Automatically check for updates in secure context
Signed-off-by: Gavin Halliday <gavin.halliday@lexisnexis.com>
ghalliday committed Oct 13, 2023
1 parent 19b47ed commit d1682e4
Showing 1 changed file with 43 additions and 6 deletions.
49 changes: 43 additions & 6 deletions system/security/securesocket/securesocket.cpp
Expand Up @@ -1271,6 +1271,7 @@ static bool setVerifyCertsPEMBuffer(SSL_CTX *ctx, const char *caCertBuf, int caC
class CSecureSocketContext : public CInterfaceOf<ISecureSocketContext>
{
private:
SecureSocketType sockettype;
OwnedSSLCTX m_ctx;
#if (OPENSSL_VERSION_NUMBER > 0x00909000L)
const SSL_METHOD* m_meth = nullptr;
Expand All @@ -1282,6 +1283,9 @@ class CSecureSocketContext : public CInterfaceOf<ISecureSocketContext>
bool m_address_match = false;
Owned<CStringSet> m_peers;
StringAttr password;
CriticalSection cs;
Owned<const ISyncedPropertyTree> syncedConfig;
unsigned configVersion = 0;

void setSessionIdContext()
{
Expand Down Expand Up @@ -1352,8 +1356,7 @@ class CSecureSocketContext : public CInterfaceOf<ISecureSocketContext>
throw makeStringExceptionV(-1, "Error loading CA certificates from %s", caCertsPathOrBuf);
}

public:
CSecureSocketContext(const IPropertyTree* config, SecureSocketType sockettype)
void createNewContext(const IPropertyTree* config)
{
initContext(sockettype);

Expand Down Expand Up @@ -1444,13 +1447,49 @@ class CSecureSocketContext : public CInterfaceOf<ISecureSocketContext>
SSL_CTX_set_mode(m_ctx, SSL_CTX_get_mode(m_ctx) | SSL_MODE_AUTO_RETRY);
}

void checkForUpdatedContext()
{
//Check if a new context should be created - it must be called within a critical section
if (syncedConfig)
{
unsigned activeVersion = syncedConfig->getVersion();
if (activeVersion != configVersion)
{
configVersion = activeVersion;
Owned<const IPropertyTree> config = syncedConfig->getTree();
createNewContext(config);
}
}
}

public:
CSecureSocketContext(const IPropertyTree* config, SecureSocketType _sockettype) : sockettype(_sockettype)
{
createNewContext(config);
}

CSecureSocketContext(const ISyncedPropertyTree* _syncedConfig, SecureSocketType _sockettype) : syncedConfig(_syncedConfig), sockettype(_sockettype)
{
Owned<const IPropertyTree> config;
if (syncedConfig)
{
configVersion = syncedConfig->getVersion();
config.setown(syncedConfig->getTree());
}
createNewContext(config);
}

ISecureSocket* createSecureSocket(ISocket* sock, int loglevel, const char *fqdn)
{
CriticalBlock block(cs);
checkForUpdatedContext();
return new CSecureSocket(sock, m_ctx, m_verify, m_address_match, m_peers, loglevel, fqdn);
}

ISecureSocket* createSecureSocket(int sockfd, int loglevel, const char *fqdn)
{
CriticalBlock block(cs);
checkForUpdatedContext();
return new CSecureSocket(sockfd, m_ctx, m_verify, m_address_match, m_peers, loglevel, fqdn);
}
};
Expand Down Expand Up @@ -1939,14 +1978,12 @@ extern "C" {

SECURESOCKET_API ISecureSocketContext* createSecureSocketContext(SecureSocketType sockettype)
{
return new securesocket::CSecureSocketContext(nullptr, sockettype);
return new securesocket::CSecureSocketContext((ISyncedPropertyTree *)nullptr, sockettype);
}

SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSynced(const ISyncedPropertyTree * config, SecureSocketType sockettype)
{
//Temporary workaround - change the implementation of CSecureSocketContext to only take an ISyncedPropertyTree instead
Owned<const IPropertyTree> configTree(config ? config->getTree() : nullptr);
return new securesocket::CSecureSocketContext(configTree, sockettype);
return new securesocket::CSecureSocketContext(config, sockettype);
}


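Review bot: checkForUpdatedContext stores `configVersion = activeVersion;` before `createNewContext(config);` runs, so if the rebuild throws (the certificate-loading helper shown earlier in this section throws `Error loading CA certificates`, and createNewContext appears to go through that path) the failed version is recorded as applied and is never retried, while m_ctx may already have been replaced by initContext with a context that did not finish receiving its CA/verify settings. Moving the assignment after the call — `Owned<const IPropertyTree> config = syncedConfig->getTree(); createNewContext(config); configVersion = activeVersion;` — makes the next createSecureSocket call retry the reload; whether a partially configured m_ctx can be handed to new CSecureSocket instances in the meantime depends on initContext and CSecureSocket, both outside this hunk, and is worth confirming. Separately, `syncedConfig(_syncedConfig)` in the second constructor hands a pointer that createSecureSocketContextSynced only receives from its caller to an Owned<>, which (if Owned keeps its usual take-ownership, no-link semantics) will release a reference the caller never transferred; `Linked<const ISyncedPropertyTree> syncedConfig;` or `syncedConfig.set(_syncedConfig);` is the safer form unless the API is documented as transferring ownership. The same initializer list is also written in reverse declaration order (`sockettype` is declared before `syncedConfig`), which -Wreorder will flag. The CSecureSocketContext class header and the helpers called by createNewContext lie outside the hunks shown.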
