nghttpx: Rename --tls-ticket-cipher as --tls-ticket-key-cipher

Tatsuhiro Tsujikawa 2015-07-28 23:49:37 +09:00
parent 80d96590c5
commit a1288a5826
5 changed files with 51 additions and 50 deletions


@ -91,7 +91,7 @@ OPTIONS = [
"header-field-buffer", "header-field-buffer",
"max-header-fields", "max-header-fields",
"include", "include",
"tls-ticket-cipher", "tls-ticket-key-cipher",
"host-rewrite", "host-rewrite",
"tls-session-cache-memcached", "tls-session-cache-memcached",
"tls-ticket-key-memcached", "tls-ticket-key-memcached",


@ -608,7 +608,7 @@ void graceful_shutdown_signal_cb(struct ev_loop *loop, ev_signal *w,
namespace { namespace {
int generate_ticket_key(TicketKey &ticket_key) { int generate_ticket_key(TicketKey &ticket_key) {
ticket_key.cipher = get_config()->tls_ticket_cipher; ticket_key.cipher = get_config()->tls_ticket_key_cipher;
ticket_key.hmac = EVP_sha256(); ticket_key.hmac = EVP_sha256();
ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac); ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);
@ -738,11 +738,11 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
size_t expectedlen; size_t expectedlen;
size_t enc_keylen; size_t enc_keylen;
size_t hmac_keylen; size_t hmac_keylen;
if (get_config()->tls_ticket_cipher == EVP_aes_128_cbc()) { if (get_config()->tls_ticket_key_cipher == EVP_aes_128_cbc()) {
expectedlen = 48; expectedlen = 48;
enc_keylen = 16; enc_keylen = 16;
hmac_keylen = 16; hmac_keylen = 16;
} else if (get_config()->tls_ticket_cipher == EVP_aes_256_cbc()) { } else if (get_config()->tls_ticket_key_cipher == EVP_aes_256_cbc()) {
expectedlen = 80; expectedlen = 80;
enc_keylen = 32; enc_keylen = 32;
hmac_keylen = 32; hmac_keylen = 32;
@ -773,7 +773,7 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
return; return;
} }
auto key = TicketKey(); auto key = TicketKey();
key.cipher = get_config()->tls_ticket_cipher; key.cipher = get_config()->tls_ticket_key_cipher;
key.hmac = EVP_sha256(); key.hmac = EVP_sha256();
key.hmac_keylen = EVP_MD_size(key.hmac); key.hmac_keylen = EVP_MD_size(key.hmac);
@ -874,18 +874,18 @@ int event_loop() {
} else { } else {
bool auto_tls_ticket_key = true; bool auto_tls_ticket_key = true;
if (!get_config()->tls_ticket_key_files.empty()) { if (!get_config()->tls_ticket_key_files.empty()) {
if (!get_config()->tls_ticket_cipher_given) { if (!get_config()->tls_ticket_key_cipher_given) {
LOG(WARN) LOG(WARN)
<< "It is strongly recommended to specify " << "It is strongly recommended to specify "
"--tls-ticket-cipher=aes-128-cbc (or " "--tls-ticket-key-cipher=aes-128-cbc (or "
"tls-ticket-cipher=aes-128-cbc in configuration file) " "tls-ticket-key-cipher=aes-128-cbc in configuration file) "
"when --tls-ticket-key-file is used for the smooth " "when --tls-ticket-key-file is used for the smooth "
"transition when the default value of --tls-ticket-cipher " "transition when the default value of --tls-ticket-key-cipher "
"becomes aes-256-cbc"; "becomes aes-256-cbc";
} }
auto ticket_keys = read_tls_ticket_key_file( auto ticket_keys = read_tls_ticket_key_file(
get_config()->tls_ticket_key_files, get_config()->tls_ticket_cipher, get_config()->tls_ticket_key_files,
EVP_sha256()); get_config()->tls_ticket_key_cipher, EVP_sha256());
if (!ticket_keys) { if (!ticket_keys) {
LOG(WARN) << "Use internal session ticket key generator"; LOG(WARN) << "Use internal session ticket key generator";
} else { } else {
@ -1142,8 +1142,8 @@ void fill_default_config() {
mod_config()->header_field_buffer = 64_k; mod_config()->header_field_buffer = 64_k;
mod_config()->max_header_fields = 100; mod_config()->max_header_fields = 100;
mod_config()->downstream_addr_group_catch_all = 0; mod_config()->downstream_addr_group_catch_all = 0;
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc(); mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
mod_config()->tls_ticket_cipher_given = false; mod_config()->tls_ticket_key_cipher_given = false;
mod_config()->tls_session_timeout = std::chrono::hours(12); mod_config()->tls_session_timeout = std::chrono::hours(12);
mod_config()->tls_ticket_key_memcached_max_retry = 3; mod_config()->tls_ticket_key_memcached_max_retry = 3;
mod_config()->tls_ticket_key_memcached_max_fail = 2; mod_config()->tls_ticket_key_memcached_max_fail = 2;
@ -1461,24 +1461,25 @@ SSL/TLS:
--tls-ticket-key-file=<PATH> --tls-ticket-key-file=<PATH>
