From: Grigorii Demidov Date: Tue, 22 May 2018 08:21:19 +0000 (+0200) Subject: daemon/bindings: import tls session ticket key salt from file X-Git-Tag: v2.4.0~24^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6988c7c2fbfb113e0630121c93411a90eda0bf4b;p=thirdparty%2Fknot-resolver.git daemon/bindings: import tls session ticket key salt from file --- diff --git a/daemon/bindings.c b/daemon/bindings.c index dee24804a..e1ca117e7 100644 --- a/daemon/bindings.c +++ b/daemon/bindings.c @@ -660,7 +660,7 @@ static int net_tls_sticket_key_salt_string(lua_State *L) { if (lua_gettop(L) != 1 || !lua_isstring(L, 1)) { - lua_pushstring(L, "net.tls_client_sticket takes one parameter: (\"salt string\")"); + lua_pushstring(L, "net.tls_sticket_salt_string takes one parameter: (\"salt string\")"); lua_error(L); } @@ -675,7 +675,7 @@ static int net_tls_sticket_key_salt_string(lua_State *L) if (salt_len) { net->tls_session_ticket_ctx = tls_session_ticket_ctx_create(net->loop, salt, salt_len); if (net->tls_session_ticket_ctx == NULL) { - lua_pushstring(L, "net.tls_client_sticket - can't create session ticket context"); + lua_pushstring(L, "net.tls_sticket_salt_string - can't create session ticket context"); lua_error(L); } } @@ -684,6 +684,75 @@ static int net_tls_sticket_key_salt_string(lua_State *L) return 1; } +/* Configure client-side TLS session ticket key generation. + * + * note Don't call from CLI when there are forked kresd instances as it + * will break synchronous ticket key regeneration. + * + * Expected parameters from lua + * file text file containing salt string. + * If file is empty, resolver won't use session tickets at server side + * and therefore won't support session resumption. + */ + +static int net_tls_sticket_key_salt_file(lua_State *L) +{ + + if (lua_gettop(L) != 1 || !lua_isstring(L, 1)) { + lua_pushstring(L, "net.tls_sticket_salt_file takes one parameter: (\"file name\")"); + lua_error(L); + } + + struct engine *engine = engine_luaget(L); + struct network *net = &engine->net; + + const char *file_name = lua_tostring(L, 1); + if (strlen(file_name) == 0) { + lua_pushstring(L, "net.tls_sticket_salt_file - empty file name"); + lua_error(L); + } + + FILE *fp = fopen(file_name, "r"); + if (fp == NULL) { + lua_pushstring(L, "net.tls_sticket_salt_file - can't open file '"); + lua_pushstring(L, file_name); + lua_pushstring(L, "' ("); + lua_pushstring(L, strerror(errno)); + lua_pushstring(L, ")"); + lua_concat(L, 5); + lua_error(L); + } + + char *salt = NULL; + size_t salt_buf_len = 0; + /* getline() also reads newline characters, if any. */ + ssize_t salt_len = getline(&salt, &salt_buf_len, fp); + if (salt_len < 0) { + lua_pushstring(L, "net.tls_sticket_salt_file - error reading from '"); + lua_pushstring(L, file_name); + lua_pushstring(L, "' ("); + lua_pushstring(L, strerror(errno)); + lua_pushstring(L, ")"); + lua_concat(L, 5); + lua_error(L); + } + if (net->tls_session_ticket_ctx != NULL) { + tls_session_ticket_ctx_destroy(net->tls_session_ticket_ctx); + net->tls_session_ticket_ctx = NULL; + } + if (salt_len > 0) { + net->tls_session_ticket_ctx = tls_session_ticket_ctx_create(net->loop, salt, salt_len); + if (net->tls_session_ticket_ctx == NULL) { + lua_pushstring(L, "net.tls_sticket_salt_file - can't create session ticket context"); + lua_error(L); + } + } + free(salt); + fclose(fp); + lua_pushboolean(L, true); + return 1; +} + static int net_outgoing(lua_State *L, int family) { struct worker_ctx *worker = wrk_luaget(L); @@ -755,6 +824,7 @@ int lib_net(lua_State *L) { "tls_client", net_tls_client }, { "tls_padding", net_tls_padding }, { "tls_sticket_salt_string", net_tls_sticket_key_salt_string }, + { "tls_sticket_salt_file", net_tls_sticket_key_salt_file }, { "outgoing_v4", net_outgoing_v4 }, { "outgoing_v6", net_outgoing_v6 }, { NULL, NULL }