mirror of
https://gitee.com/openharmony/third_party_nghttp2
synced 2024-11-23 07:50:02 +00:00
nghttpx: Rename --tls-ticket-cipher as --tls-ticket-key-cipher
This commit is contained in:
parent
80d96590c5
commit
a1288a5826
@ -91,7 +91,7 @@ OPTIONS = [
|
||||
"header-field-buffer",
|
||||
"max-header-fields",
|
||||
"include",
|
||||
"tls-ticket-cipher",
|
||||
"tls-ticket-key-cipher",
|
||||
"host-rewrite",
|
||||
"tls-session-cache-memcached",
|
||||
"tls-ticket-key-memcached",
|
||||
|
69
src/shrpx.cc
69
src/shrpx.cc
@ -608,7 +608,7 @@ void graceful_shutdown_signal_cb(struct ev_loop *loop, ev_signal *w,
|
||||
|
||||
namespace {
|
||||
int generate_ticket_key(TicketKey &ticket_key) {
|
||||
ticket_key.cipher = get_config()->tls_ticket_cipher;
|
||||
ticket_key.cipher = get_config()->tls_ticket_key_cipher;
|
||||
ticket_key.hmac = EVP_sha256();
|
||||
ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);
|
||||
|
||||
@ -738,11 +738,11 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
|
||||
size_t expectedlen;
|
||||
size_t enc_keylen;
|
||||
size_t hmac_keylen;
|
||||
if (get_config()->tls_ticket_cipher == EVP_aes_128_cbc()) {
|
||||
if (get_config()->tls_ticket_key_cipher == EVP_aes_128_cbc()) {
|
||||
expectedlen = 48;
|
||||
enc_keylen = 16;
|
||||
hmac_keylen = 16;
|
||||
} else if (get_config()->tls_ticket_cipher == EVP_aes_256_cbc()) {
|
||||
} else if (get_config()->tls_ticket_key_cipher == EVP_aes_256_cbc()) {
|
||||
expectedlen = 80;
|
||||
enc_keylen = 32;
|
||||
hmac_keylen = 32;
|
||||
@ -773,7 +773,7 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
|
||||
return;
|
||||
}
|
||||
auto key = TicketKey();
|
||||
key.cipher = get_config()->tls_ticket_cipher;
|
||||
key.cipher = get_config()->tls_ticket_key_cipher;
|
||||
key.hmac = EVP_sha256();
|
||||
key.hmac_keylen = EVP_MD_size(key.hmac);
|
||||
|
||||
@ -874,18 +874,18 @@ int event_loop() {
|
||||
} else {
|
||||
bool auto_tls_ticket_key = true;
|
||||
if (!get_config()->tls_ticket_key_files.empty()) {
|
||||
if (!get_config()->tls_ticket_cipher_given) {
|
||||
if (!get_config()->tls_ticket_key_cipher_given) {
|
||||
LOG(WARN)
|
||||
<< "It is strongly recommended to specify "
|
||||
"--tls-ticket-cipher=aes-128-cbc (or "
|
||||
"tls-ticket-cipher=aes-128-cbc in configuration file) "
|
||||
"--tls-ticket-key-cipher=aes-128-cbc (or "
|
||||
"tls-ticket-key-cipher=aes-128-cbc in configuration file) "
|
||||
"when --tls-ticket-key-file is used for the smooth "
|
||||
"transition when the default value of --tls-ticket-cipher "
|
||||
"transition when the default value of --tls-ticket-key-cipher "
|
||||
"becomes aes-256-cbc";
|
||||
}
|
||||
auto ticket_keys = read_tls_ticket_key_file(
|
||||
get_config()->tls_ticket_key_files, get_config()->tls_ticket_cipher,
|
||||
EVP_sha256());
|
||||
get_config()->tls_ticket_key_files,
|
||||
get_config()->tls_ticket_key_cipher, EVP_sha256());
|
||||
if (!ticket_keys) {
|
||||
LOG(WARN) << "Use internal session ticket key generator";
|
||||
} else {
|
||||
@ -1142,8 +1142,8 @@ void fill_default_config() {
|
||||
mod_config()->header_field_buffer = 64_k;
|
||||
mod_config()->max_header_fields = 100;
|
||||
mod_config()->downstream_addr_group_catch_all = 0;
|
||||
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
|
||||
mod_config()->tls_ticket_cipher_given = false;
|
||||
mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
|
||||
mod_config()->tls_ticket_key_cipher_given = false;
|
||||
mod_config()->tls_session_timeout = std::chrono::hours(12);
|
||||
mod_config()->tls_ticket_key_memcached_max_retry = 3;
|
||||
mod_config()->tls_ticket_key_memcached_max_fail = 2;
|
||||
@ -1461,24 +1461,25 @@ SSL/TLS:
|
||||
--tls-ticket-key-file=<PATH>
|
||||
Path to file that contains random data to construct TLS
|
||||
session ticket parameters. If aes-128-cbc is given in
|
||||
--tls-ticket-cipher, the file must contain exactly 48
|
||||
bytes. If aes-256-cbc is given in --tls-ticket-cipher,
|
||||
the file must contain exactly 80 bytes. This options
|
||||
can be used repeatedly to specify multiple ticket
|
||||
parameters. If several files are given, only the first
|
||||
key is used to encrypt TLS session tickets. Other keys
|
||||
are accepted but server will issue new session ticket
|
||||
with first key. This allows session key rotation.
