From: William Lallemand
Date: Mon, 30 Mar 2020 17:29:45 +0000 (+0200)
Subject: MINOR: ssl/cli: update pointer to store in 'commit ssl cert'
X-Git-Tag: v2.2-dev6~64
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=90afe90681badedadb8ec486b371a2870e6eb448;p=thirdparty%2Fhaproxy.git

MINOR: ssl/cli: update pointer to store in 'commit ssl cert'

The crtlist_entry structure uses a pointer to the store as key. That's a problem with the dynamic update of a certificate over the CLI, because it allocates a new ckch_store. So updating the pointers is needed. To achieve that, a linked list of the crtlist_entry was added in the ckch_store, so it's easy to iterate on this list to update the pointers. Another solution would have been to rework the system so we don't allocate a new ckch_store, but it requires a rework of the ckch code.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d6f8e67725..b842d3039f 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -11489,6 +11489,7 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) struct ckch_inst *ckchi, *ckchis; struct buffer *trash = alloc_trash_chunk(); struct sni_ctx *sc0, *sc0s; + struct crtlist_entry *entry; if (trash == NULL) goto error; @@ -11589,6 +11590,15 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) if (!new_ckchs) continue; + /* get the list of crtlist_entry in the old store, and update the pointers to the store */ + LIST_SPLICE(&new_ckchs->crtlist_entry, &old_ckchs->crtlist_entry); + list_for_each_entry(entry, &new_ckchs->crtlist_entry, by_ckch_store) { + ebpt_delete(&entry->node); + /* change the ptr and reinsert the node */ + entry->node.key = new_ckchs; + ebpt_insert(&entry->crtlist->entries, &entry->node); + } + /* First, we insert every new SNIs in the trees, also replace the default_ctx */ list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) { HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
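
Review bot: after the LIST_SPLICE in the second hunk, nothing visible resets old_ckchs->crtlist_entry. If the macro leaves the source head untouched, the old store still references entries that now belong to new_ckchs, and any later walk of that list when old_ckchs is released would reach them. Consider re-initialising the old head right after the splice (for example LIST_INIT(&old_ckchs->crtlist_entry)), or say in the comment why that is not needed. The ebpt_delete/ebpt_insert re-keying also runs before the loop that takes SNI_LOCK and shows no lock of its own, so a short comment naming what protects entry->crtlist->entries against concurrent readers would help.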