nghttpx: Rename --tls-ticket-cipher as --tls-ticket-key-cipher

gennghttpxfun.py

@@ -91,7 +91,7 @@ OPTIONS = [
     "header-field-buffer",
     "max-header-fields",
     "include",
-    "tls-ticket-cipher",
+    "tls-ticket-key-cipher",
     "host-rewrite",
     "tls-session-cache-memcached",
     "tls-ticket-key-memcached",

src/shrpx.cc

@@ -608,7 +608,7 @@ void graceful_shutdown_signal_cb(struct ev_loop *loop, ev_signal *w,
 
 namespace {
 int generate_ticket_key(TicketKey &ticket_key) {
-  ticket_key.cipher = get_config()->tls_ticket_cipher;
+  ticket_key.cipher = get_config()->tls_ticket_key_cipher;
   ticket_key.hmac = EVP_sha256();
   ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);
 
@@ -738,11 +738,11 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
     size_t expectedlen;
     size_t enc_keylen;
     size_t hmac_keylen;
-    if (get_config()->tls_ticket_cipher == EVP_aes_128_cbc()) {
+    if (get_config()->tls_ticket_key_cipher == EVP_aes_128_cbc()) {
       expectedlen = 48;
       enc_keylen = 16;
       hmac_keylen = 16;
-    } else if (get_config()->tls_ticket_cipher == EVP_aes_256_cbc()) {
+    } else if (get_config()->tls_ticket_key_cipher == EVP_aes_256_cbc()) {
       expectedlen = 80;
       enc_keylen = 32;
       hmac_keylen = 32;
@@ -773,7 +773,7 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
         return;
       }
       auto key = TicketKey();
-      key.cipher = get_config()->tls_ticket_cipher;
+      key.cipher = get_config()->tls_ticket_key_cipher;
       key.hmac = EVP_sha256();
       key.hmac_keylen = EVP_MD_size(key.hmac);
 
