From 2752b602c0e7d7b2aa8f5117fa1d2c536005a400 Mon Sep 17 00:00:00 2001
From: Gerardo Ganis
Date: Fri, 8 Dec 2017 15:34:44 +0100
Subject: [PATCH] secgsi: revert part of the patch w/ new sutcache

Use stack for proper cleaning of invalidated CRLs and CAs. Possible fix for #631.
---
 src/XrdSecgsi/XrdSecProtocolgsi.cc | 23 ++++++++++++++-------
 src/XrdSecgsi/XrdSecProtocolgsi.hh | 32 +++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
index 7b3ebedb9bd..eab40af561d 100644
--- a/src/XrdSecgsi/XrdSecProtocolgsi.cc
+++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -180,6 +180,10 @@ XrdSutCache XrdSecProtocolgsi::cacheAuthzFun; // Entities filled by AuthzFun (d
 // Services
 XrdOucGMap *XrdSecProtocolgsi::servGMap = 0; // Grid map service
 //
+// CA and CRL stacks
+GSIStack XrdSecProtocolgsi::stackCA; // Stack of CA in use
+GSIStack XrdSecProtocolgsi::stackCRL; // Stack of CRL in use
+//
 // GMAP control vars
 time_t XrdSecProtocolgsi::lastGMAPCheck = -1; // Time of last check
 XrdSysMutex XrdSecProtocolgsi::mutexGMAP; // Mutex to control GMAP reloads
@@ -4271,8 +4275,8 @@ int XrdSecProtocolgsi::GetCA(const char *cahash,
  // If invalid we fail
  if (cent->status == kCE_inactive) {
  // Cleanup and remove existing invalid entries
- if (chain) delete chain;
- if (crl) delete crl;
+ if (chain) stackCA.Del(chain);
+ if (crl) stackCRL.Del(crl);
  PRINT("unable to get a valid entry from cache for " << tag);
  return -1;
  }
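Review bot: After `stackCA.Del(chain)` and `stackCRL.Del(crl)` in the `kCE_inactive` branch, GetCA returns -1 with no visible reset of the cache entry, while the last hunk of this file shows that `cent->buf1.buf` and `cent->buf2.buf` are where the chain and CRL pointers are kept. If `chain` and `crl` were read from those fields (the assignment is outside the hunk) and Del released the objects, the entry would keep pointers to freed memory for the next lookup. Clearing them before the return, under whatever lock protects the entry, would make the release explicit: `cent->buf1.buf = 0; cent->buf2.buf = 0;`. GetCA starts and ends outside this hunk, so this needs checking against the code that fetches `cent`.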
@@ -4280,17 +4284,20 @@ int XrdSecProtocolgsi::GetCA(const char *cahash,
  // Check if we are done
  if (rdlock) {
  // Save chain
- chain = (X509Chain *)(cent->buf1.buf);
  if (hs) hs->Chain = chain;
+ stackCA.Add(chain);
  // Save crl
- if (crl && hs) hs->Crl = crl;
- // Done
+ if (crl) {
+ if (hs) hs->Crl = crl;
+ // Add to the stack for proper cleaning of invalidated CRLs
+ stackCRL.Add(crl);
+ }
  return 0;
  }
  // Cleanup and remove existing invalid entries
- if (chain) delete chain;
- if (crl) delete crl;
+ if (chain) stackCA.Del(chain);
+ if (crl) stackCRL.Del(crl);
  chain = 0;
  crl = 0;
@@ -4344,9 +4351,11 @@ int XrdSecProtocolgsi::GetCA(const char *cahash,
  // Add to the cache
  cent->buf1.buf = (char *)(chain);
  cent->buf1.len = 0; // Just a flag
+ stackCA.Add(chain);
  if (crl) {
  cent->buf2.buf = (char *)(crl);
  cent->buf2.len = 0; // Just a flag
+ stackCRL.Add(crl);
  }
  cent->mtime = timestamp;
  cent->status = kCE_ok;
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.hh b/src/XrdSecgsi/XrdSecProtocolgsi.hh
index cc139b9d4e4..05b9ce46e6c 100644
--- a/src/XrdSecgsi/XrdSecProtocolgsi.hh
+++ b/src/XrdSecgsi/XrdSecProtocolgsi.hh
@@ -234,6 +234,27 @@ typedef struct {
  int bits;
 } ProxyIn_t;
+template
+class GSIStack {
+public:
+ void Add(T *t) {
+ char k[40]; snprintf(k, 40, "%p", t);
+ mtx.Lock();
+ if (!stack.Find(k)) stack.Add(k, t, 0, Hash_count); // We need an additional count
+ stack.Add(k, t, 0, Hash_count);
+ mtx.UnLock();
+ }
+ void Del(T *t) {
+ char k[40]; snprintf(k, 40, "%p", t);
+ mtx.Lock();
+ if (stack.Find(k)) stack.Del(k, Hash_count);
+ mtx.UnLock();
+ }
+private:
+ XrdSysMutex mtx;
+ XrdOucHash stack;
+};
+
 /******************************************************************************/
 /* X r d S e c P r o t o c o l g s i C l a s s */
 /******************************************************************************/
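Review bot: In the `rdlock` branch `stackCA.Add(chain)` runs without the null check and without the `hs` check that the neighbouring lines apply, and `stackCRL.Add(crl)` also runs when `hs` is null. The only release on handshake cleanup visible in this patch is the `stackCRL.Del(Crl)` added in XrdSecProtocolgsi.hh, so a count taken for a call with no `hs` appears to have no holder that will drop it, and an invalidated CA or CRL would then never be freed. Tying the count to the handover keeps Add and Del paired: `if (hs) { hs->Chain = chain; if (chain) stackCA.Add(chain); }` and `if (crl && hs) { hs->Crl = crl; stackCRL.Add(crl); }`. GetCA begins and ends outside the hunk, so whether any caller passes a null `hs` on this path is not visible here.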
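Review bot: GSIStack carries no comment stating its counting contract, although the lifetime of the CA chains and CRLs used during authentication now depends on it. `Add` registers a new pointer twice (the `// We need an additional count` line), `Del` acts only on pointers it finds and silently ignores any other, and the actual deletion is left to `XrdOucHash` with `Hash_count`; a caller that gets the pairing wrong either leaks the object or frees one that is still in use. I would add a class comment such as `// Reference-counted registry keyed by pointer value: every Add() must be matched by exactly one Del(); the first Add() takes one extra count for the cache's own reference; Del() on an unregistered pointer is a no-op`, after confirming the extra-count reading against XrdOucHash.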
@@ -338,6 +359,10 @@ private:
  // Services
  static XrdOucGMap *servGMap; // Grid mapping service
  //
+ // CA and CRL stacks
+ static GSIStack stackCA; // Stack of CA in use
+ static GSIStack stackCRL; // Stack of CRL in use
+ //
  // GMAP control vars
  static time_t lastGMAPCheck; // time of last check on GMAP
  static XrdSysMutex mutexGMAP; // mutex to control GMAP reloads
@@ -486,7 +511,12 @@ public:
  if (Chain) Chain->Cleanup(1);
  SafeDelete(Chain);
  }
- Crl = 0;
+ if (Crl) {
+ // This decreases the counter and actually deletes the object only
+ // when no instance is using it
+ XrdSecProtocolgsi::stackCRL.Del(Crl);
+ Crl = 0;
+ }
  // The proxy chain is owned by the proxy cache; invalid proxies are
  // detected (and eventually removed) by QueryProxy
  PxyChain = 0;
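Review bot: `Chain` gets no matching `stackCA.Del` in the visible lines of the second hunk here, although GetCA in XrdSecProtocolgsi.cc now calls `stackCA.Add(chain)` when it hands the cached chain to `hs->Chain`; only `Crl` is released through its stack. The context lines still call `SafeDelete(Chain)` inside a block whose condition is outside the hunk, so it looks as if either the CA count is never dropped when a handshake ends or a chain still registered in `stackCA` is deleted directly. For the path where the chain is not deleted here, mirroring the CRL handling would keep the count balanced: `if (Chain) { XrdSecProtocolgsi::stackCA.Del(Chain); Chain = 0; }`. The enclosing function starts and ends outside the hunk.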