diff --git a/common/include/tfe_proxy.h b/common/include/tfe_proxy.h
index 2f4a7d0..5ed8268 100644
--- a/common/include/tfe_proxy.h
+++ b/common/include/tfe_proxy.h
@@ -17,3 +17,4 @@ int tfe_proxy_ssl_del_trust_ca(const char* pem_file);
 int tfe_proxy_ssl_add_crl(const char* pem_file);
 int tfe_proxy_ssl_del_crl(const char* pem_file);
 void tfe_proxy_ssl_reset_trust_ca();
+void tfe_proxy_ssl_reset_trust_ca_finish(void);
diff --git a/platform/include/internal/ssl_stream_core.h b/platform/include/internal/ssl_stream_core.h
index ae03aa1..6be60e6 100644
--- a/platform/include/internal/ssl_stream_core.h
+++ b/platform/include/internal/ssl_stream_core.h
@@ -50,5 +50,4 @@ int ssl_manager_del_trust_ca(struct ssl_mgr* mgr, const char* pem_file);
 int ssl_manager_add_crl(struct ssl_mgr* mgr, const char* pem_file);
 int ssl_manager_del_crl(struct ssl_mgr* mgr, const char* pem_file);
 void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr);
-
-
+void ssl_manager_reset_trust_ca_finish(struct ssl_mgr *mgr);
diff --git a/platform/include/internal/ssl_trusted_cert_storage.h b/platform/include/internal/ssl_trusted_cert_storage.h
index d85d495..250e3f4 100644
--- a/platform/include/internal/ssl_trusted_cert_storage.h
+++ b/platform/include/internal/ssl_trusted_cert_storage.h
@@ -32,5 +32,4 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
 int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
 void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage);
-
-
+void ssl_trusted_cert_storage_reset_finish(struct ssl_trusted_cert_storage *storage);
diff --git a/platform/src/proxy.cpp b/platform/src/proxy.cpp
index 188ad28..9f2d018 100644
--- a/platform/src/proxy.cpp
+++ b/platform/src/proxy.cpp
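Review bot: The new declaration `tfe_proxy_ssl_reset_trust_ca_finish` carries no comment explaining the two-phase reset it completes, and the same holds for the declarations added in the ssl_stream_core.h and ssl_trusted_cert_storage.h hunks. From the implementation hunks, add/del calls issued between `tfe_proxy_ssl_reset_trust_ca()` and this call go to a staging store that only becomes effective in the finish call, and a finish without a preceding reset frees the live store, so the header is where that contract belongs. I would put above the declaration: `/* Second phase of a trust-CA reset: installs the store rebuilt since tfe_proxy_ssl_reset_trust_ca(). Call once per reset, and only after a reset. */`. The neighbouring `void tfe_proxy_ssl_reset_trust_ca();` has an empty parameter list while the new one says `(void)`; in C the old form is an unprototyped declaration, so `(void)` on both would keep the header consistent.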
@@ -934,4 +934,8 @@ void tfe_proxy_ssl_reset_trust_ca(void) return; } - +void tfe_proxy_ssl_reset_trust_ca_finish(void) +{ + ssl_manager_reset_trust_ca_finish(g_default_proxy->ssl_mgr_handler); + return; +} \ No newline at end of file diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index 4b70c8d..e30cc5b 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -2090,6 +2090,11 @@ void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr) ssl_trusted_cert_storage_reset(mgr->trust_CA_store); return; } +void ssl_manager_reset_trust_ca_finish(struct ssl_mgr* mgr) +{ + ssl_trusted_cert_storage_reset_finish(mgr->trust_CA_store); + return; +} int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val) { struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param); diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp index f751579..051ec8d 100644 --- a/platform/src/ssl_trusted_cert_storage.cpp +++ b/platform/src/ssl_trusted_cert_storage.cpp @@ -19,6 +19,13 @@ struct ssl_X509_object char* filename; enum ssl_X509_obj_type type; }; + +enum cert_store_status +{ + UPDATING, + STABLE, +}; + static void free_ssl_x509_obj(void* data) { struct ssl_X509_object* obj=(struct ssl_X509_object*)data; @@ -28,11 +35,14 @@ static void free_ssl_x509_obj(void* data) } struct ssl_trusted_cert_storage { + enum cert_store_status status; struct cert_store_param param; char* pem_bundle, *pem_dir; MESA_htable_handle hash_table; - pthread_rwlock_t rwlock; - X509_STORE* effective_store; + MESA_htable_handle temp_table; + pthread_rwlock_t rwlock; + X509_STORE *effective_store; + X509_STORE *temp_store; }; static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type type, const char* filename) { 
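Review bot: `tfe_proxy_ssl_reset_trust_ca_finish` dereferences the global `g_default_proxy` unconditionally; whether `tfe_proxy_ssl_reset_trust_ca` just above guards that global is outside the hunk, so if it does the new function should mirror it, and if neither does, a finish callback arriving before the proxy is created would be a null dereference. The trailing `return;` in a void function is noise and can go. The hunk also ends with `\ No newline at end of file`, which is worth fixing while the function is being added.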
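Review bot: The new `status`, `temp_table` and `temp_store` members of `struct ssl_trusted_cert_storage` have no comment, yet every function in this file now depends on their invariant: the staging pair is only meaningful while `status == UPDATING`, and `ssl_trusted_cert_storage_reset_finish` resets both to NULL when it returns to STABLE. I would annotate the fields, e.g. `enum cert_store_status status; /* UPDATING between reset() and reset_finish() */`, `MESA_htable_handle temp_table; /* staging table, valid only while UPDATING */` and the same for `temp_store`. The enumerators `UPDATING` and `STABLE` are unscoped file-level names that are easy to collide with; a prefix such as `CERT_STORE_UPDATING` / `CERT_STORE_STABLE` is the usual defence.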
@@ -194,9 +204,8 @@ struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem
 pthread_rwlock_init(&(storage->rwlock), NULL);
 assert(SSL_EX_DATA_IDX_VERIFY_PARAM<0);
 SSL_EX_DATA_IDX_VERIFY_PARAM = X509_STORE_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ storage->status = STABLE;
 return storage;
-
-
 }
 void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage)
 {
@@ -210,14 +219,28 @@ int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum
 int ret=0;
 struct ssl_X509_object* obj=NULL;
 void* data=NULL;
- pthread_rwlock_wrlock(&(storage->rwlock));
- data=MESA_htable_search(storage->hash_table, (const unsigned char*)filename, strlen(filename));
+ MESA_htable_handle hash_table = NULL;
+ X509_STORE *effective_store = NULL;
+
+ pthread_rwlock_wrlock(&(storage->rwlock));
+ if (storage->status == UPDATING)
+ {
+ hash_table = storage->temp_table;
+ effective_store = storage->temp_store;
+ }
+ else
+ {
+ hash_table = storage->hash_table;
+ effective_store = storage->effective_store;
+ }
+
+ data = MESA_htable_search(hash_table, (const unsigned char *)filename, strlen(filename));
 if(data!=NULL)//duplicated
 {
 ret=-1;
 goto error_out;
 }
- ret=_X509_add_cert_or_crl_add(storage->effective_store, type, filename);
+ ret=_X509_add_cert_or_crl_add(effective_store, type, filename);
 if(ret<0)
 {
 ret=-1;
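Review bot: `ssl_trusted_cert_storage_create` now sets `storage->status = STABLE` but leaves the new `temp_table` and `temp_store` members uninitialised; unless `storage` comes from a zeroing allocator (its allocation is above the hunk), a later `reset_finish` or the destroy path would read indeterminate pointers. Initialise them next to the status: `storage->temp_table = NULL;` and `storage->temp_store = NULL;`. It is also worth confirming that `ssl_trusted_cert_storage_destroy` (signature in the hunk, body not) releases `temp_table`/`temp_store` when called in the UPDATING state, otherwise an aborted reset leaks both.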
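Review bot: The status-dependent selection of `hash_table`/`effective_store` under the write lock in `ssl_trusted_cert_storage_add` is copied verbatim into `ssl_trusted_cert_storage_del` (the `@@ -249,18` hunk), and the same `status == UPDATING` test appears a third time at the end of del; a small static helper keeps the copies in step if a state or field is ever added. The helper must be called with `storage->rwlock` held for writing, which deserves a comment at its definition, and both call sites become a single line after the `pthread_rwlock_wrlock` call. The body of `ssl_trusted_cert_storage_add` continues in the next hunk.
```cpp
/* Pick the table/store that mutations target while a reset is staged.
 * Caller must hold storage->rwlock for writing. */
static void _select_mutable_store(struct ssl_trusted_cert_storage *storage,
                                  MESA_htable_handle *hash_table, X509_STORE **store)
{
    if (storage->status == UPDATING)
    {
        *hash_table = storage->temp_table;
        *store = storage->temp_store;
    }
    else
    {
        *hash_table = storage->hash_table;
        *store = storage->effective_store;
    }
}

// … unchanged: ssl_trusted_cert_storage_add locals …
    pthread_rwlock_wrlock(&(storage->rwlock));
    _select_mutable_store(storage, &hash_table, &effective_store);
// … unchanged: duplicate check and _X509_add_cert_or_crl_add …
```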
@@ -228,10 +251,11 @@ int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum
 obj=ALLOC(struct ssl_X509_object, 1);
 obj->type=SSL_X509_OBJ_CERT;
 obj->filename=tfe_strdup(filename);
- ret=MESA_htable_add(storage->hash_table, (const unsigned char*)obj->filename, strlen(obj->filename), obj);
+ ret=MESA_htable_add(hash_table, (const unsigned char*)obj->filename, strlen(obj->filename), obj);
 assert(ret>0);
 ret=1;
-
+ TFE_LOG_DEBUG(g_default_logger, "%s %p add %s", storage->status == UPDATING ? "temp store" : "effective store", effective_store, filename);
+
 error_out:
 pthread_rwlock_unlock(&(storage->rwlock));
 return ret;
@@ -249,18 +273,42 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum { int ret=0; X509_STORE* temp_store=NULL; - pthread_rwlock_wrlock(&(storage->rwlock)); - ret=MESA_htable_del(storage->hash_table, (const unsigned char*)filename, strlen(filename), NULL); + MESA_htable_handle hash_table = NULL; + X509_STORE *effective_store = NULL; + + pthread_rwlock_wrlock(&(storage->rwlock)); + if (storage->status == UPDATING) + { + hash_table = storage->temp_table; + effective_store = storage->temp_store; + } + else + { + hash_table = storage->hash_table; + effective_store = storage->effective_store; + } + + ret=MESA_htable_del(hash_table, (const unsigned char*)filename, strlen(filename), NULL); if(ret<0) { ret=-1; goto error_out; } temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param)); - MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store); - X509_STORE_free(storage->effective_store); - storage->effective_store=temp_store; - ret=1; + MESA_htable_iterate(hash_table, cert_storage_htable_traverse_cb, temp_store); + X509_STORE_free(effective_store); + TFE_LOG_DEBUG(g_default_logger, "%s %p->%p del %s", storage->status == UPDATING ? "temp store" : "effective store", effective_store, temp_store, filename); + + if (storage->status == UPDATING) + { + storage->temp_store = temp_store; + } + else + { + storage->effective_store = temp_store; + } + + ret=1; error_out: pthread_rwlock_unlock(&(storage->rwlock)); 
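Review bot: In the rewritten tail of `ssl_trusted_cert_storage_del`, `X509_STORE_free(effective_store)` runs before anything checks that `_X509_store_create` produced a store; if it can return NULL (its failure behaviour is not visible here), the old store is gone, a NULL store is installed into `effective_store` or `temp_store`, and the table entry has already been removed. Guard it before the free, `if (temp_store == NULL) { ret = -1; goto error_out; }`, or defer the `MESA_htable_del` until the rebuild has succeeded so table and store cannot diverge. The `TFE_LOG_DEBUG` line formats `effective_store` after it has been freed — moving the log above the free avoids printing a dangling value — and the closing `status == UPDATING` branch repeats the selection made at the top of the function; capturing `X509_STORE **slot` alongside `effective_store` there would remove the second branch.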
@@ -268,19 +316,28 @@ error_out: } void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage) { - - X509_STORE* temp_store=NULL; - MESA_htable_destroy(storage->hash_table, NULL); - - storage->hash_table=_create_mesa_htable(); - temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param)); - pthread_rwlock_wrlock(&(storage->rwlock)); - X509_STORE_free(storage->effective_store); - storage->effective_store=temp_store; - pthread_rwlock_unlock(&(storage->rwlock)); - return; + storage->temp_table = _create_mesa_htable(); + storage->temp_store = _X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param)); + storage->status = UPDATING; + TFE_LOG_DEBUG(g_default_logger, "reset effective store %p, create temp store %p", storage->effective_store, storage->temp_store); + pthread_rwlock_unlock(&(storage->rwlock)); } + +void ssl_trusted_cert_storage_reset_finish(struct ssl_trusted_cert_storage *storage) +{ + pthread_rwlock_wrlock(&(storage->rwlock)); + MESA_htable_destroy(storage->hash_table, NULL); + X509_STORE_free(storage->effective_store); + storage->effective_store = storage->temp_store; + storage->hash_table = storage->temp_table; + storage->temp_table = NULL; + storage->temp_store = NULL; + storage->status = STABLE; + TFE_LOG_DEBUG(g_default_logger, "change temp store to effective store %p", storage->effective_store); + pthread_rwlock_unlock(&(storage->rwlock)); +} + static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { int err=0, ret=0; diff --git a/plugin/business/pangu-http/src/pangu_http.cpp b/plugin/business/pangu-http/src/pangu_http.cpp index 17b7f17..058fa8e 100644 --- a/plugin/business/pangu-http/src/pangu_http.cpp +++ b/plugin/business/pangu-http/src/pangu_http.cpp 
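Review bot: As this hunk renders, the rewritten body of `ssl_trusted_cert_storage_reset` assigns `temp_table`, `temp_store` and `status` and then calls `pthread_rwlock_unlock` with no matching `pthread_rwlock_wrlock` (the old one is shown as removed); the visible line count is one short of the `@@` header so a line may have been lost in rendering, but if not, add `pthread_rwlock_wrlock(&(storage->rwlock));` as the first statement, since unlocking an rwlock the thread does not hold is undefined behaviour and the three writes otherwise race with `add`/`del`, which do take the write lock. `ssl_trusted_cert_storage_reset_finish` needs a state guard: entered while `status == STABLE` (a finish without a reset, or a second finish) it frees the live `effective_store` and installs `temp_store`, which is NULL at that point, so after taking the lock add `if (storage->status != UPDATING) { pthread_rwlock_unlock(&(storage->rwlock)); return; }`. Likewise a `reset` entered again while already UPDATING overwrites `temp_table`/`temp_store` and leaks the previous pair together with whatever was added to it; either release them first or refuse the second reset.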
@@ -288,7 +288,8 @@ void trusted_CA_update_finish_cb(void* u_para)
 g_pangu_rt->ca_store_reseting--;
 if(g_pangu_rt->ca_store_reseting==0)
 {
- TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Finish.");
+ tfe_proxy_ssl_reset_trust_ca_finish();
+ TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Finish.");
 }
 }
 }
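Review bot: `tfe_proxy_ssl_reset_trust_ca_finish()` is now invoked when `ca_store_reseting` reaches zero, but nothing in the hunk shows the decrement and comparison being serialised; if `trusted_CA_update_finish_cb` can run on more than one thread, two callbacks can both see a non-zero count and the finish is never issued, or the counter itself is corrupted, so either confirm the callback is single-threaded (a comment to that effect would help) or protect the counter. The pairing also deserves a check: per `ssl_trusted_cert_storage_reset_finish` in this change, a finish without a preceding `tfe_proxy_ssl_reset_trust_ca()` frees the live CA store and installs a NULL one, so the counter should only be armed by the code path that issues the reset. `trusted_CA_update_finish_cb` begins outside the hunk.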