@@ -874,18 +874,18 @@ int event_loop() {
     } else {
       bool auto_tls_ticket_key = true;
       if (!get_config()->tls_ticket_key_files.empty()) {
-        if (!get_config()->tls_ticket_cipher_given) {
+        if (!get_config()->tls_ticket_key_cipher_given) {
           LOG(WARN)
               << "It is strongly recommended to specify "
-                 "--tls-ticket-cipher=aes-128-cbc (or "
+                 "--tls-ticket-key-cipher=aes-128-cbc (or "
-                 "tls-ticket-cipher=aes-128-cbc in configuration file) "
+                 "tls-ticket-key-cipher=aes-128-cbc in configuration file) "
                  "when --tls-ticket-key-file is used for the smooth "
-                 "transition when the default value of --tls-ticket-cipher "
+                 "transition when the default value of --tls-ticket-key-cipher "
                  "becomes aes-256-cbc";
         }
         auto ticket_keys = read_tls_ticket_key_file(
-            get_config()->tls_ticket_key_files, get_config()->tls_ticket_cipher,
+            get_config()->tls_ticket_key_files,
-            EVP_sha256());
+            get_config()->tls_ticket_key_cipher, EVP_sha256());
         if (!ticket_keys) {
           LOG(WARN) << "Use internal session ticket key generator";
         } else {
@@ -1142,8 +1142,8 @@ void fill_default_config() {
   mod_config()->header_field_buffer = 64_k;
   mod_config()->max_header_fields = 100;
   mod_config()->downstream_addr_group_catch_all = 0;
-  mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
+  mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
-  mod_config()->tls_ticket_cipher_given = false;
+  mod_config()->tls_ticket_key_cipher_given = false;
   mod_config()->tls_session_timeout = std::chrono::hours(12);
   mod_config()->tls_ticket_key_memcached_max_retry = 3;
   mod_config()->tls_ticket_key_memcached_max_fail = 2;
@@ -1461,24 +1461,25 @@ SSL/TLS:
   --tls-ticket-key-file=<PATH>
               Path to file that contains  random data to construct TLS
               session ticket  parameters.  If aes-128-cbc is  given in
-              --tls-ticket-cipher,  the file  must contain  exactly 48
+              --tls-ticket-key-cipher, the  file must  contain exactly
-              bytes.  If aes-256-cbc  is given in --tls-ticket-cipher,
+              48    bytes.     If     aes-256-cbc    is    given    in
-              the file  must contain  exactly 80 bytes.   This options
+              --tls-ticket-key-cipher, the  file must  contain exactly
-              can  be  used  repeatedly  to  specify  multiple  ticket
+              80  bytes.   This  options  can be  used  repeatedly  to
-              parameters.  If several files  are given, only the first
+              specify  multiple ticket  parameters.  If  several files
-              key is used to encrypt  TLS session tickets.  Other keys
+              are given,  only the  first key is  used to  encrypt TLS
-              are accepted  but server  will issue new  session ticket
+              session  tickets.  Other  keys are  accepted but  server
-              with  first  key.   This allows  session  key  rotation.
+              will  issue new  session  ticket with  first key.   This
-              Please   note  that   key   rotation   does  not   occur
+              allows  session  key  rotation.  Please  note  that  key
-              automatically.   User should  rearrange files  or change
+              rotation  does  not  occur automatically.   User  should
-              options  values  and  restart  nghttpx  gracefully.   If
+              rearrange  files or  change options  values and  restart
-              opening or reading given file fails, all loaded keys are
+              nghttpx gracefully.   If opening  or reading  given file
-              discarded and it is treated as if none of this option is
+              fails, all loaded  keys are discarded and  it is treated
-              given.  If this option is not given or an error occurred
+              as if none  of this option is given.  If  this option is
-              while opening or reading a  file, key is generated every
+              not given or an error  occurred while opening or reading
-              1 hour internally and they are valid for 12 hours.  This
+              a file,  key is  generated every  1 hour  internally and
-              is  recommended if  ticket key  sharing between  nghttpx
+              they are  valid for  12 hours.   This is  recommended if
-              instances is not required.
+              ticket  key sharing  between  nghttpx  instances is  not
+              required.
   --tls-ticket-key-memcached=<HOST>,<PORT>
               Specify  address of  memcached server  to store  session
               cache.   This  enables  shared TLS  ticket  key  between
@@ -1507,7 +1508,7 @@ SSL/TLS:
               disabling TLS ticket until next scheduled key retrieval.
               Default: )" << get_config()->tls_ticket_key_memcached_max_fail
       << R"(
-  --tls-ticket-cipher=<TICKET_CIPHER>
+  --tls-ticket-key-cipher=<CIPHER>
               Specify cipher  to encrypt TLS session  ticket.  Specify
               either   aes-128-cbc   or  aes-256-cbc.    By   default,
               aes-128-cbc is used.
@@ -1885,7 +1886,7 @@ int main(int argc, char **argv) {
         {SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81},
         {SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82},
         {SHRPX_OPT_INCLUDE, required_argument, &flag, 83},
-        {SHRPX_OPT_TLS_TICKET_CIPHER, required_argument, &flag, 84},
+        {SHRPX_OPT_TLS_TICKET_KEY_CIPHER, required_argument, &flag, 84},
         {SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85},
         {SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED, required_argument, &flag, 86},
         {SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED, required_argument, &flag, 87},
@@ -2262,8 +2263,8 @@ int main(int argc, char **argv) {
         cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg);
         break;
       case 84:
-        // --tls-ticket-cipher
+        // --tls-ticket-key-cipher
-        cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_CIPHER, optarg);
+        cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_KEY_CIPHER, optarg);
         break;
       case 85:
         // --host-rewrite