|
||||
Please note that key rotation does not occur
|
||||
automatically. User should rearrange files or change
|
||||
options values and restart nghttpx gracefully. If
|
||||
opening or reading given file fails, all loaded keys are
|
||||
discarded and it is treated as if none of this option is
|
||||
given. If this option is not given or an error occurred
|
||||
while opening or reading a file, key is generated every
|
||||
1 hour internally and they are valid for 12 hours. This
|
||||
is recommended if ticket key sharing between nghttpx
|
||||
instances is not required.
|
||||
--tls-ticket-key-cipher, the file must contain exactly
|
||||
48 bytes. If aes-256-cbc is given in
|
||||
--tls-ticket-key-cipher, the file must contain exactly
|
||||
80 bytes. This options can be used repeatedly to
|
||||
specify multiple ticket parameters. If several files
|
||||
are given, only the first key is used to encrypt TLS
|
||||
session tickets. Other keys are accepted but server
|
||||
will issue new session ticket with first key. This
|
||||
allows session key rotation. Please note that key
|
||||
rotation does not occur automatically. User should
|
||||
rearrange files or change options values and restart
|
||||
nghttpx gracefully. If opening or reading given file
|
||||
fails, all loaded keys are discarded and it is treated
|
||||
as if none of this option is given. If this option is
|
||||
not given or an error occurred while opening or reading
|
||||
a file, key is generated every 1 hour internally and
|
||||
they are valid for 12 hours. This is recommended if
|
||||
ticket key sharing between nghttpx instances is not
|
||||
required.
|
||||
--tls-ticket-key-memcached=<HOST>,<PORT>
|
||||
Specify address of memcached server to store session
|
||||
cache. This enables shared TLS ticket key between
|
||||
@ -1507,7 +1508,7 @@ SSL/TLS:
|
||||
disabling TLS ticket until next scheduled key retrieval.
|
||||
Default: )" << get_config()->tls_ticket_key_memcached_max_fail
|
||||
<< R"(
|
||||
--tls-ticket-cipher=<TICKET_CIPHER>
|
||||
--tls-ticket-key-cipher=<CIPHER>
|
||||
Specify cipher to encrypt TLS session ticket. Specify
|
||||
either aes-128-cbc or aes-256-cbc. By default,
|
||||
aes-128-cbc is used.
