From cc79b003cb3863e3742cbbd60913a539be684873 Mon Sep 17 00:00:00 2001
From: Pradeep Jindal
Date: Thu, 20 Aug 2015 18:25:17 +0530
Subject: [PATCH] BUG/MINOR: ssl: TLS Ticket Key rotation broken via socket command

It seems haproxy was doing wrong pointer arithmetic to update the ticket ring correctly.
---
 src/dumpstats.c | 4 ++--
 src/ssl_sock.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/dumpstats.c b/src/dumpstats.c
index a779f4783d..b97318bebf 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -1933,8 +1933,8 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
 return 1;
 }
- memcpy(appctx->ctx.tlskeys.ref->tlskeys + 2 % TLS_TICKETS_NO, trash.str, trash.len);
- appctx->ctx.tlskeys.ref->tls_ticket_enc_index = appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 1 % TLS_TICKETS_NO;
+ memcpy(appctx->ctx.tlskeys.ref->tlskeys + ((appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO), trash.str, trash.len);
+ appctx->ctx.tlskeys.ref->tls_ticket_enc_index = (appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO;
 appctx->ctx.cli.msg = "TLS ticket key updated!";
 appctx->st0 = STAT_CLI_PRINT;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2b91eedbe8..85ffd5fb77 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -500,8 +500,8 @@ int ssl_sock_update_tlskey(char *filename, struct chunk *tlskey, char **err) {
 return 1;
 }
- memcpy((char *) (ref->tlskeys + 2 % TLS_TICKETS_NO), tlskey->str, tlskey->len);
- ref->tls_ticket_enc_index = ref->tls_ticket_enc_index + 1 % TLS_TICKETS_NO;
+ memcpy((char *) (ref->tlskeys + ((ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO)), tlskey->str, tlskey->len);
+ ref->tls_ticket_enc_index = (ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO;
 return 0;
 }
-- 
2.47.2
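Review bot: The ring-rotation arithmetic on the two added lines — overwrite slot `(tls_ticket_enc_index + 2) % TLS_TICKETS_NO`, then advance `tls_ticket_enc_index` by one modulo `TLS_TICKETS_NO` — is spelled out identically here and in the src/ssl_sock.c hunk, with no comment saying why the new key lands two slots ahead of the encrypting one; that duplication is exactly how the precedence bug this patch corrects ended up in both call sites. I would add a comment on the memcpy line such as `/* overwrite the slot two ahead of the encrypting key, then advance the index so the previously-next key becomes the encrypting key */` (the slot roles are my reading of the offsets and should be confirmed against the ticket callback in ssl_sock.c) and fold both copies into one small static helper in ssl_sock.c that takes the ref, the key pointer and its length, so the invariant lives in one place. The `return 1;` in context presumably belongs to a size check on `trash.len`, which the memcpy silently relies on, but that check and the start of `stats_sock_parse_request` are outside the hunk.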
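Review bot: The `(char *)` cast on the new memcpy line is redundant — `memcpy` takes `void *` — and it hides the element type of `ref->tlskeys` that the `+ ((... + 2) % TLS_TICKETS_NO)` pointer arithmetic depends on; the same statement in src/dumpstats.c carries no cast, so the two sites read differently for no reason. I would write `memcpy(ref->tlskeys + ((ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO), tlskey->str, tlskey->len);`. The copy still trusts `tlskey->len` to be exactly one slot; the `return 1;` in context presumably comes from that check, but it sits outside the hunk, as does the beginning of `ssl_sock_update_tlskey`.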