[trafficserver] branch master updated: 1962: Reload keyblock from key file on every config reload

Mon, 12 Jun 2017 08:21:30 -0700 

This is an automated email from the ASF dual-hosted git repository.

paziz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new b3adf64  1962: Reload keyblock from key file on every config reload
b3adf64 is described below

commit b3adf64e27ee27b209c6bbfdec6fa6be57755340
Author: Persia Aziz <per...@yahoo-inc.com>
AuthorDate: Tue May 23 16:11:23 2017 -0500

    1962: Reload keyblock from key file on every config reload
---
 cmd/traffic_manager/traffic_manager.cc |  2 +
 iocore/net/P_SSLConfig.h               | 33 +++++++++++++++-
 iocore/net/SSLConfig.cc                | 70 ++++++++++++++++++++++++++--------
 iocore/net/SSLNetProcessor.cc          |  1 +
 iocore/net/SSLUtils.cc                 |  2 +-
 mgmt/FileManager.cc                    |  3 +-
 mgmt/LocalManager.cc                   |  5 ++-
 7 files changed, 95 insertions(+), 21 deletions(-)

diff --git a/cmd/traffic_manager/traffic_manager.cc 
b/cmd/traffic_manager/traffic_manager.cc
index 34f6dd2..5575fa0 100644
--- a/cmd/traffic_manager/traffic_manager.cc
+++ b/cmd/traffic_manager/traffic_manager.cc
@@ -949,6 +949,8 @@ fileUpdated(char *fname, bool incVersion)
     mgmt_log("[fileUpdated] metrics.config file has been modified\n");
   } else if (strcmp(fname, "congestion.config") == 0) {
     lmgmt->signalFileChange("proxy.config.http.congestion_control.filename");
+  } else if (strcmp(fname, "proxy.config.ssl.server.ticket_key.filename") == 
0) {
+    lmgmt->signalFileChange("proxy.config.ssl.server.ticket_key.filename");
   } else {
     mgmt_log("[fileUpdated] Unknown config file updated '%s'\n", fname);
   }
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 2977464..7728a41 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -70,7 +70,6 @@ struct SSLConfigParams : public ConfigInfo {
   char *cipherSuite;
   char *client_cipherSuite;
   char *ticket_key_filename;
-  ssl_ticket_key_block *default_global_keyblock;
   int configExitOnLoadError;
   int clientCertLevel;
   int verify_depth;
@@ -142,7 +141,6 @@ struct SSLConfig {
   static void reconfigure();
   static SSLConfigParams *acquire();
   static void release(SSLConfigParams *params);
-
   typedef ConfigProcessor::scoped_config<SSLConfig, SSLConfigParams> 
scoped_config;
 
 private:
@@ -161,6 +159,37 @@ private:
   static int configid;
 };
 
+struct SSLTicketParams : public ConfigInfo {
+  ssl_ticket_key_block *default_global_keyblock;
+  char *ticket_key_filename;
+  void LoadTicket();
+  void cleanup();
+
+  ~SSLTicketParams() { cleanup(); }
+};
+
+struct SSLTicketKeyConfig {
+  static void startup();
+  static bool reconfigure();
+
+  static SSLTicketParams *
+  acquire()
+  {
+    return static_cast<SSLTicketParams *>(configProcessor.get(configid));
+  }
+
+  static void
+  release(SSLTicketParams *params)
+  {
+    configProcessor.release(configid, params);
+  }
+
+  typedef ConfigProcessor::scoped_config<SSLTicketKeyConfig, SSLTicketParams> 
scoped_config;
+
+private:
+  static int configid;
+};
+
 extern SSLSessionCache *session_cache;
 
