walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: Rename --tls-ticket-cipher as --tls-ticket-key-cipher

This commit is contained in:
Tatsuhiro Tsujikawa 2015-07-28 23:49:37 +09:00
parent 80d96590c5
commit a1288a5826
5 changed files with 51 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gennghttpxfun.py
View File

@ -91,7 +91,7 @@ OPTIONS = [
"header-field-buffer",
"max-header-fields",
"include",
"tls-ticket-cipher",
"tls-ticket-key-cipher",
"host-rewrite",
"tls-session-cache-memcached",
"tls-ticket-key-memcached",

69
src/shrpx.cc
View File

@ -608,7 +608,7 @@ void graceful_shutdown_signal_cb(struct ev_loop *loop, ev_signal *w,
namespace {
int generate_ticket_key(TicketKey &ticket_key) {
ticket_key.cipher = get_config()->tls_ticket_cipher;
ticket_key.cipher = get_config()->tls_ticket_key_cipher;
ticket_key.hmac = EVP_sha256();
ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);
@ -738,11 +738,11 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
size_t expectedlen;
size_t enc_keylen;
size_t hmac_keylen;
if (get_config()->tls_ticket_cipher == EVP_aes_128_cbc()) {
if (get_config()->tls_ticket_key_cipher == EVP_aes_128_cbc()) {
expectedlen = 48;
enc_keylen = 16;
hmac_keylen = 16;
} else if (get_config()->tls_ticket_cipher == EVP_aes_256_cbc()) {
} else if (get_config()->tls_ticket_key_cipher == EVP_aes_256_cbc()) {
expectedlen = 80;
enc_keylen = 32;
hmac_keylen = 32;
@ -773,7 +773,7 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
return;
}
auto key = TicketKey();
key.cipher = get_config()->tls_ticket_cipher;
key.cipher = get_config()->tls_ticket_key_cipher;
key.hmac = EVP_sha256();
key.hmac_keylen = EVP_MD_size(key.hmac);
@ -874,18 +874,18 @@ int event_loop() {
} else {
bool auto_tls_ticket_key = true;
if (!get_config()->tls_ticket_key_files.empty()) {
if (!get_config()->tls_ticket_cipher_given) {
if (!get_config()->tls_ticket_key_cipher_given) {
LOG(WARN)
<< "It is strongly recommended to specify "
"--tls-ticket-cipher=aes-128-cbc (or "
"tls-ticket-cipher=aes-128-cbc in configuration file) "
"--tls-ticket-key-cipher=aes-128-cbc (or "
"tls-ticket-key-cipher=aes-128-cbc in configuration file) "
"when --tls-ticket-key-file is used for the smooth "
"transition when the default value of --tls-ticket-cipher "
"transition when the default value of --tls-ticket-key-cipher "
"becomes aes-256-cbc";
}
auto ticket_keys = read_tls_ticket_key_file(
get_config()->tls_ticket_key_files, get_config()->tls_ticket_cipher,
EVP_sha256());
get_config()->tls_ticket_key_files,
get_config()->tls_ticket_key_cipher, EVP_sha256());
if (!ticket_keys) {
LOG(WARN) << "Use internal session ticket key generator";
} else {
@ -1142,8 +1142,8 @@ void fill_default_config() {
mod_config()->header_field_buffer = 64_k;
mod_config()->max_header_fields = 100;
mod_config()->downstream_addr_group_catch_all = 0;
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
mod_config()->tls_ticket_cipher_given = false;
mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
mod_config()->tls_ticket_key_cipher_given = false;
mod_config()->tls_session_timeout = std::chrono::hours(12);
mod_config()->tls_ticket_key_memcached_max_retry = 3;
mod_config()->tls_ticket_key_memcached_max_fail = 2;
@ -1461,24 +1461,25 @@ SSL/TLS:
--tls-ticket-key-file=<PATH>
Path to file that contains random data to construct TLS
session ticket parameters. If aes-128-cbc is given in
--tls-ticket-cipher, the file must contain exactly 48
bytes. If aes-256-cbc is given in --tls-ticket-cipher,
the file must contain exactly 80 bytes. This options
can be used repeatedly to specify multiple ticket
parameters. If several files are given, only the first
key is used to encrypt TLS session tickets. Other keys
are accepted but server will issue new session ticket
with first key. This allows session key rotation.
Please note that key rotation does not occur
automatically. User should rearrange files or change
options values and restart nghttpx gracefully. If
opening or reading given file fails, all loaded keys are
discarded and it is treated as if none of this option is
given. If this option is not given or an error occurred
while opening or reading a file, key is generated every
1 hour internally and they are valid for 12 hours. This
is recommended if ticket key sharing between nghttpx
instances is not required.
--tls-ticket-key-cipher, the file must contain exactly
48 bytes. If aes-256-cbc is given in
--tls-ticket-key-cipher, the file must contain exactly
80 bytes. This options can be used repeatedly to
specify multiple ticket parameters. If several files
are given, only the first key is used to encrypt TLS
session tickets. Other keys are accepted but server
will issue new session ticket with first key. This
allows session key rotation. Please note that key
rotation does not occur automatically. User should
rearrange files or change options values and restart
nghttpx gracefully. If opening or reading given file
fails, all loaded keys are discarded and it is treated
as if none of this option is given. If this option is
not given or an error occurred while opening or reading
a file, key is generated every 1 hour internally and
they are valid for 12 hours. This is recommended if
ticket key sharing between nghttpx instances is not
required.
--tls-ticket-key-memcached=<HOST>,<PORT>
Specify address of memcached server to store session
cache. This enables shared TLS ticket key between
@ -1507,7 +1508,7 @@ SSL/TLS:
disabling TLS ticket until next scheduled key retrieval.
Default: )" << get_config()->tls_ticket_key_memcached_max_fail
<< R"(
--tls-ticket-cipher=<TICKET_CIPHER>
--tls-ticket-key-cipher=<CIPHER>
Specify cipher to encrypt TLS session ticket. Specify
either aes-128-cbc or aes-256-cbc. By default,
aes-128-cbc is used.
@ -1885,7 +1886,7 @@ int main(int argc, char **argv) {
{SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81},
{SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82},
{SHRPX_OPT_INCLUDE, required_argument, &flag, 83},
{SHRPX_OPT_TLS_TICKET_CIPHER, required_argument, &flag, 84},
{SHRPX_OPT_TLS_TICKET_KEY_CIPHER, required_argument, &flag, 84},
{SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85},
{SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED, required_argument, &flag, 86},
{SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED, required_argument, &flag, 87},
@ -2262,8 +2263,8 @@ int main(int argc, char **argv) {
cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg);
break;
case 84:
// --tls-ticket-cipher
cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_CIPHER, optarg);
// --tls-ticket-key-cipher
cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_KEY_CIPHER, optarg);
break;
case 85:
// --host-rewrite