src/shrpx_config.cc

@@ -704,7 +704,7 @@ enum {
   SHRPX_OPTID_SYSLOG_FACILITY,
   SHRPX_OPTID_TLS_PROTO_LIST,
   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
-  SHRPX_OPTID_TLS_TICKET_CIPHER,
+  SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
   SHRPX_OPTID_TLS_TICKET_KEY_FILE,
   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
@@ -1003,11 +1003,6 @@ int option_lookup_token(const char *name, size_t namelen) {
         return SHRPX_OPTID_WORKER_WRITE_RATE;
       }
       break;
-    case 'r':
-      if (util::strieq_l("tls-ticket-ciphe", name, 16)) {
-        return SHRPX_OPTID_TLS_TICKET_CIPHER;
-      }
-      break;
     case 's':
       if (util::strieq_l("max-header-field", name, 16)) {
         return SHRPX_OPTID_MAX_HEADER_FIELDS;
@@ -1094,6 +1089,11 @@ int option_lookup_token(const char *name, size_t namelen) {
         return SHRPX_OPTID_BACKEND_TLS_SNI_FIELD;
       }
       break;
+    case 'r':
+      if (util::strieq_l("tls-ticket-key-ciphe", name, 20)) {
+        return SHRPX_OPTID_TLS_TICKET_KEY_CIPHER;
+      }
+      break;
     case 't':
       if (util::strieq_l("backend-write-timeou", name, 20)) {
         return SHRPX_OPTID_BACKEND_WRITE_TIMEOUT;
@@ -1879,17 +1879,17 @@ int parse_config(const char *opt, const char *optarg,
 
     return 0;
   }
-  case SHRPX_OPTID_TLS_TICKET_CIPHER:
+  case SHRPX_OPTID_TLS_TICKET_KEY_CIPHER:
     if (util::strieq(optarg, "aes-128-cbc")) {
-      mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
+      mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
     } else if (util::strieq(optarg, "aes-256-cbc")) {
-      mod_config()->tls_ticket_cipher = EVP_aes_256_cbc();
+      mod_config()->tls_ticket_key_cipher = EVP_aes_256_cbc();
     } else {
       LOG(ERROR) << opt
                  << ": unsupported cipher for ticket encryption: " << optarg;
       return -1;
     }
-    mod_config()->tls_ticket_cipher_given = true;
+    mod_config()->tls_ticket_key_cipher_given = true;
 
     return 0;
   case SHRPX_OPTID_HOST_REWRITE:

src/shrpx_config.h

@@ -171,7 +171,7 @@ constexpr char SHRPX_OPT_NO_OCSP[] = "no-ocsp";
 constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer";
 constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields";
 constexpr char SHRPX_OPT_INCLUDE[] = "include";
-constexpr char SHRPX_OPT_TLS_TICKET_CIPHER[] = "tls-ticket-cipher";
+constexpr char SHRPX_OPT_TLS_TICKET_KEY_CIPHER[] = "tls-ticket-key-cipher";
 constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite";
 constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] =
     "tls-session-cache-memcached";
@@ -320,7 +320,7 @@ struct Config {
   nghttp2_session_callbacks *http2_downstream_callbacks;
   nghttp2_option *http2_option;
   nghttp2_option *http2_client_option;
-  const EVP_CIPHER *tls_ticket_cipher;
+  const EVP_CIPHER *tls_ticket_key_cipher;
   const char *server_name;
   char **argv;
   char *cwd;
@@ -403,8 +403,8 @@ struct Config {
   // true if host contains UNIX domain socket path
   bool host_unix;
   bool no_ocsp;
-  // true if --tls-ticket-cipher is used
+  // true if --tls-ticket-key-cipher is used
-  bool tls_ticket_cipher_given;
+  bool tls_ticket_key_cipher_given;
 };
 
 const Config *get_config();

src/shrpx_ssl.cc

@@ -338,7 +338,7 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
 
     std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
 
-    EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_cipher, nullptr,
+    EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_key_cipher, nullptr,
                        key.data.enc_key.data(), iv);
     HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
                  nullptr);