscates code (#7252)

No new revisions were added by this update.

Summary of changes:
 proxy/hdrs/HdrToken.cc            | 2 +-
 proxy/hdrs/HdrToken.h             | 6 --
 proxy/hdrs/MIME.h                 | 2 +-
 proxy/http/HttpTransactHeaders.cc | 6 +++---
 4 files changed, 5 insertions(+), 11 deletions(-)
[trafficserver] branch 9.0.x updated: Remove some useless defines, which just obfuscates code (#7252)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new eca77eb Remove some usless defines, which just obsfucates code (#7252) eca77eb is described below commit eca77eb1b20d27727d9cd45d3f5c5a23f2eb1014 Author: Leif Hedstrom AuthorDate: Thu Oct 8 14:37:01 2020 -0600 Remove some usless defines, which just obsfucates code (#7252) (cherry picked from commit c83f7e17182af2755ca5479754a70c8491f62170) --- proxy/hdrs/HdrToken.cc| 2 +- proxy/hdrs/HdrToken.h | 6 -- proxy/hdrs/MIME.h | 2 +- proxy/http/HttpTransactHeaders.cc | 6 +++--- 4 files changed, 5 insertions(+), 11 deletions(-) diff --git a/proxy/hdrs/HdrToken.cc b/proxy/hdrs/HdrToken.cc index fcfc5c6..5ea3b4f 100644 --- a/proxy/hdrs/HdrToken.cc +++ b/proxy/hdrs/HdrToken.cc @@ -466,7 +466,7 @@ hdrtoken_init() prefix.wks_info.name = nullptr; // default, can override later prefix.wks_info.slotid = MIME_SLOTID_NONE;// default, can override later prefix.wks_info.mask = TOK_64_CONST(0); // default, can override later - prefix.wks_info.flags = MIME_FLAGS_MULTVALS; // default, can override later + prefix.wks_info.flags = HTIF_MULTVALS; // default, can override later int sstr_len = snap_up_to_multiple(hdrtoken_str_lengths[i] + 1, sizeof(HdrTokenHeapPrefix)); diff --git a/proxy/hdrs/HdrToken.h b/proxy/hdrs/HdrToken.h index 0368052..dc3f34f 100644 --- a/proxy/hdrs/HdrToken.h +++ b/proxy/hdrs/HdrToken.h @@ -85,12 +85,6 @@ enum HdrTokenInfoFlags { HTIF_PROXYAUTH = 1 << 3 }; -#define MIME_FLAGS_NONE HTIF_NONE -#define MIME_FLAGS_COMMAS HTIF_COMMAS -#define MIME_FLAGS_MULTVALS HTIF_MULTVALS -#define MIME_FLAGS_HOPBYHOP HTIF_HOPBYHOP -#define MIME_FLAGS_PROXYAUTH HTIF_PROXYAUTH - extern DFA *hdrtoken_strs_dfa; extern int hdrtoken_num_wks; diff --git a/proxy/hdrs/MIME.h b/proxy/hdrs/MIME.h index b15d665..bce38ae 100644 --- a/proxy/hdrs/MIME.h 
+++ b/proxy/hdrs/MIME.h @@ -136,7 +136,7 @@ struct MIMEField { supports_commas() const { if (m_wks_idx >= 0) { - return (hdrtoken_index_to_flags(m_wks_idx) & MIME_FLAGS_COMMAS); + return (hdrtoken_index_to_flags(m_wks_idx) & HTIF_COMMAS); } return true; // by default, assume supports commas } diff --git a/proxy/http/HttpTransactHeaders.cc b/proxy/http/HttpTransactHeaders.cc index 07dcf74..71065ff 100644 --- a/proxy/http/HttpTransactHeaders.cc +++ b/proxy/http/HttpTransactHeaders.cc @@ -62,7 +62,7 @@ HttpTransactHeaders::is_this_a_hop_by_hop_header(const char *field_name) if (!hdrtoken_is_wks(field_name)) { return (false); } - if ((hdrtoken_wks_to_flags(field_name) & MIME_FLAGS_HOPBYHOP) && (field_name != MIME_FIELD_KEEP_ALIVE)) { + if ((hdrtoken_wks_to_flags(field_name) & HTIF_HOPBYHOP) && (field_name != MIME_FIELD_KEEP_ALIVE)) { return (true); } else { return (false); @@ -228,9 +228,9 @@ HttpTransactHeaders::copy_header_fields(HTTPHdr *src_hdr, HTTPHdr *new_hdr, bool int field_flags = hdrtoken_index_to_flags(field->m_wks_idx); -if (field_flags & MIME_FLAGS_HOPBYHOP) { +if (field_flags & HTIF_HOPBYHOP) { // Delete header if not in special proxy_auth retention mode - if ((!retain_proxy_auth_hdrs) || (!(field_flags & MIME_FLAGS_PROXYAUTH))) { + if ((!retain_proxy_auth_hdrs) || (!(field_flags & HTIF_PROXYAUTH))) { new_hdr->field_delete(field); } } else if (field->m_wks_idx == MIME_WKSIDX_DATE) {
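Review bot: dropping the `MIME_FLAGS_NONE` .. `MIME_FLAGS_PROXYAUTH` aliases from proxy/hdrs/HdrToken.h is a source-level break for any code outside the four files in the diffstat that still spells the flags the old way; please confirm with a tree-wide grep (plugins and tests included) before this lands. The substitutions themselves are one-to-one with the `HdrTokenInfoFlags` enumerators, so the bit tests in `is_this_a_hop_by_hop_header` (`HTIF_HOPBYHOP`) and in `copy_header_fields` (`HTIF_HOPBYHOP`, `HTIF_PROXYAUTH`) keep the same semantics: hop-by-hop fields are still deleted unless the proxy-auth retention mode is on and the field carries the proxy-auth flag, and `supports_commas()` in MIME.h still tests `HTIF_COMMAS`.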
[trafficserver] branch 9.0.x updated: Running autopep8 on the 9.0.x branch. (#7222)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 84636d8 Running autopep8 on the 9.0.x branch. (#7222) 84636d8 is described below commit 84636d8280b650d0cfc858e943747f404c1035bc Author: Brian Neradt AuthorDate: Thu Oct 8 15:36:19 2020 -0500 Running autopep8 on the 9.0.x branch. (#7222) Co-authored-by: bneradt --- tests/gold_tests/autest-site/copy_config.test.ext | 2 +- tests/gold_tests/autest-site/microserver.test.ext | 10 -- tests/gold_tests/autest-site/trafficserver.test.ext | 5 +++-- tests/gold_tests/command_argument/verify_remap_plugin.test.py | 6 -- tests/gold_tests/continuations/double.test.py | 2 +- tests/gold_tests/continuations/double_h2.test.py | 2 +- tests/gold_tests/continuations/openclose.test.py | 2 +- tests/gold_tests/continuations/openclose_h2.test.py | 2 +- tests/gold_tests/tls/tls_hooks_verify.test.py | 7 ++- 9 files changed, 26 insertions(+), 12 deletions(-) diff --git a/tests/gold_tests/autest-site/copy_config.test.ext b/tests/gold_tests/autest-site/copy_config.test.ext index 72a9ba6..d710240 100755 --- a/tests/gold_tests/autest-site/copy_config.test.ext +++ b/tests/gold_tests/autest-site/copy_config.test.ext @@ -34,7 +34,7 @@ class CopyATSConfig(SetupItem): process = self.process if self.process else self try: ts_dir = process.Env['TS_ROOT'] -except: +except BaseException: if self.process: raise SetupError( 'TS_ROOT is not defined. Cannot copy ats config file without location to copy to.' diff --git a/tests/gold_tests/autest-site/microserver.test.ext b/tests/gold_tests/autest-site/microserver.test.ext index 5be699b..e5c9c25 100644 --- a/tests/gold_tests/autest-site/microserver.test.ext +++ b/tests/gold_tests/autest-site/microserver.test.ext 
@@ -59,8 +59,14 @@ def getHeaderFieldVal(request_header, field): # addResponse adds customized response with respect to request_header. request_header and response_header are both dictionaries def addResponse(self, filename, request_header, response_header): -client_request = Request.fromRequestLine(request_header["headers"], request_header["body"], None if "options" not in request_header else request_header["options"]) -server_response = Response.fromRequestLine(response_header["headers"], response_header["body"], None if "options" not in response_header else response_header["options"]) +client_request = Request.fromRequestLine( +request_header["headers"], +request_header["body"], +None if "options" not in request_header else request_header["options"]) +server_response = Response.fromRequestLine( +response_header["headers"], +response_header["body"], +None if "options" not in response_header else response_header["options"]) # timestamp field is left None because that needs to be revised for better implementation txn = Transaction(client_request, None, server_response, None, None, None) diff --git a/tests/gold_tests/autest-site/trafficserver.test.ext b/tests/gold_tests/autest-site/trafficserver.test.ext index 423af0f..8c3a7e4 100755 --- a/tests/gold_tests/autest-site/trafficserver.test.ext +++ b/tests/gold_tests/autest-site/trafficserver.test.ext @@ -63,7 +63,7 @@ def MakeATSProcess(obj, name, command='traffic_server', select_ports=True, enabl p = obj.Processes.Process(name, command) #p_debug = obj.Processes.Process("port-debug", "ss --listen --tcp --process") #p_debug.Env['PATH'] = "/usr/sbin" + os.pathsep + p.ComposeEnv()['PATH'] -#p.StartBefore(p_debug) +# p.StartBefore(p_debug) # we want to have a few directories more fixed # this helps with debugging as location are common # we do this by overiding locations from the "layout" 
@@ -289,7 +289,8 @@ def MakeATSProcess(obj, name, command='traffic_server', select_ports=True, enabl port_str = "{port} {v6_port}:ipv6 ".format(port=p.Variables.port, v6_port=p.Variables.portv6) if enable_tls: -port_str += "{ssl_port}:ssl {ssl_portv6}:ssl:ipv6".format(ssl_port=p.Variables.ssl_port,ssl_portv6=p.Variables.ssl_portv6) +port_str += "{ssl_port}:ssl {ssl_portv6}:ssl:ipv6".format( +ssl_port=p.Variables.ssl_port, ssl_portv6=p.Variables.ssl_portv6) p.Env['PROXY_CONFIG_HTTP_SERVER_PORTS'] = port_str diff --git a/tests/gold_tests/command_argument/verify_remap_plugin.test.py b/tests/gold_tests/command_argument/verify_remap_plugin.test.py index dcd062d..2a7bcc7 100644 --- a/tests/gold_tests/command_argument/verify_remap_plugin.test.py +++
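Review bot: in copy_config.test.ext the mechanical rewrite of the bare `except:` to `except BaseException:` keeps the same over-broad catch (it still swallows KeyboardInterrupt and SystemExit) and only quiets the linter; the lookup `process.Env['TS_ROOT']` fails with a KeyError, so `except KeyError:` states the intent and lets real interrupts propagate. The remaining hunks shown here (the argument wrapping of `Request.fromRequestLine`/`Response.fromRequestLine` in microserver.test.ext, the commented-out `p.StartBefore(p_debug)` line, and the wrapped `port_str` format call in trafficserver.test.ext) are whitespace-only and do not change behaviour.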
[trafficserver] branch 9.0.x updated: Supporting out of source builds for AuTests. (#7238)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new c3a04fa Supporting out of source builds for AuTests. (#7238) c3a04fa is described below commit c3a04fa4c30a1d484e5dfbbba1596097e16b1a21 Author: Brian Neradt AuthorDate: Thu Oct 8 15:36:43 2020 -0500 Supporting out of source builds for AuTests. (#7238) This adds the --build-root autest option to support running AuTest for out of source builds where the built binaries reside in a directory tree outside of where the Traffic Server AuTests themselves are located. (cherry picked from commit c5e25a2ade51af4bf8ff595957058acdfbc590ff) --- tests/gold_tests/autest-site/init.cli.ext | 4 tests/gold_tests/autest-site/setup.cli.ext | 21 + .../chunked_encoding/chunked_encoding.test.py | 4 +++- tests/gold_tests/tls/tls.test.py| 4 +++- 4 files changed, 27 insertions(+), 6 deletions(-) diff --git a/tests/gold_tests/autest-site/init.cli.ext b/tests/gold_tests/autest-site/init.cli.ext index a8d0641..23a30f1 100644 --- a/tests/gold_tests/autest-site/init.cli.ext +++ b/tests/gold_tests/autest-site/init.cli.ext @@ -35,3 +35,7 @@ if AuTestVersion() < autest_version: Settings.path_argument(["--ats-bin"], required=True, help="A user provided directory to ATS bin") + +Settings.path_argument(["--build-root"], + required=False, + help="The location of the build root for out of source builds") diff --git a/tests/gold_tests/autest-site/setup.cli.ext b/tests/gold_tests/autest-site/setup.cli.ext index c28c5d4..6c7913e 100644 --- a/tests/gold_tests/autest-site/setup.cli.ext +++ b/tests/gold_tests/autest-site/setup.cli.ext 
@@ -17,13 +17,23 @@ # limitations under the License. import json -import subprocess +import os +from os.path import dirname import pprint +import subprocess if Arguments.ats_bin is not None: # Add environment variables ENV['ATS_BIN'] = Arguments.ats_bin +if Arguments.build_root is not None: +ENV['BUILD_ROOT'] = Arguments.build_root +else: +# Assume the build root is the same directory tree as the test location. +ENV['BUILD_ROOT'] = dirname(dirname(dirname(AutestSitePath))) + +host.WriteVerbose(['ats'], "Test build root: {}:".format(ENV['BUILD_ROOT'])) + if ENV['ATS_BIN'] is not None: # Add variables for Tests traffic_layout = os.path.join(ENV['ATS_BIN'], "traffic_layout") @@ -78,9 +88,12 @@ if ENV['ATS_BIN'] is not None: host.WriteError("tsxs is broken. Aborting tests", show_stack=False) host.WriteVerbose(['ats'], "Traffic server build flags:\n", pprint.pformat(out)) Variables.update(out) -Variables.AtsExampleDir = os.path.join(AutestSitePath, '../../../example') -Variables.AtsTestToolsDir = os.path.join(AutestSitePath, '../../tools') -Variables.AtsTestPluginsDir = os.path.join(AutestSitePath, '../../tools/plugins/.libs') + +Variables.AtsExampleDir = os.path.join(AutestSitePath, '..', '..', '..', 'example') +Variables.AtsTestToolsDir = os.path.join(AutestSitePath, '..', '..', 'tools') +Variables.BuildRoot = ENV['BUILD_ROOT'] +Variables.AtsTestPluginsDir = os.path.join(Variables.BuildRoot, 'tests', 'tools', 'plugins', '.libs') +Variables.AtsBuildGoldTestsDir = os.path.join(Variables.BuildRoot, 'tests', 'gold_tests') # modify delay times as we always have to kill Trafficserver # no need to wait diff --git a/tests/gold_tests/chunked_encoding/chunked_encoding.test.py b/tests/gold_tests/chunked_encoding/chunked_encoding.test.py index d4da19d..e30c574 100644 --- a/tests/gold_tests/chunked_encoding/chunked_encoding.test.py +++ b/tests/gold_tests/chunked_encoding/chunked_encoding.test.py 
@@ -16,6 +16,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +import os + Test.Summary = ''' Test chunked encoding processing ''' @@ -94,7 +96,7 @@ ts.Disk.ssl_multicert_config.AddLine( # smuggle-client is built via `make`. Here we copy the built binary down to the # test directory so that the test runs in this file can use it. -Test.Setup.Copy('smuggle-client') +Test.Setup.Copy(os.path.join(Test.Variables.AtsBuildGoldTestsDir, 'chunked_encoding', 'smuggle-client')) # HTTP1.1 GET: www.example.com tr = Test.AddTestRun() diff --git a/tests/gold_tests/tls/tls.test.py b/tests/gold_tests/tls/tls.test.py index 3e31200..bf06da7 100644 --- a/tests/gold_tests/tls/tls.test.py +++ b/tests/gold_tests/tls/tls.test.py @@ -16,6 +16,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +import os + Test.Summary = ''' Test tls ''' @@ -26,7 +28,7 @@ server = Test.MakeOriginServer("server")
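Review bot: in setup.cli.ext the verbose message `"Test build root: {}:".format(ENV['BUILD_ROOT'])` has a stray colon after the path; drop it. Otherwise the fallback `dirname(dirname(dirname(AutestSitePath)))` resolves to the same directory as the old `'../../..'` relative joins, and moving `AtsTestPluginsDir` under `Variables.BuildRoot` is the right call because `tests/tools/plugins/.libs` is a build output, not a source path; chunked_encoding.test.py now locating `smuggle-client` through `Test.Variables.AtsBuildGoldTestsDir` is consistent with that. Since `--build-root` is a `Settings.path_argument`, consider noting in its help text that it must point at the tree containing `tests/gold_tests`, as the join in `AtsBuildGoldTestsDir` assumes.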
[trafficserver] branch 9.0.x updated: Stop crash on disk failure (#7218)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new fc1e930 Stop crash on disk failure (#7218) fc1e930 is described below commit fc1e930a707ca4addc0ad54dda51663864bd442b Author: Susan Hinrichs AuthorDate: Mon Oct 5 10:25:42 2020 -0500 Stop crash on disk failure (#7218) (cherry picked from commit ab378643b1decf53c51a0bcf52ff54bdf0d87504) --- iocore/cache/Cache.cc | 75 --- 1 file changed, 48 insertions(+), 27 deletions(-) diff --git a/iocore/cache/Cache.cc b/iocore/cache/Cache.cc index f84f50f..247689f 100644 --- a/iocore/cache/Cache.cc +++ b/iocore/cache/Cache.cc @@ -589,13 +589,22 @@ CacheProcessor::start_internal(int flags) fix = !!(flags & PROCESSOR_FIX); check= (flags & PROCESSOR_CHECK) != 0; start_done = 0; - Span *sd; /* read the config file and create the data structures corresponding to the file */ gndisks = theCacheStore.n_disks; gdisks = static_cast(ats_malloc(gndisks * sizeof(CacheDisk *))); + // Temporaries to carry values between loops + char **paths = static_cast(alloca(sizeof(char *) * gndisks)); + memset(paths, 0, sizeof(char *) * gndisks); + int *fds = static_cast(alloca(sizeof(int) * gndisks)); + memset(fds, 0, sizeof(int) * gndisks); + int *sector_sizes = static_cast(alloca(sizeof(int) * gndisks)); + memset(sector_sizes, 0, sizeof(int) * gndisks); + Span **sds = static_cast(alloca(sizeof(Span *) * gndisks)); + memset(sds, 0, sizeof(Span *) * gndisks); + gndisks = 0; ink_aio_set_callback(new AIO_Callback_handler()); 
@@ -605,13 +614,15 @@ CacheProcessor::start_internal(int flags) create CacheDisk objects for each span in the configuration file and store in gdisks */ for (unsigned i = 0; i < theCacheStore.n_disks; i++) { -sd = theCacheStore.disk[i]; -char path[PATH_NAME_MAX]; +Span *sd = theCacheStore.disk[i]; int opts = DEFAULT_CACHE_OPTIONS; -ink_strlcpy(path, sd->pathname, sizeof(path)); +if (!paths[gndisks]) { + paths[gndisks] = static_cast(alloca(PATH_NAME_MAX)); +} +ink_strlcpy(paths[gndisks], sd->pathname, PATH_NAME_MAX); if (!sd->file_pathname) { - ink_strlcat(path, "/cache.db", sizeof(path)); + ink_strlcat(paths[gndisks], "/cache.db", PATH_NAME_MAX); opts |= O_CREAT; } @@ -626,11 +637,11 @@ CacheProcessor::start_internal(int flags) opts |= O_RDONLY; } -int fd = open(path, opts, 0644); +int fd = open(paths[gndisks], opts, 0644); int64_t blocks = sd->blocks; if (fd < 0 && (opts & O_CREAT)) { // Try without O_DIRECT if this is a file on filesystem, e.g. tmpfs. - fd = open(path, DEFAULT_CACHE_OPTIONS | O_CREAT, 0644); + fd = open(paths[gndisks], DEFAULT_CACHE_OPTIONS | O_CREAT, 0644); } if (fd >= 0) { 
@@ -638,17 +649,17 @@ CacheProcessor::start_internal(int flags) if (!sd->file_pathname) { if (!check) { if (ftruncate(fd, blocks * STORE_BLOCK_SIZE) < 0) { -Warning("unable to truncate cache file '%s' to %" PRId64 " blocks", path, blocks); +Warning("unable to truncate cache file '%s' to %" PRId64 " blocks", paths[gndisks], blocks); diskok = false; } } else { // read-only mode checks struct stat sbuf; if (-1 == fstat(fd, )) { -fprintf(stderr, "Failed to stat cache file for directory %s\n", path); +fprintf(stderr, "Failed to stat cache file for directory %s\n", paths[gndisks]); diskok = false; } else if (blocks != sbuf.st_size / STORE_BLOCK_SIZE) { -fprintf(stderr, "Cache file for directory %s is %" PRId64 " bytes, expected %" PRId64 "\n", path, sbuf.st_size, -blocks * static_cast(STORE_BLOCK_SIZE)); +fprintf(stderr, "Cache file for directory %s is %" PRId64 " bytes, expected %" PRId64 "\n", paths[gndisks], +sbuf.st_size, blocks * static_cast(STORE_BLOCK_SIZE)); diskok = false; } } @@ -676,24 +687,17 @@ CacheProcessor::start_internal(int flags) Note("resetting hardware sector size from %d to %d", sector_size, STORE_BLOCK_SIZE); sector_size = STORE_BLOCK_SIZE; } - -off_t skip = ROUND_TO_STORE_BLOCK((sd->offset < START_POS ? START_POS + sd->alignment : sd->offset)); -blocks = blocks - (skip >> STORE_BLOCK_SHIFT); -#if AIO_MODE == AIO_MODE_NATIVE -eventProcessor.schedule_imm(new DiskInit(gdisks[gndisks], path, blocks, skip, sector_size, fd, clear)); -#else -gdisks[gndisks]->open(path, blocks, skip, sector_size, fd, clear); -#endif - -Debug("cache_hosting",
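Review bot: in the @@ -589 hunk the new `fds` array is zero-filled with `memset`, but 0 is a valid file descriptor (stdin), so a later loop that consumes `fds` cannot tell an unopened slot from descriptor 0 if it uses 0 as the sentinel; initialise the slots to -1 (for example with `std::fill_n(fds, gndisks, -1)`) so that "no descriptor" is unambiguous. Note also that the four arrays are sized from `gndisks = theCacheStore.n_disks` before `gndisks` is reset to 0 a few lines later, so that ordering must be preserved if the function is reorganised.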
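Review bot: in the @@ -605 hunk the `alloca(PATH_NAME_MAX)` assigned to `paths[gndisks]` is an alloca inside the span loop; the `if (!paths[gndisks])` guard bounds it to one allocation per successfully opened span, so stack use is at most n_disks times PATH_NAME_MAX, but alloca has no failure return and every allocation stays live until `start_internal` returns. A `std::vector<std::string>` (or a single heap block of n_disks times PATH_NAME_MAX freed on exit) carries the same paths across the two loops without that stack growth. The `ink_strlcpy`/`ink_strlcat` calls now pass `PATH_NAME_MAX` explicitly, which keeps the copies bounded either way.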
[trafficserver] branch 9.0.x updated: Updated ChangeLog
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 88fd2be Updated ChangeLog 88fd2be is described below commit 88fd2be45672d35ace36ee26893f7a7fbb57dc32 Author: Leif Hedstrom AuthorDate: Thu Oct 8 13:44:20 2020 -0600 Updated ChangeLog --- CHANGELOG-9.0.0 | 6 ++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG-9.0.0 b/CHANGELOG-9.0.0 index de1734c..14acf4b 100644 --- a/CHANGELOG-9.0.0 +++ b/CHANGELOG-9.0.0 @@ -667,6 +667,7 @@ Changes with Apache Traffic Server 9.0.0 #5952 - Fix code to avoid HostDBContinuation use after free #5955 - Fix debug output for global_user_agent_header. #5956 - Turn on certificate verification, in permissive mode for now + #5958 - Convert old sni configuration file in lua to yaml #5959 - Clear api set bit to avoid crash in following redirect. #5962 - Removed hardcoded sni.yaml configuration filename in logs #5964 - Fix a build issue on enabling FIPS @@ -1069,6 +1070,7 @@ Changes with Apache Traffic Server 9.0.0 #7126 - Replaces "smart" quotes with ASCII equivalents #7128 - Protect TSActionCancel from null INKContInternal actions #7129 - Comment out a wrong assertion in QUIC Loss Detection logic + #7130 - Allow override of CA certs for cert from client based on SNI server name sent by client. #7131 - Don't make an error on duplicated RETIRE_CONNECTION frames #7134 - Do not lose original inactivity timeout on disable #7135 - Replace ACTION_RESULT_NONE with nullptr 
@@ -1080,6 +1082,7 @@ Changes with Apache Traffic Server 9.0.0 #7144 - Fix typo in cache docs #7145 - Check VIO availability before acquiring a lock for it #7148 - Fix stale pointer due to SSL config reload + #7150 - Additions to enable loading qat_engine #7155 - PluginFactory - Remove unused code. #7157 - rc: fixes systemd unit file stopping #7159 - MicroDNS Extension: handle different 'default' types @@ -1102,5 +1105,8 @@ Changes with Apache Traffic Server 9.0.0 #7210 - Docs cleanup #7213 - Follow redirection responses when refreshing stale cache objects. #7215 - Log config reload: use new config for initialization + #7218 - Stop crash on disk failure + #7219 - Ensure that ca override does not get lost #7224 - Fix renamed setting in default config #7225 - Increment ssl_error_syscall only if not EOF + #7243 - RolledLogDeleter: do not sort on each candidate consideration.
[trafficserver] branch 8.1.x updated: Updated ChangeLog
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 8.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/8.1.x by this push: new 581ce86 Updated ChangeLog 581ce86 is described below commit 581ce867911540ae3bef7fa831ae5e9a77aef04c Author: Leif Hedstrom AuthorDate: Thu Oct 8 13:35:42 2020 -0600 Updated ChangeLog --- CHANGELOG-8.1.1 | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG-8.1.1 b/CHANGELOG-8.1.1 index 76c59bc..e57de88 100644 --- a/CHANGELOG-8.1.1 +++ b/CHANGELOG-8.1.1 @@ -6,3 +6,4 @@ Changes with Apache Traffic Server 8.1.1 #7195 - slice: fix throttle not work (#7008) #7217 - Remove usage of stored ACL record, fix ipallow reload #7234 - Do not cache Transfer-Encoding header + #7244 - Replace existing autest certs with ones from master
[trafficserver] 03/03: Ensure that ca override does not get lost (#7219)
[trafficserver] 01/03: Allow override of CA certs for cert from client based on SNI server name sent by client. (#7130)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit d5c198c2bb87df9f0b1ec1f993b73ae3a526fa87 Author: Walt Karas AuthorDate: Thu Aug 27 14:02:21 2020 -0500 Allow override of CA certs for cert from client based on SNI server name sent by client. (#7130) Requires OpenSSL interface 1.0.2. (cherry picked from commit 83d1f110debd9d3ebbc827ee1138e69544b95559) --- doc/admin-guide/files/sni.yaml.en.rst | 13 ++- iocore/net/P_SNIActionPerformer.h | 14 ++- iocore/net/P_SSLUtils.h | 1 + iocore/net/SSLSNIConfig.cc | 2 +- iocore/net/SSLUtils.cc | 16 +++ iocore/net/YamlSNIConfig.cc | 70 + iocore/net/YamlSNIConfig.h | 15 ++- tests/gold_tests/tls/ssl/aaa-ca.key | 30 ++ tests/gold_tests/tls/ssl/aaa-ca.pem | 17 +++ tests/gold_tests/tls/ssl/aaa-signed.key | 27 + tests/gold_tests/tls/ssl/aaa-signed.pem | 16 +++ tests/gold_tests/tls/ssl/bbb-ca.key | 30 ++ tests/gold_tests/tls/ssl/bbb-ca.pem | 17 +++ tests/gold_tests/tls/ssl/bbb-signed.key | 27 + tests/gold_tests/tls/ssl/bbb-signed.pem | 16 +++ tests/gold_tests/tls/ssl/ccc-ca.key | 30 ++ tests/gold_tests/tls/ssl/ccc-ca.pem | 17 +++ tests/gold_tests/tls/ssl/ccc-signed.key | 27 + tests/gold_tests/tls/ssl/ccc-signed.pem | 16 +++ tests/gold_tests/tls/ssl/gen_client_certs.sh| 43 tests/gold_tests/tls/ssl/openssl.cnf| 33 ++ tests/gold_tests/tls/tls_client_verify3.test.py | 131 22 files changed, 602 insertions(+), 6 deletions(-) diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst index f4846b9..bc8be27 100644 --- a/doc/admin-guide/files/sni.yaml.en.rst +++ b/doc/admin-guide/files/sni.yaml.en.rst 
@@ -69,11 +69,22 @@ verify_server_properties One of the values :code:`NONE`, :code:`SIGNATURE`, :co verify_client One of the values :code:`NONE`, :code:`MODERATE`, or :code:`STRICT`. If ``NONE`` is specified, |TS| requests no certificate. If ``MODERATE`` is specified |TS| will verify a certificate that is presented by the client, but it will not - fail the TLS handshake if new certificate is presented. If ``STRICT`` is specified + fail the TLS handshake if no certificate is presented. If ``STRICT`` is specified the client must resent a certificate during the TLS handshake. By default this is :ts:cv:`proxy.config.ssl.client.certification_level`. +verify_client_ca_certsSpecifies an alternate set of certificate authority certs to use to verify the + client cert. The value must be either a file path, or a nested set of key / + value pairs. If the value is a file path, it must specify a file containing the + CA certs. Otherwise, there should be up to two nested pairs. The possible keys + are ``file`` and ``dir``. The value for ``file`` must be a file path for a file + containing CA certs. The value for ``dir`` must be a file path for an OpenSSL + X509 hashed directory containing CA certs. If a given file path does not being + with ``/`` , it must be relative to the |TS| configuration directory. + ``verify_client_ca_certs`` can only be used with capbilities provided by + OpenSSL 1.0.2 or later. + host_sni_policy One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`. If not specified, the value of :ts:cv:`proxy.config.http.host_sni_policy` is used. diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h index 2f9bd01..cf998f6 100644 --- a/iocore/net/P_SNIActionPerformer.h +++ b/iocore/net/P_SNIActionPerformer.h 
@@ -193,17 +193,21 @@ private: class VerifyClient : public ActionItem { uint8_t mode; + X509_STORE *ca_certs; // owning pointer. public: - VerifyClient(const char *param) : mode(atoi(param)) {} - VerifyClient(uint8_t param) : mode(param) {} - ~VerifyClient() override {} + VerifyClient(uint8_t param, X509_STORE *st = nullptr) : mode(param), ca_certs(st) {} + VerifyClient(const char *param, X509_STORE *st = nullptr) : VerifyClient(atoi(param), st) {} + ~VerifyClient() override; int SNIAction(Continuation *cont, const Context ) const override { auto ssl_vc = dynamic_cast(cont);
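Review bot: the new `verify_client_ca_certs` paragraph in doc/admin-guide/files/sni.yaml.en.rst ships with typos: "does not being with ``/``" should be "does not begin with", "capbilities" should be "capabilities", and the pre-existing "the client must resent a certificate" just above it should read "present a certificate". The paragraph also needs to say what happens when the `file` or `dir` path cannot be loaded (configuration load fails, or the global client-CA setting silently applies?), because an operator turning on a per-SNI CA override needs to know whether a bad path fails closed. Worth one sentence as well: a `dir` that has not been run through `openssl rehash` contains no hash-named links, so every lookup misses and every client certificate for that SNI is rejected.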
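Review bot: `X509_STORE *ca_certs; // owning pointer.` is added to a class that keeps the compiler-generated copy constructor and copy assignment, so any copy of a `VerifyClient` produces two owners and a double free in `~VerifyClient()`. Either delete the copy operations, hold it as `std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)>`, or take a reference with `X509_STORE_up_ref` on copy. The delegating constructor `VerifyClient(const char *param, X509_STORE *st = nullptr) : VerifyClient(atoi(param), st)` is kept unchanged: `atoi` returns 0 for any unparsable string, and 0 is the NONE level in the `proxy.config.ssl.client.certification_level` encoding, so a malformed `verify_client` value would turn client certificate verification off for that SNI instead of failing configuration load. Parse strictly and reject anything that is not a known level.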
[trafficserver] 02/03: Additions to enable loading qat_engine (#7150)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 4b62b21f5fa16d9fd833ab64a7dd415d355086f9 Author: Susan Hinrichs AuthorDate: Tue Sep 8 09:05:36 2020 -0500 Additions to enable loading qat_engine (#7150) (cherry picked from commit 2afe843e9df30cf17d863311989284aa9540505e) --- iocore/net/P_SSLNetVConnection.h | 2 ++ iocore/net/SSLNetVConnection.cc | 63 iocore/net/SSLUtils.cc | 52 ++--- 3 files changed, 62 insertions(+), 55 deletions(-) diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index c059e75..240abcd 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -519,6 +519,8 @@ private: // Null-terminated string, or nullptr if there is no SNI server name. std::unique_ptr _serverName; + + EventIO async_ep{}; }; typedef int (SSLNetVConnection::*SSLNetVConnHandler)(int, void *); diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 68c70b6..8fcc263 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -1198,6 +1198,12 @@ SSLNetVConnection::sslServerHandShakeEvent(int ) if (BIO_eof(SSL_get_rbio(this->ssl))) { // No more data in the buffer // Is this the first read? if (!this->handShakeReader->is_read_avail_more_than(0) && !this->handShakeHolder->is_read_avail_more_than(0)) { +#if TS_USE_TLS_ASYNC +if (SSLConfigParams::async_handshake_enabled) { + SSL_set_mode(ssl, SSL_MODE_ASYNC); +} +#endif + Debug("ssl", "%p first read\n", this); // Read from socket to fill in the BIO buffer with the // raw handshake data before calling the ssl accept calls. 
@@ -1223,42 +1229,30 @@ SSLNetVConnection::sslServerHandShakeEvent(int ) } // Still data in the BIO } -#if TS_USE_TLS_ASYNC - if (SSLConfigParams::async_handshake_enabled) { -SSL_set_mode(ssl, SSL_MODE_ASYNC); - } -#endif ssl_error_t ssl_error = SSLAccept(ssl); #if TS_USE_TLS_ASYNC if (ssl_error == SSL_ERROR_WANT_ASYNC) { -size_t numfds; -OSSL_ASYNC_FD *waitfds; -// Set up the epoll entry for the signalling -if (SSL_get_all_async_fds(ssl, nullptr, ) && numfds > 0) { - // Allocate space for the waitfd on the stack, should only be one most all of the time - waitfds = reinterpret_cast(alloca(sizeof(OSSL_ASYNC_FD) * numfds)); - if (SSL_get_all_async_fds(ssl, waitfds, ) && numfds > 0) { -// Temporarily disable regular net -this->read.triggered = false; -this->write.triggered = false; -this->ep.stop(); // Modify used in read_disable doesn't work for edge triggered epol -// Have to have the read NetState enabled because we are using it for the signal vc -read.enabled = true; -PollDescriptor *pd = get_PollDescriptor(this_ethread()); -this->ep.start(pd, waitfds[0], static_cast(this), EVENTIO_READ); -this->ep.type = EVENTIO_READWRITE_VC; +// Do we need to set up the async eventfd? Or is it already registered? 
+if (async_ep.fd < 0) { + size_t numfds; + OSSL_ASYNC_FD *waitfds; + // Set up the epoll entry for the signalling + if (SSL_get_all_async_fds(ssl, nullptr, ) && numfds > 0) { +// Allocate space for the waitfd on the stack, should only be one most all of the time +waitfds = reinterpret_cast(alloca(sizeof(OSSL_ASYNC_FD) * numfds)); +if (SSL_get_all_async_fds(ssl, waitfds, ) && numfds > 0) { + this->read.triggered = false; + this->write.triggered = false; + // Have to have the read NetState enabled because we are using it for the signal vc + read.enabled = true; + PollDescriptor *pd = get_PollDescriptor(this_ethread()); + this->async_ep.start(pd, waitfds[0], static_cast(this), EVENTIO_READ); + this->async_ep.type = EVENTIO_READWRITE_VC; +} } } } else if (SSLConfigParams::async_handshake_enabled) { -// Clean up the epoll entry for signalling -SSL_clear_mode(ssl, SSL_MODE_ASYNC); -this->ep.stop(); -// Reactivate the socket, ready to rock -PollDescriptor *pd = get_PollDescriptor(this_ethread()); -this->ep.start( - pd, this, - EVENTIO_READ | -EVENTIO_WRITE); // Again we must muck with the eventloop directly because of limits with these methods and edge trigger +// Make sure the net fd read vio is in the right state if (ssl_error == SSL_ERROR_WANT_READ) { this->reenable(); this->read.triggered = 1; @@ -1326,7 +1320,14 @@ SSLNetVConnection::sslServerHandShakeEvent(int ) Debug("ssl", "client did not select a next protocol"); } } - +#if TS_USE_TLS_ASYNC +if
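Review bot: `EventIO async_ep{};` becomes per-connection state on an object that is pooled and recycled through `clear()`, and the later hunk guards registration with `if (async_ep.fd < 0)`. Nothing visible in this patch stops `async_ep` or resets its fd (the tail is cut off at `#if TS_USE_TLS_ASYNC`), so please confirm that `clear()` or the handshake-complete path calls `async_ep.stop()` and leaves `fd` at -1; otherwise a recycled VC inherits a stale engine fd from a previous connection and, because of that guard, never registers a fresh one.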
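Review bot: `SSL_set_mode(ssl, SSL_MODE_ASYNC)` now runs only inside the first-read branch (`BIO_eof` true and neither `handShakeReader` nor `handShakeHolder` has data), whereas before it ran unconditionally ahead of `SSLAccept`. Confirm that every server-side handshake enters that branch; a connection whose handshake bytes are already buffered when `sslServerHandShakeEvent` first runs would skip it, and the engine would then be driven synchronously with no error to show for it.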
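Review bot: in the `SSL_ERROR_WANT_ASYNC` branch only `waitfds[0]` is handed to `async_ep.start(...)`, while `numfds` may be greater than one, as the comment "should only be one most all of the time" concedes; a completion signalled on any other fd never wakes the VC and the handshake sits until the inactivity timeout. Either register every fd or fail the handshake when `numfds > 1` rather than guessing. Two smaller points in the same block: `alloca(sizeof(OSSL_ASYNC_FD) * numfds)` sizes a stack allocation from a count the engine supplies, and the return value of `async_ep.start()` is ignored, so a failed epoll registration also leaves the connection waiting forever.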
[trafficserver] branch 9.0.x updated (effa339 -> b559e87)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from effa339 RolledLogDeleter: do not sort on each candidate consideration. (#7243) new d5c198c Allow override of CA certs for cert from client based on SNI server name sent by client. (#7130) new 4b62b21 Additions to enable loading qat_engine (#7150) new b559e87 Ensure that ca override does not get lost (#7219) The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: doc/admin-guide/files/sni.yaml.en.rst | 13 +- iocore/net/P_SNIActionPerformer.h | 15 ++- iocore/net/P_SSLNetVConnection.h | 17 +++ iocore/net/P_SSLUtils.h| 1 + iocore/net/SSLNetVConnection.cc| 82 +++- iocore/net/SSLSNIConfig.cc | 3 +- iocore/net/SSLUtils.cc | 76 iocore/net/YamlSNIConfig.cc| 54 iocore/net/YamlSNIConfig.h | 7 +- tests/gold_tests/tls/ssl/aaa-ca.key| 30 + tests/gold_tests/tls/ssl/aaa-ca.pem| 17 +++ tests/gold_tests/tls/ssl/aaa-signed.key| 27 tests/gold_tests/tls/ssl/aaa-signed.pem| 16 +++ tests/gold_tests/tls/ssl/bbb-ca.key| 30 + tests/gold_tests/tls/ssl/bbb-ca.pem| 17 +++ tests/gold_tests/tls/ssl/bbb-signed.key| 27 tests/gold_tests/tls/ssl/bbb-signed.pem| 16 +++ tests/gold_tests/tls/ssl/ccc-ca.key| 30 + tests/gold_tests/tls/ssl/ccc-ca.pem| 17 +++ tests/gold_tests/tls/ssl/ccc-signed.key| 27 tests/gold_tests/tls/ssl/ccc-signed.pem| 16 +++ tests/gold_tests/tls/ssl/gen_client_certs.sh | 43 +++ .../x_remap-observer.py => tls/ssl/openssl.cnf}| 32 +++-- tests/gold_tests/tls/tls_client_verify3.test.py| 137 + 24 files changed, 671 insertions(+), 79 deletions(-) create mode 100644 tests/gold_tests/tls/ssl/aaa-ca.key create mode 100644 tests/gold_tests/tls/ssl/aaa-ca.pem create mode 100644 tests/gold_tests/tls/ssl/aaa-signed.key create 
mode 100644 tests/gold_tests/tls/ssl/aaa-signed.pem create mode 100644 tests/gold_tests/tls/ssl/bbb-ca.key create mode 100644 tests/gold_tests/tls/ssl/bbb-ca.pem create mode 100644 tests/gold_tests/tls/ssl/bbb-signed.key create mode 100644 tests/gold_tests/tls/ssl/bbb-signed.pem create mode 100644 tests/gold_tests/tls/ssl/ccc-ca.key create mode 100644 tests/gold_tests/tls/ssl/ccc-ca.pem create mode 100644 tests/gold_tests/tls/ssl/ccc-signed.key create mode 100644 tests/gold_tests/tls/ssl/ccc-signed.pem create mode 100755 tests/gold_tests/tls/ssl/gen_client_certs.sh copy tests/gold_tests/{pluginTest/xdebug/x_remap/x_remap-observer.py => tls/ssl/openssl.cnf} (64%) create mode 100644 tests/gold_tests/tls/tls_client_verify3.test.py
[trafficserver] 03/03: Ensure that ca override does not get lost (#7219)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit b559e874b399564dce3db40cb19a8482b09d79a9 Author: Susan Hinrichs AuthorDate: Tue Oct 6 10:53:44 2020 -0500 Ensure that ca override does not get lost (#7219) (cherry picked from commit 10aabb11f8da22db90cb474754ee4c7b3a6fe37d) --- iocore/net/P_SNIActionPerformer.h | 13 +++-- iocore/net/P_SSLNetVConnection.h| 15 +++ iocore/net/P_SSLUtils.h | 2 +- iocore/net/SSLNetVConnection.cc | 19 +++ iocore/net/SSLSNIConfig.cc | 3 ++- iocore/net/SSLUtils.cc | 24 iocore/net/YamlSNIConfig.cc | 22 +++--- iocore/net/YamlSNIConfig.h | 12 ++-- tests/gold_tests/tls/tls_client_verify3.test.py | 10 -- 9 files changed, 73 insertions(+), 47 deletions(-) diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h index cf998f6..c94a74d 100644 --- a/iocore/net/P_SNIActionPerformer.h +++ b/iocore/net/P_SNIActionPerformer.h @@ -193,11 +193,12 @@ private: class VerifyClient : public ActionItem { uint8_t mode; - X509_STORE *ca_certs; // owning pointer. + std::string ca_file; + std::string ca_dir; public: - VerifyClient(uint8_t param, X509_STORE *st = nullptr) : mode(param), ca_certs(st) {} - VerifyClient(const char *param, X509_STORE *st = nullptr) : VerifyClient(atoi(param), st) {} + VerifyClient(uint8_t param, std::string_view file, std::string_view dir) : mode(param), ca_file(file), ca_dir(dir) {} + VerifyClient(const char *param, std::string_view file, std::string_view dir) : VerifyClient(atoi(param), file, dir) {} ~VerifyClient() override; int SNIAction(Continuation *cont, const Context ) const override 
@@ -205,9 +206,9 @@ public: auto ssl_vc = dynamic_cast(cont); Debug("ssl_sni", "action verify param %d", this->mode); setClientCertLevel(ssl_vc->ssl, this->mode); -if (ca_certs) { - setClientCertCACerts(ssl_vc->ssl, ca_certs); -} +ssl_vc->set_ca_cert_file(ca_file, ca_dir); +setClientCertCACerts(ssl_vc->ssl, ssl_vc->get_ca_cert_file(), ssl_vc->get_ca_cert_dir()); + return SSL_TLSEXT_ERR_OK; } bool diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index 240abcd..5f33467 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -467,6 +467,19 @@ public: sent_cert = send_the_cert; } + void set_ca_cert_file(std::string_view file, std::string_view dir); + + const char * + get_ca_cert_file() + { +return _ca_cert_file.get(); + } + const char * + get_ca_cert_dir() + { +return _ca_cert_dir.get(); + } + protected: const IpEndpoint & _getLocalEndpoint() override @@ -519,6 +532,8 @@ private: // Null-terminated string, or nullptr if there is no SNI server name. std::unique_ptr _serverName; + std::unique_ptr _ca_cert_file; + std::unique_ptr _ca_cert_dir; EventIO async_ep{}; }; diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h index 99fc4a3..1c444db 100644 --- a/iocore/net/P_SSLUtils.h +++ b/iocore/net/P_SSLUtils.h @@ -126,7 +126,7 @@ void SSLNetVCDetach(SSL *ssl); SSLNetVConnection *SSLNetVCAccess(const SSL *ssl); void setClientCertLevel(SSL *ssl, uint8_t certLevel); -void setClientCertCACerts(SSL *ssl, X509_STORE *ca_certs); +void setClientCertCACerts(SSL *ssl, const char *file, const char *dir); void setTLSValidProtocols(SSL *ssl, unsigned long proto_mask, unsigned long max_mask); namespace ssl diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 8fcc263..3593735 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc 
@@ -923,6 +923,8 @@ void SSLNetVConnection::clear() { _serverName.reset(); + _ca_cert_file.reset(); + _ca_cert_dir.reset(); if (ssl != nullptr) { SSL_free(ssl); @@ -1919,3 +1921,20 @@ SSLNetVConnection::set_server_name(std::string_view name) _serverName.reset(n); } } + +void +SSLNetVConnection::set_ca_cert_file(std::string_view file, std::string_view dir) +{ + if (file.size()) { +char *n = new char[file.size() + 1]; +std::memcpy(n, file.data(), file.size()); +n[file.size()] = '\0'; +_ca_cert_file.reset(n); + } + if (dir.size()) { +char *n = new char[dir.size() + 1]; +std::memcpy(n, dir.data(), dir.size()); +n[dir.size()] = '\0'; +_ca_cert_dir.reset(n); + } +} diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc index ffab40b..ec10fc6 100644 --- a/iocore/net/SSLSNIConfig.cc +++ b/iocore/net/SSLSNIConfig.cc @@ -69,7 +69,8 @@ SNIConfigParams::loadSNIConfig()
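Review bot: `setClientCertCACerts(ssl_vc->ssl, ssl_vc->get_ca_cert_file(), ssl_vc->get_ca_cert_dir())` is now called unconditionally, so for SNI entries without `verify_client_ca_certs` it receives `nullptr, nullptr` (the getters return the raw pointer of an unset `unique_ptr`). Confirm the new `setClientCertCACerts` treats that as "keep the default CA set" and not as an empty store: the OpenSSL loaders (`SSL_CTX_load_verify_locations`, `X509_STORE_load_locations`) return 0 when both arguments are NULL, and that error must not be swallowed. Since the function now takes paths instead of a prebuilt `X509_STORE`, the CA file is presumably parsed from disk during each affected handshake; a file that is unreadable or mid-replacement at that moment has to fail the handshake closed rather than fall back to verifying against nothing, and the per-handshake parse cost is worth measuring on a busy listener. The `ssl_vc` from `dynamic_cast` is still dereferenced without a null check.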
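Review bot: `set_ca_cert_file` only overwrites `_ca_cert_file` / `_ca_cert_dir` when the incoming value is non-empty, so a later call with an empty `file` or `dir` leaves the previous path in place. `clear()` now resets both members, which covers reuse across connections, but if the servername callback can run more than once on the same VC the override from the first run sticks; resetting unconditionally before the `if (file.size())` is cheaper to reason about. The `new char[n + 1]` plus `memcpy` pair also duplicates the `set_server_name` body, and the template argument of `std::unique_ptr _ca_cert_file` is cut off in this rendering: double-check it is `char[]` so the deleter is `delete[]`, or replace the three hand-rolled buffers with `std::string` members and return `c_str()` from the getters.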
[trafficserver] branch 9.0.x updated: RolledLogDeleter: do not sort on each candidate consideration. (#7243)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new effa339 RolledLogDeleter: do not sort on each candidate consideration. (#7243) effa339 is described below commit effa339c01e15767ccfa0ddecec16b3c8985972f Author: Brian Neradt AuthorDate: Wed Oct 7 11:38:39 2020 -0500 RolledLogDeleter: do not sort on each candidate consideration. (#7243) A performance issue was noticed in Docs testing related to the RolledLogDeleter candidates consideration. This fixes the candidate consideration logic to not sort on consideration of every candidate but rather sort after all the candidates have been gathered (if deletion will indeed take place). (cherry picked from commit 75b0fb02477f30b5b977bb9434a5cb6f5c65832f) --- proxy/logging/RolledLogDeleter.cc | 22 +- proxy/logging/RolledLogDeleter.h | 17 +++-- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/proxy/logging/RolledLogDeleter.cc b/proxy/logging/RolledLogDeleter.cc index 1547b50..6c8a6e2 100644 --- a/proxy/logging/RolledLogDeleter.cc +++ b/proxy/logging/RolledLogDeleter.cc @@ -73,6 +73,7 @@ RolledLogDeleter::register_log_type_for_deletion(std::string_view log_type, int deletingInfoList.push_back(std::move(deletingInfo)); deleting_info.insert(deletingInfoPtr); + candidates_require_sorting = true; } bool 
@@ -86,20 +87,31 @@ RolledLogDeleter::consider_for_candidacy(std::string_view log_path, int64_t file auto = iter->candidates; candidates.push_back(std::make_unique(log_path, file_size, modification_time)); ++num_candidates; - - std::sort( -candidates.begin(), candidates.end(), -[](std::unique_ptr const , std::unique_ptr const ) { return a->mtime > b->mtime; }); - + candidates_require_sorting = true; return true; } +void +RolledLogDeleter::sort_candidates() +{ + deleting_info.apply([](LogDeletingInfo ) { +std::sort(info.candidates.begin(), info.candidates.end(), + [](std::unique_ptr const , std::unique_ptr const ) { +return a->mtime > b->mtime; + }); + }); + candidates_require_sorting = false; +} + std::unique_ptr RolledLogDeleter::take_next_candidate_to_delete() { if (!has_candidates()) { return nullptr; } + if (candidates_require_sorting) { +sort_candidates(); + } // Select the highest priority type (diags.log, traffic.out, etc.) from which // to select a candidate. auto target_type = diff --git a/proxy/logging/RolledLogDeleter.h b/proxy/logging/RolledLogDeleter.h index f03785f..4b607f2 100644 --- a/proxy/logging/RolledLogDeleter.h +++ b/proxy/logging/RolledLogDeleter.h @@ -24,7 +24,7 @@ #pragma once #include -#include +#include #include #include #include 
@@ -202,13 +202,26 @@ public: void clear_candidates(); private: + /** Sort all the assembled candidates for each LogDeletingInfo. + * + * After any additions to the @a deleting_info, this should be called before + * calling @a take_next_candidate_to_delete because the latter depends upon + * the candidate entries being sorted. + */ + void sort_candidates(); + +private: /** The owning references to the set of LogDeletingInfo added to the below * hash map. */ - std::list> deletingInfoList; + std::deque> deletingInfoList; /** The set of candidates for deletion keyed by log_type. */ IntrusiveHashMap deleting_info; /** The number of tracked candidates. */ size_t num_candidates = 0; + + /** Whether the candidates require sorting due to an addition to the + * deleting_info. */ + bool candidates_require_sorting = true; };
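Review bot: `sort_candidates()` re-sorts the candidate vector of every `LogDeletingInfo` through `deleting_info.apply`, while `candidates_require_sorting` is one flag that any single `consider_for_candidacy` or `register_log_type_for_deletion` call sets. That is correct, and far better than the per-insert `std::sort` it replaces, but it still costs the full sum of n log n on the first `take_next_candidate_to_delete` after any addition; a per-`LogDeletingInfo` dirty bit would sort only the lists that changed. The comparator `a->mtime > b->mtime` orders newest first, so whichever end the taker pops from must be the oldest entry; that code is outside this hunk and worth a glance.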
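Review bot: `deletingInfoList` changes from `std::list` to `std::deque` while `deleting_info` (the `IntrusiveHashMap`) stores raw pointers to its elements (`deleting_info.insert(deletingInfoPtr)` in the first hunk). `std::deque::push_back` keeps references to existing elements valid, so this is safe only as long as the container stays append-only; any future `erase` or middle `insert` would dangle every map entry, a hazard `std::list` did not have. A one-line comment on the member saying "append-only, addresses are held by deleting_info" would protect the next edit. The `sort_candidates()` doc comment says callers must invoke it after additions, but the `candidates_require_sorting = true` initializer together with the check in `take_next_candidate_to_delete` already enforces that, so the comment can say the flag handles it.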
[trafficserver] branch 8.1.x updated: Replace existing autest certs with ones from master. These are considered insecure by more recent versions of openssl and will fail to load (#7244)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 8.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/8.1.x by this push: new 5494225 Replace existing autest certs with ones from master. These are considered insecure by more recent versions of openssl and will fail to load (#7244) 5494225 is described below commit 5494225b4cf55d3cc1ebc3797b6b563c83d91d75 Author: Evan Zelkowitz AuthorDate: Thu Oct 8 11:47:29 2020 -0600 Replace existing autest certs with ones from master. These are considered insecure by more recent versions of openssl and will fail to load (#7244) Update microserver crt and pem files Modify microserver certs to be 2048 --- tests/gold_tests/chunked_encoding/ssl/server.key | 43 +- tests/gold_tests/chunked_encoding/ssl/server.pem | 49 ++- tests/gold_tests/continuations/ssl/server.key| 43 +- tests/gold_tests/continuations/ssl/server.pem| 49 ++- tests/gold_tests/h2/ssl/server.key | 43 +- tests/gold_tests/h2/ssl/server.pem | 49 ++- tests/gold_tests/remap/ssl/server.key| 43 +- tests/gold_tests/remap/ssl/server.pem| 49 ++- tests/gold_tests/tls/ssl/server.key | 43 +- tests/gold_tests/tls/ssl/server.pem | 49 ++- tests/gold_tests/tls_hooks/ssl/server.key| 43 +- tests/gold_tests/tls_hooks/ssl/server.pem| 49 ++- tests/tools/microserver/ssl/server.crt | 33 +- tests/tools/microserver/ssl/server.pem | 76 ++-- 14 files changed, 346 insertions(+), 315 deletions(-) diff --git a/tests/gold_tests/chunked_encoding/ssl/server.key b/tests/gold_tests/chunked_encoding/ssl/server.key index 4c7a661..9cdfc36 100644 --- a/tests/gold_tests/chunked_encoding/ssl/server.key +++ b/tests/gold_tests/chunked_encoding/ssl/server.key 
@@ -1,15 +1,28 @@ --BEGIN RSA PRIVATE KEY- -MIICXQIBAAKBgQDWMHOiUF+ORmZjAxI8MWE9dblb7gQSJ36WCXlPFiFx6ynF+S1E -kXAYpIip5X0pzDUaIbLukxJUAAnOtMEO0PCgxJQUrEtRWh8wiJdbdQJF0Zs/9R+u -SUgb61f+mdTQvhqefBGx+xrpfAcgtcWiZuSA9Q3fvpDj5WOWSPWXBUuxywIDAQAB -AoGBAJPxRX2gjFAGWmQbU/YVmXfNH6navh8X/nx9sLeqrpE0AFeJI/ZPiqDKzMal -B43eSfNxwVi+ZxN0L1ICUbL9KKZvHs/QBxWLA1fGVAXrz7sRplEVvakPpTfHoEnv -sKaMWVKaK/S5WGbDhElb6zb/Lwo19DsIAPjGYqFvzFJBmobJAkEA9iSeTGkR9X26 -GywZoYrIMlRh34htOIRx1UUq88rFzdrCF21kQ4lhBIkX5OZMMy652i2gyak4OZTe -YewIv8jw9QJBAN7EQNHG8jPwXfVp91/fqxVQEfumuP2i6uiWWYQgZCmla2+0xcLZ -pMQ6sQEe10hhTrVnzHgAUVp50Ntn2jwBX78CQF09veGAI9d1Cxzj9cmmAvRd1r2Q -tp8kPOLnUsALXib+6WtqewLCdcf8DtsdClyRJMIraq85tRzK8fryKNZNzkkCQEgA -yS7FDj5JgCU15hZgFk1iPx3HCt44jZM2HaL+UUHAzRQjKxTLAl3G1rWVAWLMyQML -lORoveLvotl4HOruSsMCQQCAx9dV9JUSFoyc1CWILp/FgUH/se4cjQCThGO0DoQQ -vGTYmntY7j9WRJ9esQrjdD6Clw8zM/45GIBNwnXzqo7Z --END RSA PRIVATE KEY- +-BEGIN PRIVATE KEY- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCZkEXSlZ+ZFKFg +CPpcDG39e73BuK6E5uE38q2PHh4DV0xcsJnIUx51viqLPwYughxfP0crHyBdXoHV +dW/3WX4gpiGrdiM/dvCouheo0DPaqUUJ2nZKVYh2M57oyeiuJidlKb7BGkfw3HWP +9TV7dVyGWok/cowjopqaLHJWxg/kh2KqvUBD0CHt9Kd1XvgXVmHwE7vCv0j5owv2 +MaExTsFb16uWmVLhl1gNHI2RqCX2yLaebH1DvtbLrit1XErjtaSYeJE9clVRaqT6 +vsvLOhyB5tA9WfZqfBYr/MHDeXQfrbIf+4Cp3aTpq5grc5InIMMH0eOk6/f/4tW+ +nq1lfszZAgMBAAECggEAYvYAqRbXRRVwca0Xel5gO2yU+tSDUw5esWlow8RK3yhR +A6KjV9+Iz6P/UsEIwMwEcLUcrgNfHgybau5Fe4dmqq+lHxQA3xNNP869FIMoB4/x +98mbVYgNau8VRztnAWOBG8ZtMZA4MFZCRMVm8+rL96E8tXCiMwzEyPo/rP/ymfhN +3GRunX+GhfIA79AYNbd7HMVL+cvWWUGUF5Bc5i1wXcLy4I7b9NYtv920BeCLzSFK +BypFB7ku/vKgTcBxe4yxThxPeXPwm4WFzGYKk/Afl1j8tVXCE2U4Y3yykfC0Qk6S +ECZbCKLO2Rxi9fclIDZBHWuKejZhdjHfjeNvZ2vLoQKBgQDJzLmkVLvWAxgl1yvF +U7gwqj/TzYqtVowbjEvTNEnPU1j/hIVI343SVV/EvJmif/iRUop6sRYfLsUjpMsH +CmPysNKL3UtgSYOxLs+0xLhG4OOQRpPSf/uvl9YyWY9G3AqiC7ScthkQjEhZa4c1 +eycYy0jr42kX0OL9MuIH9q0ENQKBgQDCzvGKMs8r5E/Qd3YB9VYB60dx+6G83AHZ +YqIelykObhCdxL9n4K+p4VKKLvgTcCOLYYIkBSWRJWR+ue3s3ey9+XWd2/q4Xvfh 
+TCjAuO2ibMV+y5ClNlW0fQ/doIVWSDbjO2tZW1jh7YWZ4CtuVrsEisv1sk3KltMB +MguhpTUylQKBgG6TfrncMFzxrx61C+gBmvEXqQffHfkjbnx94OKnSTaQ3jiNHhez +X9v8KhD8o1bWtpay2uyl8pA9qYqBdzqxZ9kJKSW4qd/mCIJjOy87iBpWint5IPD8 +biZmldlbF9ZlJnJq5ZnlclCN/er5r8oPZHoCkj+nieOh8294nUBt25ptAoGAMnPA +EIeaKgbmONpHgLhWPwb9KOL/f1cHT5KA5CVH58nPmdyTqcaCGCAX7Vu+ueIIApgN +SWDf2thxT3S9zuOm5YiO0oRfSZKm5f2AbHE4ciFzgKQd4PvSdH0TN9XT0oW/WVhR +NAI5YcHPIQvyk4/4vXNo4Uf9Z6NqIFwisQmFXoUCgYBK/ZI/HsFsvnR5MV0tFdGM +AdNe6bsQRSZkowoaPxuWbklE4Hn6QvwEmQg3ST2O+vCQV1f1yI6YiWYoptOYscJc +MSs/HxhhaaO5ZsiuPUO6WEPzpNb2CxuIGDDtl83VtUQyjxCmOb6pqqjwzFmZ2bsw +JNMaBCzokrJTxknvauCuSQ== +-END PRIVATE KEY- diff --git a/tests/gold_tests/chunked_encoding/ssl/server.pem b/tests/gold_tests/chunked_encoding/ssl/server.pem index 3584a2e..2b56cc8 100644 --- a/tests/gold_tests/chunked_encoding/ssl/server.pem +++
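Review bot: this hunk replaces a 1024-bit PKCS#1 RSA key (`BEGIN RSA PRIVATE KEY`, `MIICXQ...`) with a 2048-bit PKCS#8 key (`BEGIN PRIVATE KEY`, `MIIEvA...`), which matches the commit message's "Modify microserver certs to be 2048" and is why the old fixtures fail to load: OpenSSL at security level 2, the default in several current distributions, rejects RSA keys shorter than 2048 bits. Two things worth adding alongside the swap: the key is committed in plaintext as a test fixture, so a short note in the `ssl/` directories (or a comment in the test that loads it) should mark it as test-only and not to be reused anywhere reachable from a network; and since every `server.pem` in the diffstat is regenerated too, record the new certificates' expiry date somewhere discoverable so the suite does not break again silently when they lapse.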
[trafficserver] branch master updated (ef29798 -> e6e6ca2)
This is an automated email from the ASF dual-hosted git repository. amc pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from ef29798 Fix test_error_page_selection memory leaks and logic errors (#7248) add e6e6ca2 Remove useless if for port set assertion. (#7250) No new revisions were added by this update. Summary of changes: proxy/http/HttpSM.cc | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-)
[trafficserver] branch master updated (cb4ff10 -> ef29798)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from cb4ff10 [multiplexer] option to skip post/put requests (#7233) add ef29798 Fix test_error_page_selection memory leaks and logic errors (#7248) No new revisions were added by this update. Summary of changes: proxy/http/unit_tests/test_error_page_selection.cc | 108 - 1 file changed, 60 insertions(+), 48 deletions(-)
[trafficserver] branch master updated (eea8c55 -> cb4ff10)
This is an automated email from the ASF dual-hosted git repository. rrm pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from eea8c55 Incorporates the latest CI build changes (#7251) add cb4ff10 [multiplexer] option to skip post/put requests (#7233) No new revisions were added by this update. Summary of changes: doc/admin-guide/plugins/multiplexer.en.rst | 4 +- plugins/multiplexer/ats-multiplexer.cc | 69 ++ plugins/multiplexer/dispatch.h | 1 + 3 files changed, 45 insertions(+), 29 deletions(-)