Within the listener struct we need to use a reference to the TLS
ticket keys which binds the actual keys with the filename. This will
make it possible to update the keys through the socket
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
include/types/listener.h | 3 +--
include/types/ssl_sock.h | 8 ++++++++
src/cfgparse.c | 6 +++++-
src/ssl_sock.c | 17 +++++++++++------
4 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/include/types/listener.h b/include/types/listener.h
index 142e845..895cd00 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -132,8 +132,7 @@ struct bind_conf {
int strict_sni; /* refuse negotiation if sni doesn't match a
certificate */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs
full-names sorted by name */
struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards
sorted by name */
- struct tls_sess_key *tls_ticket_keys; /* TLS ticket keys */
- int tls_ticket_enc_index; /* array index of the key to use for
encryption */
+ struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
#endif
int is_ssl; /* SSL is required for these listeners */
unsigned long bind_proc; /* bitmask of processes allowed to use these
listeners */
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index d769acd..4642124 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -38,4 +38,12 @@ struct tls_sess_key {
unsigned char hmac_key[16];
} __attribute__((packed));
+struct tls_keys_ref {
+ struct list list; /* Used to chain refs. */
+ char *filename;
+ int unique_id; /* Each pattern reference have unique id. */
+ struct tls_sess_key *tlskeys;
+ int tls_ticket_enc_index;
+};
+
#endif /* _TYPES_SSL_SOCK_H */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 8578bc5..e543dd8 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -7762,7 +7762,11 @@ out_uri_auth_compat:
free(bind_conf->ciphers);
free(bind_conf->ecdhe);
free(bind_conf->crl_file);
- free(bind_conf->tls_ticket_keys);
+ if(bind_conf->keys_ref) {
+ free(bind_conf->keys_ref->filename);
+ free(bind_conf->keys_ref->tlskeys);
+ free(bind_conf->keys_ref);
+ }
#endif /* USE_OPENSSL */
}
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index eb1d88c..2029298 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -406,8 +406,8 @@ static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char
key_name[16], unsigned
int i;
conn = (struct connection *)SSL_get_app_data(s);
- keys = objt_listener(conn->target)->bind_conf->tls_ticket_keys;
- head = objt_listener(conn->target)->bind_conf->tls_ticket_enc_index;
+ keys = objt_listener(conn->target)->bind_conf->keys_ref->tlskeys;
+ head =
objt_listener(conn->target)->bind_conf->keys_ref->tls_ticket_enc_index;
if (enc) {
memcpy(key_name, keys[head].name, 16);
@@ -1783,7 +1783,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf,
SSL_CTX *ctx, struct proxy
}
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
- if(bind_conf->tls_ticket_keys) {
+ if(bind_conf->keys_ref) {
if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx,
ssl_tlsext_ticket_key_cb)) {
Alert("Proxy '%s': unable to set callback for TLS
ticket validation for bind '%s' at [%s:%d].\n",
curproxy->id, bind_conf->arg, bind_conf->file,
bind_conf->line);
@@ -4359,6 +4359,7 @@ static int bind_parse_tls_ticket_keys(char **args, int
cur_arg, struct proxy *px
FILE *f;
int i = 0;
char thisline[LINESIZE];
+ struct tls_keys_ref *keys_ref;
if (!*args[cur_arg + 1]) {
if (err)
@@ -4366,7 +4367,8 @@ static int bind_parse_tls_ticket_keys(char **args, int
cur_arg, struct proxy *px
return ERR_ALERT | ERR_FATAL;
}
- conf->tls_ticket_keys = malloc(TLS_TICKETS_NO * sizeof(struct
tls_sess_key));
+ keys_ref = malloc(sizeof(struct tls_keys_ref));
+ keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct
tls_sess_key));
if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
if (err)
@@ -4374,6 +4376,8 @@ static int bind_parse_tls_ticket_keys(char **args, int
cur_arg, struct proxy *px
return ERR_ALERT | ERR_FATAL;
}
+ keys_ref->filename = strdup(args[cur_arg + 1]);
+
while (fgets(thisline, sizeof(thisline), f) != NULL) {
int len = strlen(thisline);
/* Strip newline characters from the end */
@@ -4383,7 +4387,7 @@ static int bind_parse_tls_ticket_keys(char **args, int
cur_arg, struct proxy *px
if(thisline[len - 1] == '\r')
thisline[--len] = 0;
- if (base64dec(thisline, len, (char *) (conf->tls_ticket_keys +
i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct
tls_sess_key)) {
+ if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i %
TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
if (err)
memprintf(err, "'%s' : unable to decode base64
key on line %d", args[cur_arg+1], i + 1);
return ERR_ALERT | ERR_FATAL;
@@ -4401,7 +4405,8 @@ static int bind_parse_tls_ticket_keys(char **args, int
cur_arg, struct proxy *px
/* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
i-=2;
- conf->tls_ticket_enc_index = i < 0 ? 0 : i;
+ keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+ conf->keys_ref = keys_ref;
return 0;
#else
--
2.1.4