20
src/shrpx_config.cc
View File

@ -704,7 +704,7 @@ enum {
SHRPX_OPTID_SYSLOG_FACILITY,
SHRPX_OPTID_TLS_PROTO_LIST,
SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
SHRPX_OPTID_TLS_TICKET_CIPHER,
SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
SHRPX_OPTID_TLS_TICKET_KEY_FILE,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
@ -1003,11 +1003,6 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_WORKER_WRITE_RATE;
}
break;
case 'r':
if (util::strieq_l("tls-ticket-ciphe", name, 16)) {
return SHRPX_OPTID_TLS_TICKET_CIPHER;
}
break;
case 's':
if (util::strieq_l("max-header-field", name, 16)) {
return SHRPX_OPTID_MAX_HEADER_FIELDS;
@ -1094,6 +1089,11 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_BACKEND_TLS_SNI_FIELD;
}
break;
case 'r':
if (util::strieq_l("tls-ticket-key-ciphe", name, 20)) {
return SHRPX_OPTID_TLS_TICKET_KEY_CIPHER;
}
break;
case 't':
if (util::strieq_l("backend-write-timeou", name, 20)) {
return SHRPX_OPTID_BACKEND_WRITE_TIMEOUT;
@ -1879,17 +1879,17 @@ int parse_config(const char *opt, const char *optarg,
return 0;
}
case SHRPX_OPTID_TLS_TICKET_CIPHER:
case SHRPX_OPTID_TLS_TICKET_KEY_CIPHER:
if (util::strieq(optarg, "aes-128-cbc")) {
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
} else if (util::strieq(optarg, "aes-256-cbc")) {
mod_config()->tls_ticket_cipher = EVP_aes_256_cbc();
mod_config()->tls_ticket_key_cipher = EVP_aes_256_cbc();
} else {
LOG(ERROR) << opt
<< ": unsupported cipher for ticket encryption: " << optarg;
return -1;
}
mod_config()->tls_ticket_cipher_given = true;
mod_config()->tls_ticket_key_cipher_given = true;
return 0;
case SHRPX_OPTID_HOST_REWRITE:

8
src/shrpx_config.h
View File

@ -171,7 +171,7 @@ constexpr char SHRPX_OPT_NO_OCSP[] = "no-ocsp";
constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer";
constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields";
constexpr char SHRPX_OPT_INCLUDE[] = "include";
constexpr char SHRPX_OPT_TLS_TICKET_CIPHER[] = "tls-ticket-cipher";
constexpr char SHRPX_OPT_TLS_TICKET_KEY_CIPHER[] = "tls-ticket-key-cipher";
constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite";
constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] =
"tls-session-cache-memcached";
@ -320,7 +320,7 @@ struct Config {
nghttp2_session_callbacks *http2_downstream_callbacks;
nghttp2_option *http2_option;
nghttp2_option *http2_client_option;
const EVP_CIPHER *tls_ticket_cipher;
const EVP_CIPHER *tls_ticket_key_cipher;
const char *server_name;
char **argv;
char *cwd;
@ -403,8 +403,8 @@ struct Config {
// true if host contains UNIX domain socket path
bool host_unix;
bool no_ocsp;
// true if --tls-ticket-cipher is used
bool tls_ticket_cipher_given;
// true if --tls-ticket-key-cipher is used
bool tls_ticket_key_cipher_given;
};
const Config *get_config();

2
src/shrpx_ssl.cc
View File

@ -338,7 +338,7 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_cipher, nullptr,
EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_key_cipher, nullptr,
key.data.enc_key.data(), iv);
HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
nullptr);