mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 22:31:28 +02:00
Code Issues Projects Releases Wiki Activity

CLEANUP: ssl/cli: do not loop on unknown states in "add ssl crt-list" handler

Browse Source 
The io_handler in "add ssl crt_list" is built around a "while" loop that
only makes forward progress and that doesn't handle its final state as
it's not supposed to be called again once reached. This makes the code
confusing because its construct implies an infinite loop for such a
state (or any other unhandled one). Let's just remove that unneeded loop.
This commit is contained in:
Willy Tarreau 2022-05-05 13:50:46 +02:00
parent 4fd9b4ddf0
commit 1b948ef426
1 changed files with 50 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
src/ssl_crtlist.c
View File

@ -1061,68 +1061,64 @@ static int cli_io_handler_add_crtlist(struct appctx *appctx)
if (unlikely(cs_ic(cs)->flags & (CF_WRITE_ERROR|CF_SHUTW))) if (unlikely(cs_ic(cs)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
goto error; goto error;
while (1) { switch (appctx->st2) {
switch (appctx->st2) { case SETCERT_ST_INIT:
case SETCERT_ST_INIT: /* This state just print the update message */
/* This state just print the update message */ chunk_printf(trash, "Inserting certificate '%s' in crt-list '%s'", store->path, crtlist->node.key);
chunk_printf(trash, "Inserting certificate '%s' in crt-list '%s'", store->path, crtlist->node.key); if (ci_putchk(cs_ic(cs), trash) == -1) {
if (ci_putchk(cs_ic(cs), trash) == -1) { cs_rx_room_blk(cs);
cs_rx_room_blk(cs); goto yield;
goto yield; }
} appctx->st2 = SETCERT_ST_GEN;
appctx->st2 = SETCERT_ST_GEN; /* fallthrough */
/* fallthrough */ case SETCERT_ST_GEN:
case SETCERT_ST_GEN: bind_conf_node = appctx->ctx.cli.p2; /* get the previous ptr from the yield */
bind_conf_node = appctx->ctx.cli.p2; /* get the previous ptr from the yield */ if (bind_conf_node == NULL)
if (bind_conf_node == NULL) bind_conf_node = crtlist->bind_conf;
bind_conf_node = crtlist->bind_conf; for (; bind_conf_node; bind_conf_node = bind_conf_node->next) {
for (; bind_conf_node; bind_conf_node = bind_conf_node->next) { struct bind_conf *bind_conf = bind_conf_node->bind_conf;
struct bind_conf *bind_conf = bind_conf_node->bind_conf; struct sni_ctx *sni;
struct sni_ctx *sni;
/* yield every 10 generations */ /* yield every 10 generations */
if (i > 10) { if (i > 10) {
appctx->ctx.cli.p2 = bind_conf_node; appctx->ctx.cli.p2 = bind_conf_node;
goto yield; goto yield;
} }
/* we don't support multi-cert bundles, only simple ones */ /* we don't support multi-cert bundles, only simple ones */
errcode |= ckch_inst_new_load_store(store->path, store, bind_conf, entry->ssl_conf, entry->filters, entry->fcount, &new_inst, &err); errcode |= ckch_inst_new_load_store(store->path, store, bind_conf, entry->ssl_conf, entry->filters, entry->fcount, &new_inst, &err);
if (errcode & ERR_CODE)
goto error;
/* we need to initialize the SSL_CTX generated */
/* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
list_for_each_entry(sni, &new_inst->sni_ctx, by_ckch_inst) {
if (!sni->order) { /* we initialized only the first SSL_CTX because it's the same in the other sni_ctx's */
errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, new_inst->ssl_conf, sni->ctx, sni->ckch_inst, &err);
if (errcode & ERR_CODE) if (errcode & ERR_CODE)
goto error; goto error;
/* we need to initialize the SSL_CTX generated */
/* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
list_for_each_entry(sni, &new_inst->sni_ctx, by_ckch_inst) {
if (!sni->order) { /* we initialized only the first SSL_CTX because it's the same in the other sni_ctx's */
errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, new_inst->ssl_conf, sni->ctx, sni->ckch_inst, &err);
if (errcode & ERR_CODE)
goto error;
}
}
/* display one dot for each new instance */
chunk_appendf(trash, ".");
i++;
LIST_APPEND(&store->ckch_inst, &new_inst->by_ckchs);
LIST_APPEND(&entry->ckch_inst, &new_inst->by_crtlist_entry);
new_inst->crtlist_entry = entry;
} }
appctx->st2 = SETCERT_ST_INSERT; }
/* fallthrough */ /* display one dot for each new instance */
case SETCERT_ST_INSERT: chunk_appendf(trash, ".");
/* insert SNIs in bind_conf */ i++;
list_for_each_entry(new_inst, &store->ckch_inst, by_ckchs) { LIST_APPEND(&store->ckch_inst, &new_inst->by_ckchs);
HA_RWLOCK_WRLOCK(SNI_LOCK, &new_inst->bind_conf->sni_lock); LIST_APPEND(&entry->ckch_inst, &new_inst->by_crtlist_entry);
ssl_sock_load_cert_sni(new_inst, new_inst->bind_conf); new_inst->crtlist_entry = entry;
HA_RWLOCK_WRUNLOCK(SNI_LOCK, &new_inst->bind_conf->sni_lock);
}
entry->linenum = ++crtlist->linecount;
appctx->st2 = SETCERT_ST_FIN;
goto end;
} }
appctx->st2 = SETCERT_ST_INSERT;
/* fallthrough */
case SETCERT_ST_INSERT:
/* insert SNIs in bind_conf */
list_for_each_entry(new_inst, &store->ckch_inst, by_ckchs) {
HA_RWLOCK_WRLOCK(SNI_LOCK, &new_inst->bind_conf->sni_lock);
ssl_sock_load_cert_sni(new_inst, new_inst->bind_conf);
HA_RWLOCK_WRUNLOCK(SNI_LOCK, &new_inst->bind_conf->sni_lock);
}
entry->linenum = ++crtlist->linecount;
appctx->st2 = SETCERT_ST_FIN;
} }
end:
chunk_appendf(trash, "\n"); chunk_appendf(trash, "\n");
if (errcode & ERR_WARN) if (errcode & ERR_WARN)
chunk_appendf(trash, "%s", err); chunk_appendf(trash, "%s", err);