MINOR: Add TLS ticket keys reference and use it in the listener struct

Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic <[email protected]>
dddrecall · May 16, 2015 · 146defa · 146defa
1 parent 449f952
commit 146defa
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 9 deletions.
diff --git a/include/types/listener.h b/include/types/listener.h
@@ -132,8 +132,7 @@ struct bind_conf {
 	int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
 	struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
 	struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
-	struct tls_sess_key *tls_ticket_keys; /* TLS ticket keys */
-	int tls_ticket_enc_index;  /* array index of the key to use for encryption */
+	struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
 #endif
 	int is_ssl;                /* SSL is required for these listeners */
 	unsigned long bind_proc;   /* bitmask of processes allowed to use these listeners */

diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
@@ -38,4 +38,12 @@ struct tls_sess_key {
 	unsigned char hmac_key[16];
 } __attribute__((packed));
 
+struct tls_keys_ref {
+	struct list list; /* Used to chain refs. */
+	char *filename;
+	int unique_id; /* Each pattern reference have unique id. */
+	struct tls_sess_key *tlskeys;
+	int tls_ticket_enc_index;
+};
+
 #endif /* _TYPES_SSL_SOCK_H */
diff --git a/src/cfgparse.c b/src/cfgparse.c
@@ -7996,7 +7996,11 @@ int check_config_validity()
 			free(bind_conf->ciphers);
 			free(bind_conf->ecdhe);
 			free(bind_conf->crl_file);
-			free(bind_conf->tls_ticket_keys);
+			if(bind_conf->keys_ref) {
+				free(bind_conf->keys_ref->filename);
+				free(bind_conf->keys_ref->tlskeys);
+				free(bind_conf->keys_ref);
+			}
 #endif /* USE_OPENSSL */
 		}
 

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
@@ -406,8 +406,8 @@ static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned
 	int i;
 
 	conn = (struct connection *)SSL_get_app_data(s);
-	keys = objt_listener(conn->target)->bind_conf->tls_ticket_keys;
-	head = objt_listener(conn->target)->bind_conf->tls_ticket_enc_index;
+	keys = objt_listener(conn->target)->bind_conf->keys_ref->tlskeys;
+	head = objt_listener(conn->target)->bind_conf->keys_ref->tls_ticket_enc_index;
 
 	if (enc) {
 		memcpy(key_name, keys[head].name, 16);
@@ -1783,7 +1783,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 	}
 
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-	if(bind_conf->tls_ticket_keys) {
+	if(bind_conf->keys_ref) {
 		if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
 			Alert("Proxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
 				curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
@@ -4332,21 +4332,25 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 	FILE *f;
 	int i = 0;
 	char thisline[LINESIZE];
+	struct tls_keys_ref *keys_ref;
 
 	if (!*args[cur_arg + 1]) {
 		if (err)
 			memprintf(err, "'%s' : missing TLS ticket keys file path", args[cur_arg]);
 		return ERR_ALERT | ERR_FATAL;
 	}
 
-	conf->tls_ticket_keys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
+	keys_ref = malloc(sizeof(struct tls_keys_ref));
+	keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
 
 	if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
 		if (err)
 			memprintf(err, "'%s' : unable to load ssl tickets keys file", args[cur_arg+1]);
 		return ERR_ALERT | ERR_FATAL;
 	}
 
+	keys_ref->filename = strdup(args[cur_arg + 1]);
+
 	while (fgets(thisline, sizeof(thisline), f) != NULL) {
 		int len = strlen(thisline);
 		/* Strip newline characters from the end */
@@ -4356,7 +4360,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 		if(thisline[len - 1] == '\r')
 			thisline[--len] = 0;
 
-		if (base64dec(thisline, len, (char *) (conf->tls_ticket_keys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
+		if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
 			if (err)
 				memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
 			return ERR_ALERT | ERR_FATAL;
@@ -4374,7 +4378,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 
 	/* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
 	i-=2;
-	conf->tls_ticket_enc_index = i < 0 ? 0 : i;
+	keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+	conf->keys_ref = keys_ref;
 
 	return 0;
 #else