|
||||
@ -1885,7 +1886,7 @@ int main(int argc, char **argv) {
|
||||
{SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81},
|
||||
{SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82},
|
||||
{SHRPX_OPT_INCLUDE, required_argument, &flag, 83},
|
||||
{SHRPX_OPT_TLS_TICKET_CIPHER, required_argument, &flag, 84},
|
||||
{SHRPX_OPT_TLS_TICKET_KEY_CIPHER, required_argument, &flag, 84},
|
||||
{SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85},
|
||||
{SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED, required_argument, &flag, 86},
|
||||
{SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED, required_argument, &flag, 87},
|
||||
@ -2262,8 +2263,8 @@ int main(int argc, char **argv) {
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg);
|
||||
break;
|
||||
case 84:
|
||||
// --tls-ticket-cipher
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_CIPHER, optarg);
|
||||
// --tls-ticket-key-cipher
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_KEY_CIPHER, optarg);
|
||||
break;
|
||||
case 85:
|
||||
// --host-rewrite
|
||||
|
@ -704,7 +704,7 @@ enum {
|
||||
SHRPX_OPTID_SYSLOG_FACILITY,
|
||||
SHRPX_OPTID_TLS_PROTO_LIST,
|
||||
SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
|
||||
SHRPX_OPTID_TLS_TICKET_CIPHER,
|
||||
SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
|
||||
SHRPX_OPTID_TLS_TICKET_KEY_FILE,
|
||||
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
|
||||
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
|
||||
@ -1003,11 +1003,6 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||
return SHRPX_OPTID_WORKER_WRITE_RATE;
|
||||
}
|
||||
break;
|
||||
case 'r':
|
||||
if (util::strieq_l("tls-ticket-ciphe", name, 16)) {
|
||||
return SHRPX_OPTID_TLS_TICKET_CIPHER;
|
||||
}
|
||||
break;
|
||||
case 's':
|
||||
if (util::strieq_l("max-header-field", name, 16)) {
|
||||
return SHRPX_OPTID_MAX_HEADER_FIELDS;
|
||||
@ -1094,6 +1089,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||
return SHRPX_OPTID_BACKEND_TLS_SNI_FIELD;
|
||||
}
|
||||
break;
|
||||
case 'r':
|
||||
if (util::strieq_l("tls-ticket-key-ciphe", name, 20)) {
|
||||
return SHRPX_OPTID_TLS_TICKET_KEY_CIPHER;
|
||||
}
|
||||
break;
|
||||
case 't':
|
||||
if (util::strieq_l("backend-write-timeou", name, 20)) {
|
||||
return SHRPX_OPTID_BACKEND_WRITE_TIMEOUT;
|
||||
@ -1879,17 +1879,17 @@ int parse_config(const char *opt, const char *optarg,
|
||||
|
||||
return 0;
|
||||
}
|
||||
case SHRPX_OPTID_TLS_TICKET_CIPHER:
|
||||
case SHRPX_OPTID_TLS_TICKET_KEY_CIPHER:
|
||||
if (util::strieq(optarg, "aes-128-cbc")) {
|
||||
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
|
||||
mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
|
||||
} else if (util::strieq(optarg, "aes-256-cbc")) {
|
||||
mod_config()->tls_ticket_cipher = EVP_aes_256_cbc();
|
||||
mod_config()->tls_ticket_key_cipher = EVP_aes_256_cbc();
|
||||
} else {
|
||||
LOG(ERROR) << opt
|
||||
<< ": unsupported cipher for ticket encryption: " << optarg;
|
||||
return -1;
|
||||
}
|
||||
mod_config()->tls_ticket_cipher_given = true;
|
||||
mod_config()->tls_ticket_key_cipher_given = true;
|
||||
|
||||
return 0;
|
||||
case SHRPX_OPTID_HOST_REWRITE:
|
||||
|
@ -171,7 +171,7 @@ constexpr char SHRPX_OPT_NO_OCSP[] = "no-ocsp";
|
||||
constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer";
|
||||
constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields";
|
||||
constexpr char SHRPX_OPT_INCLUDE[] = "include";
|
||||
constexpr char SHRPX_OPT_TLS_TICKET_CIPHER[] = "tls-ticket-cipher";
|
||||
constexpr char SHRPX_OPT_TLS_TICKET_KEY_CIPHER[] = "tls-ticket-key-cipher";
|
||||
constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite";
|
||||
constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] =
|
||||
"tls-session-cache-memcached";
|
||||
@ -320,7 +320,7 @@ struct Config {
|
||||
nghttp2_session_callbacks *http2_downstream_callbacks;
|
||||
nghttp2_option *http2_option;
|
||||
nghttp2_option *http2_client_option;
|
||||
const EVP_CIPHER *tls_ticket_cipher;
|
||||
const EVP_CIPHER *tls_ticket_key_cipher;
|
||||
const char *server_name;
|
||||
char **argv;
|
||||
char *cwd;
|
||||
@ -403,8 +403,8 @@ struct Config {
|
||||
// true if host contains UNIX domain socket path
|
||||
bool host_unix;
|
||||
bool no_ocsp;
|
||||
// true if --tls-ticket-cipher is used
|
||||
bool tls_ticket_cipher_given;
|
||||
// true if --tls-ticket-key-cipher is used
|
||||
bool tls_ticket_key_cipher_given;
|
||||
};
|
||||
|
||||
const Config *get_config();
|
||||
|
@ -338,7 +338,7 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
|
||||
|
||||
std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);
|
||||
|
||||
EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_cipher, nullptr,
|
||||
EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_key_cipher, nullptr,
|
||||
key.data.enc_key.data(), iv);
|
||||
HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
|
||||
nullptr);
|
||||
|
Loading…
Reference in New Issue
Block a user