 #endif
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 343b3d9..803ca57 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -43,6 +43,7 @@
 
 int SSLConfig::configid                                     = 0;
 int SSLCertificateConfig::configid                          = 0;
+int SSLTicketKeyConfig::configid                            = 0;
 int SSLConfigParams::ssl_maxrecord                          = 0;
 bool SSLConfigParams::ssl_allow_client_renegotiation        = false;
 bool SSLConfigParams::ssl_ocsp_enabled                      = false;
@@ -90,7 +91,6 @@ SSLConfigParams::reset()
   serverCertPathOnly = serverCertChainFilename = configFilePath = 
serverCACertFilename = serverCACertPath = clientCertPath =
     clientKeyPath = clientCACertFilename = clientCACertPath = cipherSuite = 
client_cipherSuite = dhparamsFile = serverKeyPathOnly =
       ticket_key_filename                                                      
                               = nullptr;
-  default_global_keyblock                                                      
                               = nullptr;
   client_ctx                                                                   
                               = nullptr;
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
   ssl_ctx_options                                                     = 
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
@@ -122,7 +122,7 @@ SSLConfigParams::cleanup()
   dhparamsFile            = (char *)ats_free_null(dhparamsFile);
   ssl_wire_trace_ip       = (IpAddr *)ats_free_null(ssl_wire_trace_ip);
   ticket_key_filename     = (char *)ats_free_null(ticket_key_filename);
-  ticket_block_free(default_global_keyblock);
+
   freeCTXmap();
   SSLReleaseContext(client_ctx);
   reset();
@@ -269,17 +269,6 @@ SSLConfigParams::initialize()
   ats_free(ssl_server_ca_cert_filename);
   ats_free(CACertRelativePath);
 
-#if HAVE_OPENSSL_SESSION_TICKETS
-
-  if (REC_ReadConfigStringAlloc(ticket_key_filename, 
"proxy.config.ssl.server.ticket_key.filename") == REC_ERR_OKAY &&
-      this->ticket_key_filename != nullptr) {
-    ats_scoped_str 
ticket_key_path(Layout::relative_to(this->serverCertPathOnly, 
this->ticket_key_filename));
-    default_global_keyblock = ssl_create_ticket_keyblock(ticket_key_path);
-  } else {
-    default_global_keyblock = ssl_create_ticket_keyblock(nullptr);
-  }
-#endif
-
   // SSL session cache configurations
   REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache");
   REC_ReadConfigInteger(ssl_session_cache_size, 
"proxy.config.ssl.session_cache.size");
@@ -477,12 +466,10 @@ SSLCertificateConfig::startup()
 {
   sslCertUpdate = new ConfigUpdateHandler<SSLCertificateConfig>();
   sslCertUpdate->attach("proxy.config.ssl.server.multicert.filename");
-  sslCertUpdate->attach("proxy.config.ssl.server.ticket_key.filename");
   sslCertUpdate->attach("proxy.config.ssl.server.cert.path");
   sslCertUpdate->attach("proxy.config.ssl.server.private_key.path");
   sslCertUpdate->attach("proxy.config.ssl.server.cert_chain.filename");
   sslCertUpdate->attach("proxy.config.ssl.server.session_ticket.enable");
-
   // Exit if there are problems on the certificate loading and the
   // proxy.config.ssl.server.multicert.exit_on_load_fail is true
   SSLConfig::scoped_config params;
@@ -535,3 +522,56 @@ SSLCertificateConfig::release(SSLCertLookup *lookup)
 {
   configProcessor.release(configid, lookup);
 }
+
+void
+SSLTicketParams::LoadTicket()
+{
+  cleanup();
+
+#if HAVE_OPENSSL_SESSION_TICKETS
+
+  SSLConfig::scoped_config params;
+
+  if (REC_ReadConfigStringAlloc(ticket_key_filename, 
"proxy.config.ssl.server.ticket_key.filename") == REC_ERR_OKAY &&
+      ticket_key_filename != nullptr) {
+    ats_scoped_str 
ticket_key_path(Layout::relative_to(params->serverCertPathOnly, 
ticket_key_filename));
+    default_global_keyblock = ssl_create_ticket_keyblock(ticket_key_path);
+  } else {
+    default_global_keyblock = ssl_create_ticket_keyblock(nullptr);
+  }
+  if (!default_global_keyblock) {
+    Fatal("Could not load Ticket Key from %s", ticket_key_filename);
+    return;
+  }
+  Debug("ssl", "ticket key reloaded from %s", ticket_key_filename);
+
+#endif
+}
+
+void
+SSLTicketKeyConfig::startup()
+{
+  auto sslTicketKey = new ConfigUpdateHandler<SSLTicketKeyConfig>();
+
+  sslTicketKey->attach("proxy.config.ssl.server.ticket_key.filename");
+  reconfigure();
+}
+
+bool
+SSLTicketKeyConfig::reconfigure()
+{
+  SSLTicketParams *ticketKey = new SSLTicketParams();
+
+  if (ticketKey)
+    ticketKey->LoadTicket();
+
+  configid = configProcessor.set(configid, ticketKey);
+  return true;
+}
+
+void
+SSLTicketParams::cleanup()
+{
+  ticket_block_free(default_global_keyblock);
+  ticket_key_filename = (char *)ats_free_null(ticket_key_filename);
+}
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index 2bc04a0..7ea82db 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -63,6 +63,7 @@ SSLNetProcessor::start(int, size_t stacksize)
   if (!SSLCertificateConfig::startup()) {
     return -1;
   }
+  SSLTicketKeyConfig::startup();
 
