MINOR: Add TLS ticket keys reference and use it in the listener struct

Within the listener struct we need to use a reference to the TLS
ticket keys which binds the actual keys with the filename. This will
make it possible to update the keys through the socket

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>

diff --git a/include/types/listener.h b/include/types/listener.h
index 142e845695554c08748da94b590118b87305d037..895cd00e0991adc66b7c437e646f185527bb0a7e 100644 (file)
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -132,8 +132,7 @@ struct bind_conf {
        int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
        struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
        struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
-       struct tls_sess_key *tls_ticket_keys; /* TLS ticket keys */
-       int tls_ticket_enc_index;  /* array index of the key to use for encryption */
+       struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
 #endif
        int is_ssl;                /* SSL is required for these listeners */
        unsigned long bind_proc;   /* bitmask of processes allowed to use these listeners */

diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index d769acd025267965e04a39728558cd1f552d21f0..46421249a9d2c69df044843bb6888e9789c71356 100644 (file)
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -38,4 +38,12 @@ struct tls_sess_key {
        unsigned char hmac_key[16];
 } __attribute__((packed));
 
+struct tls_keys_ref {
+       struct list list; /* Used to chain refs. */
+       char *filename;
+       int unique_id; /* Each pattern reference have unique id. */
+       struct tls_sess_key *tlskeys;
+       int tls_ticket_enc_index;
+};
+
 #endif /* _TYPES_SSL_SOCK_H */

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 09b7247e9988e71b1506d346f5e50ea150f4fb10..b96a27199bf41fdad85fb4a3e0bc755dd3d500ee 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -7996,7 +7996,11 @@ out_uri_auth_compat:
                        free(bind_conf->ciphers);
                        free(bind_conf->ecdhe);
                        free(bind_conf->crl_file);
-                       free(bind_conf->tls_ticket_keys);
+                       if(bind_conf->keys_ref) {
+                               free(bind_conf->keys_ref->filename);
+                               free(bind_conf->keys_ref->tlskeys);
+                               free(bind_conf->keys_ref);
+                       }
 #endif /* USE_OPENSSL */
                }
 

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6cfdc73f1d831fccd34bbf3c97b037497a1ba366..145b8a95c9ba43600f3e1be32ef492e4eb8231d2 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -406,8 +406,8 @@ static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned
        int i;
 
        conn = (struct connection *)SSL_get_app_data(s);
-       keys = objt_listener(conn->target)->bind_conf->tls_ticket_keys;
-       head = objt_listener(conn->target)->bind_conf->tls_ticket_enc_index;
+       keys = objt_listener(conn->target)->bind_conf->keys_ref->tlskeys;
+       head = objt_listener(conn->target)->bind_conf->keys_ref->tls_ticket_enc_index;
 
        if (enc) {
                memcpy(key_name, keys[head].name, 16);
@@ -1783,7 +1783,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
        }
 
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-       if(bind_conf->tls_ticket_keys) {
+       if(bind_conf->keys_ref) {
                if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
                        Alert("Proxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
                                curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
@@ -4332,6 +4332,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
        FILE *f;
        int i = 0;
        char thisline[LINESIZE];
+       struct tls_keys_ref *keys_ref;
 
        if (!*args[cur_arg + 1]) {
                if (err)
@@ -4339,7 +4340,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
                return ERR_ALERT | ERR_FATAL;
        }
 
-       conf->tls_ticket_keys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
+       keys_ref = malloc(sizeof(struct tls_keys_ref));
+       keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
 
        if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
                if (err)
@@ -4347,6 +4349,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
                return ERR_ALERT | ERR_FATAL;
        }
 
+       keys_ref->filename = strdup(args[cur_arg + 1]);
+
        while (fgets(thisline, sizeof(thisline), f) != NULL) {
                int len = strlen(thisline);
                /* Strip newline characters from the end */
@@ -4356,7 +4360,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
                if(thisline[len - 1] == '\r')
                        thisline[--len] = 0;
 
-               if (base64dec(thisline, len, (char *) (conf->tls_ticket_keys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
+               if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
                        if (err)
                                memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
                        return ERR_ALERT | ERR_FATAL;
@@ -4374,7 +4378,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 
        /* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
        i-=2;
-       conf->tls_ticket_enc_index = i < 0 ? 0 : i;
+       keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+       conf->keys_ref = keys_ref;
 
        return 0;
 #else