MINOR: Add TLS ticket keys reference and use it in the listener struct

Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2026-02-03 16:31:08 +01:00 · 2015-05-09 08:46:00 +02:00 · 2015-05-09 08:46:00 +02:00 · 146defaff4
commit 146defaff4
parent 449f952cb3
4 changed files with 25 additions and 9 deletions
--- a/include/types/listener.h
+++ b/include/types/listener.h
@ -132,8 +132,7 @@ struct bind_conf {
 	int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
 	struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
 	struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
-	struct tls_sess_key *tls_ticket_keys; /* TLS ticket keys */
-	int tls_ticket_enc_index;  /* array index of the key to use for encryption */
+	struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
 #endif
 	int is_ssl;                /* SSL is required for these listeners */
 	unsigned long bind_proc;   /* bitmask of processes allowed to use these listeners */
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@ -38,4 +38,12 @@ struct tls_sess_key {
 	unsigned char hmac_key[16];
 } __attribute__((packed));

+struct tls_keys_ref {
+	struct list list; /* Used to chain refs. */
+	char *filename;
+	int unique_id; /* Each pattern reference have unique id. */
+	struct tls_sess_key *tlskeys;
+	int tls_ticket_enc_index;
+};
+
 #endif /* _TYPES_SSL_SOCK_H */
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -7996,7 +7996,11 @@ out_uri_auth_compat:
 			free(bind_conf->ciphers);
 			free(bind_conf->ecdhe);
 			free(bind_conf->crl_file);
-			free(bind_conf->tls_ticket_keys);
+			if(bind_conf->keys_ref) {
+				free(bind_conf->keys_ref->filename);
+				free(bind_conf->keys_ref->tlskeys);
+				free(bind_conf->keys_ref);
+			}
 #endif /* USE_OPENSSL */
 		}

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -406,8 +406,8 @@ static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned
 	int i;

 	conn = (struct connection *)SSL_get_app_data(s);
-	keys = objt_listener(conn->target)->bind_conf->tls_ticket_keys;
-	head = objt_listener(conn->target)->bind_conf->tls_ticket_enc_index;
+	keys = objt_listener(conn->target)->bind_conf->keys_ref->tlskeys;
+	head = objt_listener(conn->target)->bind_conf->keys_ref->tls_ticket_enc_index;

 	if (enc) {
 		memcpy(key_name, keys[head].name, 16);
@ -1783,7 +1783,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 	}

 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-	if(bind_conf->tls_ticket_keys) {
+	if(bind_conf->keys_ref) {
 		if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
 			Alert("Proxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
 				curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
@ -4332,6 +4332,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 	FILE *f;
 	int i = 0;
 	char thisline[LINESIZE];
+	struct tls_keys_ref *keys_ref;

 	if (!*args[cur_arg + 1]) {
 		if (err)
@ -4339,7 +4340,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 		return ERR_ALERT | ERR_FATAL;
 	}

-	conf->tls_ticket_keys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));
+	keys_ref = malloc(sizeof(struct tls_keys_ref));
+	keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct tls_sess_key));

 	if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
 		if (err)
@ -4347,6 +4349,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 		return ERR_ALERT | ERR_FATAL;
 	}

+	keys_ref->filename = strdup(args[cur_arg + 1]);
+
 	while (fgets(thisline, sizeof(thisline), f) != NULL) {
 		int len = strlen(thisline);
 		/* Strip newline characters from the end */
@ -4356,7 +4360,7 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
 		if(thisline[len - 1] == '\r')
 			thisline[--len] = 0;

-		if (base64dec(thisline, len, (char *) (conf->tls_ticket_keys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
+		if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
 			if (err)
 				memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
 			return ERR_ALERT | ERR_FATAL;
@ -4374,7 +4378,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px

 	/* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
 	i-=2;
-	conf->tls_ticket_enc_index = i < 0 ? 0 : i;
+	keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+	conf->keys_ref = keys_ref;

 	return 0;
 #else