MINOR: Add TLS ticket keys reference and use it in the listener struct
Within the listener struct we need to use a reference to the TLS
ticket keys which binds the actual keys with the filename. This will
make it possible to update the keys through the socket
Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
diff --git a/include/types/listener.h b/include/types/listener.h
index 142e845..895cd00 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -132,8 +132,7 @@
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards sorted by name */
- struct tls_sess_key *tls_ticket_keys; /* TLS ticket keys */
- int tls_ticket_enc_index; /* array index of the key to use for encryption */
+ struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
#endif
int is_ssl; /* SSL is required for these listeners */
unsigned long bind_proc; /* bitmask of processes allowed to use these listeners */
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index d769acd..4642124 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -38,4 +38,12 @@
unsigned char hmac_key[16];
} __attribute__((packed));
+struct tls_keys_ref {
+ struct list list; /* Used to chain refs. */
+ char *filename;
+ int unique_id; /* Each pattern reference have unique id. */
+ struct tls_sess_key *tlskeys;
+ int tls_ticket_enc_index;
+};
+
#endif /* _TYPES_SSL_SOCK_H */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 09b7247..b96a271 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -7996,7 +7996,11 @@
free(bind_conf->ciphers);
free(bind_conf->ecdhe);
free(bind_conf->crl_file);
- free(bind_conf->tls_ticket_keys);
+ if(bind_conf->keys_ref) {
+ free(bind_conf->keys_ref->filename);
+ free(bind_conf->keys_ref->tlskeys);
+ free(bind_conf->keys_ref);
+ }
#endif /* USE_OPENSSL */
}
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6cfdc73..145b8a9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -406,8 +406,8 @@
int i;
conn = (struct connection *)SSL_get_app_data(s);
- keys = objt_listener(conn->target)->bind_conf->tls_ticket_keys;
- head = objt_listener(conn->target)->bind_conf->tls_ticket_enc_index;
+ keys = objt_listener(conn->target)->bind_conf->keys_ref->tlskeys;
+ head = objt_listener(conn->target)->bind_conf->keys_ref->tls_ticket_enc_index;
if (enc) {
memcpy(key_name, keys[head].name, 16);
@@ -1783,7 +1783,7 @@
}
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
- if(bind_conf->tls_ticket_keys) {
+ if(bind_conf->keys_ref) {
if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
Alert("Proxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
@@ -4332,6 +4332,7 @@
FILE *f;
int i = 0;
char thisline[LINESIZE];
+ struct tls_keys_ref *keys_ref;
if (!*args[cur_arg + 1]) {
if (err)
@@ -4339,7 +4340,8 @@
return ERR_ALERT | ERR_FATAL;
}
- conf->tls_ticket_keys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
+ keys_ref = malloc(sizeof(struct tls_keys_ref));
+ keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
if (err)
@@ -4347,6 +4349,8 @@
return ERR_ALERT | ERR_FATAL;
}
+ keys_ref->filename = strdup(args[cur_arg + 1]);
+
while (fgets(thisline, sizeof(thisline), f) != NULL) {
int len = strlen(thisline);
/* Strip newline characters from the end */
@@ -4356,7 +4360,7 @@
if(thisline[len - 1] == '\r')
thisline[--len] = 0;
- if (base64dec(thisline, len, (char *) (conf->tls_ticket_keys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
+ if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
if (err)
memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
return ERR_ALERT | ERR_FATAL;
@@ -4374,7 +4378,8 @@
/* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
i-=2;
- conf->tls_ticket_enc_index = i < 0 ? 0 : i;
+ keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+ conf->keys_ref = keys_ref;
return 0;
#else