Path to file that contains random data to construct TLS Path to file that contains random data to construct TLS
session ticket parameters. If aes-128-cbc is given in session ticket parameters. If aes-128-cbc is given in
--tls-ticket-cipher, the file must contain exactly 48 --tls-ticket-key-cipher, the file must contain exactly
bytes. If aes-256-cbc is given in --tls-ticket-cipher, 48 bytes. If aes-256-cbc is given in
the file must contain exactly 80 bytes. This options --tls-ticket-key-cipher, the file must contain exactly
can be used repeatedly to specify multiple ticket 80 bytes. This options can be used repeatedly to
parameters. If several files are given, only the first specify multiple ticket parameters. If several files
key is used to encrypt TLS session tickets. Other keys are given, only the first key is used to encrypt TLS
are accepted but server will issue new session ticket session tickets. Other keys are accepted but server
with first key. This allows session key rotation. will issue new session ticket with first key. This
Please note that key rotation does not occur allows session key rotation. Please note that key
automatically. User should rearrange files or change rotation does not occur automatically. User should
options values and restart nghttpx gracefully. If rearrange files or change options values and restart
opening or reading given file fails, all loaded keys are nghttpx gracefully. If opening or reading given file
discarded and it is treated as if none of this option is fails, all loaded keys are discarded and it is treated
given. If this option is not given or an error occurred as if none of this option is given. If this option is
while opening or reading a file, key is generated every not given or an error occurred while opening or reading
1 hour internally and they are valid for 12 hours. This a file, key is generated every 1 hour internally and
is recommended if ticket key sharing between nghttpx they are valid for 12 hours. This is recommended if
instances is not required. ticket key sharing between nghttpx instances is not
required.
--tls-ticket-key-memcached=<HOST>,<PORT> --tls-ticket-key-memcached=<HOST>,<PORT>
Specify address of memcached server to store session Specify address of memcached server to store session
cache. This enables shared TLS ticket key between cache. This enables shared TLS ticket key between
@ -1507,7 +1508,7 @@ SSL/TLS:
disabling TLS ticket until next scheduled key retrieval. disabling TLS ticket until next scheduled key retrieval.
Default: )" << get_config()->tls_ticket_key_memcached_max_fail Default: )" << get_config()->tls_ticket_key_memcached_max_fail
<< R"( << R"(
--tls-ticket-cipher=<TICKET_CIPHER> --tls-ticket-key-cipher=<CIPHER>
Specify cipher to encrypt TLS session ticket. Specify Specify cipher to encrypt TLS session ticket. Specify
either aes-128-cbc or aes-256-cbc. By default, either aes-128-cbc or aes-256-cbc. By default,
aes-128-cbc is used. aes-128-cbc is used.
@ -1885,7 +1886,7 @@ int main(int argc, char **argv) {
{SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81}, {SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81},
{SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82}, {SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82},
{SHRPX_OPT_INCLUDE, required_argument, &flag, 83}, {SHRPX_OPT_INCLUDE, required_argument, &flag, 83},
{SHRPX_OPT_TLS_TICKET_CIPHER, required_argument, &flag, 84}, {SHRPX_OPT_TLS_TICKET_KEY_CIPHER, required_argument, &flag, 84},
{SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85}, {SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85},
{SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED, required_argument, &flag, 86}, {SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED, required_argument, &flag, 86},
{SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED, required_argument, &flag, 87}, {SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED, required_argument, &flag, 87},
@ -2262,8 +2263,8 @@ int main(int argc, char **argv) {
cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg); cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg);
break; break;
case 84: case 84:
// --tls-ticket-cipher // --tls-ticket-key-cipher
cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_CIPHER, optarg); cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_KEY_CIPHER, optarg);
break; break;
case 85: case 85:
// --host-rewrite // --host-rewrite


