mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 22:31:28 +02:00
Code Issues Projects Releases Wiki Activity

CLEANUP: ssl/cli: use a local context for "commit ssl cert"

Browse Source 
This command only really uses old_ckchs, new_ckchs and next_ckchi
from the appctx's ssl context. The new structure "commit_cert_ctx"
only has these 3 fields, though none could be removed from the shared
ssl context since they're still used by other commands.
This commit is contained in:
Willy Tarreau 2022-05-04 19:58:00 +02:00
parent 96c9a6c752
commit a645b6a21f
1 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/ssl_ckch.c
View File

@ -84,6 +84,13 @@ struct show_cert_ctx {
int transaction; int transaction;
}; };
/* CLI context used by "commit cert" */
struct commit_cert_ctx {
struct ckch_store *old_ckchs;
struct ckch_store *new_ckchs;
struct ckch_inst *next_ckchi;
};
/******************** cert_key_and_chain functions ************************* /******************** cert_key_and_chain functions *************************
@ -1822,13 +1829,14 @@ error:
/* release function of the `set ssl cert' command, free things and unlock the spinlock */ /* release function of the `set ssl cert' command, free things and unlock the spinlock */
static void cli_release_commit_cert(struct appctx *appctx) static void cli_release_commit_cert(struct appctx *appctx)
{ {
struct commit_cert_ctx *ctx = appctx->svcctx;
struct ckch_store *new_ckchs; struct ckch_store *new_ckchs;
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock); HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
if (appctx->st2 != SETCERT_ST_FIN) { if (appctx->st2 != SETCERT_ST_FIN) {
/* free every new sni_ctx and the new store, which are not in the trees so no spinlock there */ /* free every new sni_ctx and the new store, which are not in the trees so no spinlock there */
new_ckchs = appctx->ctx.ssl.new_ckchs; new_ckchs = ctx->new_ckchs;
/* if the allocation failed, we need to free everything from the temporary list */ /* if the allocation failed, we need to free everything from the temporary list */
ckch_store_free(new_ckchs); ckch_store_free(new_ckchs);
@ -1994,6 +2002,7 @@ void ckch_store_replace(struct ckch_store *old_ckchs, struct ckch_store *new_ckc
*/ */
static int cli_io_handler_commit_cert(struct appctx *appctx) static int cli_io_handler_commit_cert(struct appctx *appctx)
{ {
struct commit_cert_ctx *ctx = appctx->svcctx;
struct conn_stream *cs = appctx->owner; struct conn_stream *cs = appctx->owner;
int y = 0; int y = 0;
char *err = NULL; char *err = NULL;
@ -2027,14 +2036,14 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
* yield every 10 instances. * yield every 10 instances.
*/ */
old_ckchs = appctx->ctx.ssl.old_ckchs; old_ckchs = ctx->old_ckchs;
new_ckchs = appctx->ctx.ssl.new_ckchs; new_ckchs = ctx->new_ckchs;
if (!new_ckchs) if (!new_ckchs)
continue; continue;
/* get the next ckchi to regenerate */ /* get the next ckchi to regenerate */
ckchi = appctx->ctx.ssl.next_ckchi; ckchi = ctx->next_ckchi;
/* we didn't start yet, set it to the first elem */ /* we didn't start yet, set it to the first elem */
if (ckchi == NULL) if (ckchi == NULL)
ckchi = LIST_ELEM(old_ckchs->ckch_inst.n, typeof(ckchi), by_ckchs); ckchi = LIST_ELEM(old_ckchs->ckch_inst.n, typeof(ckchi), by_ckchs);
@ -2046,7 +2055,7 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
/* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */ /* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
if (y >= 10) { if (y >= 10) {
/* save the next ckchi to compute */ /* save the next ckchi to compute */
appctx->ctx.ssl.next_ckchi = ckchi; ctx->next_ckchi = ckchi;
goto yield; goto yield;
} }
@ -2064,8 +2073,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
case SETCERT_ST_INSERT: case SETCERT_ST_INSERT:
/* The generation is finished, we can insert everything */ /* The generation is finished, we can insert everything */
old_ckchs = appctx->ctx.ssl.old_ckchs; old_ckchs = ctx->old_ckchs;
new_ckchs = appctx->ctx.ssl.new_ckchs; new_ckchs = ctx->new_ckchs;
if (!new_ckchs) if (!new_ckchs)
continue; continue;
@ -2117,6 +2126,7 @@ error:
*/ */
static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appctx, void *private) static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appctx, void *private)
{ {
struct commit_cert_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
char *err = NULL; char *err = NULL;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
@ -2153,9 +2163,9 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc
/* init the appctx structure */ /* init the appctx structure */
appctx->st2 = SETCERT_ST_INIT; appctx->st2 = SETCERT_ST_INIT;
appctx->ctx.ssl.next_ckchi = NULL; ctx->next_ckchi = NULL;
appctx->ctx.ssl.new_ckchs = ckchs_transaction.new_ckchs; ctx->new_ckchs = ckchs_transaction.new_ckchs;
appctx->ctx.ssl.old_ckchs = ckchs_transaction.old_ckchs; ctx->old_ckchs = ckchs_transaction.old_ckchs;
/* we don't unlock there, it will be unlock after the IO handler, in the release handler */ /* we don't unlock there, it will be unlock after the IO handler, in the release handler */
return 0; return 0;