Within the listener's bind_conf struct we need to use a reference to the TLS ticket keys, which binds the actual keys to the filename they were loaded from. This will make it possible to update the keys through the socket.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
 include/types/listener.h | 3 +--
 include/types/ssl_sock.h | 8 ++++++++
 src/cfgparse.c | 6 +++++-
 src/ssl_sock.c | 17 +++++++++++------
 4 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/include/types/listener.h b/include/types/listener.h
index 142e845..895cd00 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -132,8 +132,7 @@ struct bind_conf {
 int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
 struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
 struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards sorted by name */
- struct tls_sess_key *tls_ticket_keys; /* TLS ticket keys */
- int tls_ticket_enc_index; /* array index of the key to use for encryption */
+ struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
 #endif
 int is_ssl; /* SSL is required for these listeners */
 unsigned long bind_proc; /* bitmask of processes allowed to use these listeners */
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index d769acd..4642124 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -38,4 +38,12 @@ struct tls_sess_key {
 unsigned char hmac_key[16];
 } __attribute__((packed));
 
+struct tls_keys_ref {
+ struct list list; /* Used to chain refs. */
+ char *filename;
+ int unique_id; /* Each pattern reference have unique id. */
+ struct tls_sess_key *tlskeys;
+ int tls_ticket_enc_index;
+};
+
 #endif /* _TYPES_SSL_SOCK_H */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 8578bc5..e543dd8 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -7762,7 +7762,11 @@ out_uri_auth_compat:
 free(bind_conf->ciphers);
 free(bind_conf->ecdhe);
 free(bind_conf->crl_file);
- free(bind_conf->tls_ticket_keys);
+ if(bind_conf->keys_ref) {
+ free(bind_conf->keys_ref->filename);
+ free(bind_conf->keys_ref->tlskeys);
+ free(bind_conf->keys_ref);
+ }
 #endif /* USE_OPENSSL */
 }
 
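Review bot: The comment on `unique_id` in the new `struct tls_keys_ref` was carried over from the pattern-reference code and does not describe this struct; `/* Each pattern reference have unique id. */` should read `/* Unique id of this key-file reference. */`. `filename` and `tlskeys` carry no comment at all, and since this struct is the handle a later socket-update path will work with, one line each would help: `/* path the keys were loaded from, as given in the config */` and `/* TLS_TICKETS_NO keys; tls_ticket_enc_index selects the one used for encryption */`. None of the hunks in this patch assign `list` or `unique_id`, so the comments are currently the only statement of what a reader should expect in them.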
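Review bot: `free(bind_conf->keys_ref->tlskeys)` in the new cleanup hands the AES and HMAC ticket keys back to the allocator without clearing them, so the secret bytes remain readable in freed heap memory (and in any core dump) until the chunk is reused; the old `free(bind_conf->tls_ticket_keys)` had the same gap, but this rewrite is the natural place to close it. Wipe the array before releasing it, e.g. `memset(bind_conf->keys_ref->tlskeys, 0, TLS_TICKETS_NO * sizeof(struct tls_sess_key));` (assuming the macro is visible in this file), and prefer whatever explicit-clear helper the tree provides if one exists, since a plain memset immediately before free may be elided by the compiler. The enclosing cleanup loop starts outside the hunk.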
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index eb1d88c..2029298 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -406,8 +406,8 @@ static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned
 int i;
 
 conn = (struct connection *)SSL_get_app_data(s);
- keys = objt_listener(conn->target)->bind_conf->tls_ticket_keys;
- head = objt_listener(conn->target)->bind_conf->tls_ticket_enc_index;
+ keys = objt_listener(conn->target)->bind_conf->keys_ref->tlskeys;
+ head = objt_listener(conn->target)->bind_conf->keys_ref->tls_ticket_enc_index;
 
 if (enc) {
 memcpy(key_name, keys[head].name, 16);
@@ -1783,7 +1783,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 }
 
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
- if(bind_conf->tls_ticket_keys) {
+ if(bind_conf->keys_ref) {
 if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
 Alert("Proxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
 curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
@@ -4359,6 +4359,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 FILE *f;
 int i = 0;
 char thisline[LINESIZE];
+ struct tls_keys_ref *keys_ref;
 
 if (!*args[cur_arg + 1]) {
 if (err)
@@ -4366,7 +4367,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 return ERR_ALERT | ERR_FATAL;
 }
 
- conf->tls_ticket_keys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
+ keys_ref = malloc(sizeof(struct tls_keys_ref));
+ keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
 
 if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
 if (err)
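Review bot: The two new lines in the ticket callback dereference `bind_conf->keys_ref` unconditionally on every ticket encrypt/decrypt; that is safe today only because the callback is installed solely when `keys_ref` is non-NULL (the @1783 hunk), so whatever socket-side update path is built on top of this must replace the keys in place and never NULL out or free `keys_ref` while a context still has the callback set. Also, `keys` and `head` are read separately here, so an updater that swaps `tlskeys` and `tls_ticket_enc_index` must keep them consistent with each other at every point a callback can observe them; with one process per listener this is likely fine, but a comment stating the invariant would help the next change, e.g. `/* keys_ref is never NULL once the callback is installed; updaters must keep tlskeys and tls_ticket_enc_index consistent */`. The callback's body continues outside the hunk.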
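Review bot: `keys_ref = malloc(sizeof(struct tls_keys_ref));` leaves `list` and `unique_id` holding whatever the allocator returned, and no hunk in this patch assigns them, so the first consumer that walks the list or compares ids (the socket update path the commit message announces) will read indeterminate values; allocating with `keys_ref = calloc(1, sizeof(*keys_ref));` and initialising the list head explicitly avoids that. Neither this allocation nor the one on the next line is checked for NULL before `keys_ref->tlskeys` is written, and a failed first malloc is now a NULL-pointer write at parse time rather than the later fault the old single allocation would have produced. `if (!keys_ref || !(keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key)))) return ERR_ALERT | ERR_FATAL;` with the usual `memprintf(err, ...)` keeps it consistent with the other fatal paths in this function. bind_parse_tls_ticket_keys continues on both sides of the hunk.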
@@ -4374,6 +4376,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 return ERR_ALERT | ERR_FATAL;
 }
 
+ keys_ref->filename = strdup(args[cur_arg + 1]);
+
 while (fgets(thisline, sizeof(thisline), f) != NULL) {
 int len = strlen(thisline);
 /* Strip newline characters from the end */
@@ -4383,7 +4387,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 if(thisline[len - 1] == '\r')
 thisline[--len] = 0;
 
- if (base64dec(thisline, len, (char *) (conf->tls_ticket_keys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
+ if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
 if (err)
 memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
 return ERR_ALERT | ERR_FATAL;
@@ -4401,7 +4405,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 
 /* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
 i-=2;
- conf->tls_ticket_enc_index = i < 0 ? 0 : i;
+ keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+ conf->keys_ref = keys_ref;
 
 return 0;
 #else
-- 
2.1.4
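Review bot: `keys_ref->filename = strdup(args[cur_arg + 1]);` does not check the strdup result, so an allocation failure here becomes a NULL `filename` that the cfgparse cleanup frees harmlessly but any later reload would dereference; `if (!keys_ref->filename) { fclose(f); return ERR_ALERT | ERR_FATAL; }` matches the fatal handling used elsewhere in this function (the file is open at this point, since the fopen check precedes the hunk). Separately, the path is stored exactly as written in the configuration; if the intent is to reopen it later through the socket, a relative name will be resolved against whatever working directory or chroot is in effect at that time rather than at parse time — that is an inference from the commit message, not something the hunk shows, but it is worth either resolving the path now or noting it on the field. bind_parse_tls_ticket_keys continues outside the hunk on both sides.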