   // Acquire a SSLConfigParams instance *after* we start SSL up.
   // SSLConfig::scoped_config params;
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 0be99ec..8a047dc 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -2055,7 +2055,7 @@ ssl_callback_session_ticket(SSL *ssl, unsigned char 
*keyname, unsigned char *iv,
                             int enc)
 {
   SSLCertificateConfig::scoped_config lookup;
-  SSLConfig::scoped_config params;
+  SSLTicketKeyConfig::scoped_config params;
   SSLNetVConnection *netvc = SSLNetVCAccess(ssl);
 
   // Get the IP address to look up the keyblock
diff --git a/mgmt/FileManager.cc b/mgmt/FileManager.cc
index 78cb8ff..1953ff3 100644
--- a/mgmt/FileManager.cc
+++ b/mgmt/FileManager.cc
@@ -180,7 +180,7 @@ FileManager::fileChanged(const char *fileName, bool 
incVersion)
 {
   callbackListable *cb;
   char *filenameCopy;
-
+  Debug("lm", "filename changed %s", fileName);
   ink_mutex_acquire(&cbListLock);
 
   for (cb = cblist.head; cb != nullptr; cb = cb->link.next) {
@@ -667,6 +667,7 @@ FileManager::rereadConfig()
   if (found && enabled) {
     fileChanged("proxy.config.body_factory.template_sets_dir", true);
   }
+  fileChanged("proxy.config.ssl.server.ticket_key.filename", true);
 }
 
 bool
diff --git a/mgmt/LocalManager.cc b/mgmt/LocalManager.cc
index f3da137..eab9ac0 100644
--- a/mgmt/LocalManager.cc
+++ b/mgmt/LocalManager.cc
@@ -595,7 +595,8 @@ LocalManager::sendMgmtMsgToProcesses(MgmtMessageHdr *mh)
     }
     ink_assert(found);
     if (!(configFiles && configFiles->getRollbackObj(fname, &rb)) &&
-        (strcmp(data_raw, "proxy.config.body_factory.template_sets_dir") != 
0)) {
+        (strcmp(data_raw, "proxy.config.body_factory.template_sets_dir") != 0) 
&&
+        (strcmp(data_raw, "proxy.config.ssl.server.ticket_key.filename") != 
0)) {
       mgmt_fatal(0, "[LocalManager::sendMgmtMsgToProcesses] "
                     "Invalid 'data_raw' for MGMT_EVENT_CONFIG_FILE_UPDATE\n");
     }
@@ -733,7 +734,7 @@ LocalManager::processEventQueue()
         ink_assert(enqueue(mgmt_event_queue, mh));
         return;
       }
-      Debug("lm", "[TrafficManager] ==> Sending signal event '%d' payload=%d", 
mh->msg_id, mh->data_len);
+      Debug("lm", "[TrafficManager] ==> Sending signal event '%d' %s 
payload=%d", mh->msg_id, data_raw, mh->data_len);
       lmgmt->sendMgmtMsgToProcesses(mh);
     }
     ats_free(mh);

-- 
To stop receiving notification emails like this one, please contact
['"commits@trafficserver.apache.org" <commits@trafficserver.apache.org>'].

Reply via email to