@ -704,7 +704,7 @@ enum {
SHRPX_OPTID_SYSLOG_FACILITY, SHRPX_OPTID_SYSLOG_FACILITY,
SHRPX_OPTID_TLS_PROTO_LIST, SHRPX_OPTID_TLS_PROTO_LIST,
SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED, SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
SHRPX_OPTID_TLS_TICKET_CIPHER, SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
SHRPX_OPTID_TLS_TICKET_KEY_FILE, SHRPX_OPTID_TLS_TICKET_KEY_FILE,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED, SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL, SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
@ -1003,11 +1003,6 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_WORKER_WRITE_RATE; return SHRPX_OPTID_WORKER_WRITE_RATE;
} }
break; break;
case 'r':
if (util::strieq_l("tls-ticket-ciphe", name, 16)) {
return SHRPX_OPTID_TLS_TICKET_CIPHER;
}
break;
case 's': case 's':
if (util::strieq_l("max-header-field", name, 16)) { if (util::strieq_l("max-header-field", name, 16)) {
return SHRPX_OPTID_MAX_HEADER_FIELDS; return SHRPX_OPTID_MAX_HEADER_FIELDS;
@ -1094,6 +1089,11 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_BACKEND_TLS_SNI_FIELD; return SHRPX_OPTID_BACKEND_TLS_SNI_FIELD;
} }
break; break;
case 'r':
if (util::strieq_l("tls-ticket-key-ciphe", name, 20)) {
return SHRPX_OPTID_TLS_TICKET_KEY_CIPHER;
}
break;
case 't': case 't':
if (util::strieq_l("backend-write-timeou", name, 20)) { if (util::strieq_l("backend-write-timeou", name, 20)) {
return SHRPX_OPTID_BACKEND_WRITE_TIMEOUT; return SHRPX_OPTID_BACKEND_WRITE_TIMEOUT;
@ -1879,17 +1879,17 @@ int parse_config(const char *opt, const char *optarg,
return 0; return 0;
} }
case SHRPX_OPTID_TLS_TICKET_CIPHER: case SHRPX_OPTID_TLS_TICKET_KEY_CIPHER:
if (util::strieq(optarg, "aes-128-cbc")) { if (util::strieq(optarg, "aes-128-cbc")) {
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc(); mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
} else if (util::strieq(optarg, "aes-256-cbc")) { } else if (util::strieq(optarg, "aes-256-cbc")) {
mod_config()->tls_ticket_cipher = EVP_aes_256_cbc(); mod_config()->tls_ticket_key_cipher = EVP_aes_256_cbc();
} else { } else {
LOG(ERROR) << opt LOG(ERROR) << opt
<< ": unsupported cipher for ticket encryption: " << optarg; << ": unsupported cipher for ticket encryption: " << optarg;
return -1; return -1;
} }
mod_config()->tls_ticket_cipher_given = true; mod_config()->tls_ticket_key_cipher_given = true;
return 0; return 0;
case SHRPX_OPTID_HOST_REWRITE: case SHRPX_OPTID_HOST_REWRITE:


@ -171,7 +171,7 @@ constexpr char SHRPX_OPT_NO_OCSP[] = "no-ocsp";
constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer"; constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer";
constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields"; constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields";
constexpr char SHRPX_OPT_INCLUDE[] = "include"; constexpr char SHRPX_OPT_INCLUDE[] = "include";
constexpr char SHRPX_OPT_TLS_TICKET_CIPHER[] = "tls-ticket-cipher"; constexpr char SHRPX_OPT_TLS_TICKET_KEY_CIPHER[] = "tls-ticket-key-cipher";
constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite"; constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite";
constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] = constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] =
"tls-session-cache-memcached"; "tls-session-cache-memcached";
@ -320,7 +320,7 @@ struct Config {
nghttp2_session_callbacks *http2_downstream_callbacks; nghttp2_session_callbacks *http2_downstream_callbacks;
nghttp2_option *http2_option; nghttp2_option *http2_option;
nghttp2_option *http2_client_option; nghttp2_option *http2_client_option;
const EVP_CIPHER *tls_ticket_cipher; const EVP_CIPHER *tls_ticket_key_cipher;
const char *server_name; const char *server_name;
char **argv; char **argv;
char *cwd; char *cwd;
@ -403,8 +403,8 @@ struct Config {
// true if host contains UNIX domain socket path // true if host contains UNIX domain socket path
bool host_unix; bool host_unix;
bool no_ocsp; bool no_ocsp;
// true if --tls-ticket-cipher is used // true if --tls-ticket-key-cipher is used
bool tls_ticket_cipher_given; bool tls_ticket_key_cipher_given;
}; };
const Config *get_config(); const Config *get_config();


@ -338,7 +338,7 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
std::copy(std::begin(key.data.name), std::end(key.data.name), key_name); std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_cipher, nullptr, EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_key_cipher, nullptr,
key.data.enc_key.data(), iv); key.data.enc_key.data(), iv);
HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac, HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
nullptr); nullptr);