This is an automated email from the ASF dual-hosted git repository. masaori pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new e6231b3 Changed client context mapping to 2-level. Tested against a TLS server to verify client context is created and found. e6231b3 is described below commit e6231b3faecafffa84f72bd3a82bcaf974b86a31 Author: dyrock <zeyu...@gmail.com> AuthorDate: Thu Feb 21 17:06:41 2019 -0600 Changed client context mapping to 2-level. Tested against a TLS server to verify client context is created and found.
---
 iocore/net/P_SSLConfig.h | 10 +++++----
 iocore/net/SSLConfig.cc | 54 +++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index df17866..14b7b9f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -120,10 +120,12 @@ struct SSLConfigParams : public ConfigInfo {
 SSL_CTX *client_ctx;
- // Making this mutable since this is a updatable
- // cache on an otherwise immutable config object
- // The ctx_map owns the client SSL_CTX objects and is responseible for cleaning them up
- mutable std::unordered_map<std::string, SSL_CTX *> ctx_map;
+ // Client contexts are held by 2-level map:
+ // The first level maps from CA bundle file&path to next level map;
+ // The second level maps from cert&key to actual SSL_CTX;
+ // The second level map owns the client SSL_CTX objects and is responsible for cleaning them up
+ using CTX_MAP = std::unordered_map<std::string, SSL_CTX *>;
+ mutable std::unordered_map<std::string, CTX_MAP *> top_level_ctx_map;
 mutable ink_mutex ctxMapLock;
 SSL_CTX *getClientSSL_CTX(void) const;
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 1fd1955..26a65a4 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
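Review bot: The new `top_level_ctx_map` holds the second-level maps as raw owning pointers, and the rewritten comment documents ownership only for the SSL_CTX objects, not for the CTX_MAP objects that getCTX allocates with `new` and that only cleanupCTXTable deletes. Either make the ownership explicit in the type, `mutable std::unordered_map<std::string, std::unique_ptr<CTX_MAP>> top_level_ctx_map;` (with `<memory>` included), or store the second level by value, `mutable std::unordered_map<std::string, CTX_MAP> top_level_ctx_map;`, which removes the `new`/`delete` pairing altogether. If the raw pointer is kept, the comment should at least state `// The top-level map owns the CTX_MAP objects; cleanupCTXTable() deletes them` so the next maintainer does not free or reassign them elsewhere. The struct declaration continues outside this hunk.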
@@ -670,12 +670,26 @@ SSL_CTX *
 SSLConfigParams::getCTX(const char *client_cert, const char *key_file, const char *ca_bundle_file, const char *ca_bundle_path) const
 {
 SSL_CTX *client_ctx = nullptr;
- std::string key;
- ts::bwprint(key, "{}:{}:{}:{}", client_cert, key_file, ca_bundle_file, ca_bundle_path);
+ CTX_MAP *ctx_map = nullptr;
+ std::string top_level_key, ctx_key;
+ ts::bwprint(top_level_key, "{}:{}", ca_bundle_file, ca_bundle_path);
+ ts::bwprint(ctx_key, "{}:{}", client_cert, key_file, ca_bundle_file, ca_bundle_path);
 ink_mutex_acquire(&ctxMapLock);
- auto iter = ctx_map.find(key);
- if (iter != ctx_map.end()) {
+ // Do first level searching and create new CTX_MAP as second level if not exists.
+ auto top_iter = top_level_ctx_map.find(top_level_key);
+ if (top_iter != top_level_ctx_map.end()) {
+ if (top_iter->second == nullptr) {
+ top_iter->second = new CTX_MAP;
+ }
+ ctx_map = top_iter->second;
+ } else {
+ ctx_map = new CTX_MAP;
+ top_level_ctx_map.insert(std::make_pair(top_level_key, ctx_map));
+ }
+ // Do second level searching and return client ctx if found
+ auto iter = ctx_map->find(ctx_key);
+ if (iter != ctx_map->end()) {
 client_ctx = iter->second;
 ink_mutex_release(&ctxMapLock);
 return client_ctx;
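Review bot: `ts::bwprint(ctx_key, "{}:{}", client_cert, key_file, ca_bundle_file, ca_bundle_path);` passes four arguments to a two-placeholder format; the CA bundle values are left over from the old four-field key and, depending on how bwprint treats surplus arguments, are either silently dropped or not, so the line should read `ts::bwprint(ctx_key, "{}:{}", client_cert, key_file);`. The `top_iter->second == nullptr` branch is unreachable, since both insert sites store a freshly allocated map, and the whole lookup-or-create block is repeated verbatim at the second acquire in the next hunk (+731); storing the second level by value in the header reduces both copies to `ctx_map = &top_level_ctx_map[top_level_key];` and removes the `new`. The ':' joiner is inherited from the old key, but a path containing ':' lets two different cert/key pairs collide on one key and hand back the wrong client context, so a separator that cannot occur in a path is the safer choice. getCTX continues past the end of this hunk.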
@@ -717,12 +731,22 @@ SSLConfigParams::getCTX(const char *client_cert, const char *key_file, const cha
 }
 ink_mutex_acquire(&ctxMapLock);
- iter = ctx_map.find(key);
- if (iter != ctx_map.end()) {
+ top_iter = top_level_ctx_map.find(top_level_key);
+ if (top_iter != top_level_ctx_map.end()) {
+ if (top_iter->second == nullptr) {
+ top_iter->second = new CTX_MAP;
+ }
+ ctx_map = top_iter->second;
+ } else {
+ ctx_map = new CTX_MAP;
+ top_level_ctx_map.insert(std::make_pair(top_level_key, ctx_map));
+ }
+ iter = ctx_map->find(ctx_key);
+ if (iter != ctx_map->end()) {
 SSL_CTX_free(client_ctx);
 client_ctx = iter->second;
 } else {
- ctx_map.insert(std::make_pair(key, client_ctx));
+ ctx_map->insert(std::make_pair(ctx_key, client_ctx));
 }
 ink_mutex_release(&ctxMapLock);
 return client_ctx;
@@ -738,11 +762,17 @@ void
 SSLConfigParams::cleanupCTXTable()
 {
 ink_mutex_acquire(&ctxMapLock);
- auto iter = ctx_map.begin();
- while (iter != ctx_map.end()) {
- SSL_CTX_free(iter->second);
- ++iter;
+ CTX_MAP *ctx_map = nullptr;
+ for (auto &top_pair : top_level_ctx_map) {
+ ctx_map = top_pair.second;
+ if (ctx_map) {
+ for (auto &pair : (*ctx_map)) {
+ SSL_CTX_free(pair.second);
+ }
+ ctx_map->clear();
+ delete ctx_map;
+ }
 }
- ctx_map.clear();
+ top_level_ctx_map.clear();
 ink_mutex_release(&ctxMapLock);
 }
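Review bot: In cleanupCTXTable the `ctx_map->clear();` immediately before `delete ctx_map;` does nothing the destructor would not do, and declaring `CTX_MAP *ctx_map = nullptr;` outside the loop only to reassign it each iteration widens its scope for no reason; `if (CTX_MAP *ctx_map = top_pair.second) {` as the loop body's guard does both jobs in one line. The `if (ctx_map)` check is consistent with the unreachable nullptr branch in getCTX, so if the second level is stored by value or as `std::unique_ptr` in the header, this loop shrinks to freeing each SSL_CTX followed by `top_level_ctx_map.clear();`. Freeing here still relies on every pointer handed out by getCTX no longer being used, which this hunk cannot show; a one-line comment stating that precondition above the loop would help.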