dnsdist: move the setTicketsKeyAddedHook to a unique callback for eve…

…ry tls context
chbruyand · Jun 27, 2024 · 195f89a · 195f89a
1 parent 3cf627a
commit 195f89a
Show file tree

Hide file tree

Showing 11 changed files with 65 additions and 113 deletions.
diff --git a/pdns/dnsdistdist/dnsdist-doh-common.cc b/pdns/dnsdistdist/dnsdist-doh-common.cc
@@ -94,11 +94,6 @@ void DOHFrontend::rotateTicketsKey(time_t now)
   return d_tlsContext.rotateTicketsKey(now);
 }
 
-void DOHFrontend::setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook)
-{
-  return d_tlsContext.setTicketsKeyAddedHook(hook);
-}
-
 void DOHFrontend::loadTicketsKeys(const std::string& keyFile)
 {
   return d_tlsContext.loadTicketsKeys(keyFile);

diff --git a/pdns/dnsdistdist/dnsdist-doh-common.hh b/pdns/dnsdistdist/dnsdist-doh-common.hh
@@ -162,10 +162,6 @@ struct DOHFrontend
   {
   }
 
-  virtual void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& /* hook */)
-  {
-  }
-
   virtual void loadTicketsKeys(const std::string& /* keyFile */)
   {
   }
@@ -189,7 +185,6 @@ struct DOHFrontend
   virtual void setup();
   virtual void reloadCertificates();
 
-  virtual void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook);
   virtual void rotateTicketsKey(time_t now);
   virtual void loadTicketsKeys(const std::string& keyFile);
   virtual void handleTicketsKeyRotation();

diff --git a/pdns/dnsdistdist/dnsdist-lua-hooks.cc b/pdns/dnsdistdist/dnsdist-lua-hooks.cc
@@ -2,6 +2,7 @@
 #include "dnsdist-lua-hooks.hh"
 #include "dnsdist-lua.hh"
 #include "lock.hh"
+#include "tcpiohandler.hh"
 
 namespace dnsdist::lua::hooks
 {
@@ -26,12 +27,28 @@ void clearMaintenanceHooks()
   s_maintenanceHooks.lock()->clear();
 }
 
+void setTicketsKeyAddedHook(const LuaContext& context, const TicketsKeyAddedHook& hook)
+{
+  TLSCtx::setTicketsKeyAddedHook([hook](const std::string& key) {
+    try {
+      hook(key.c_str(), key.size());
+    }
+    catch (const std::exception& exp) {
+      warnlog("Error calling the Lua hook after new tickets key has been added", exp.what());
+    }
+  });
+}
+
 void setupLuaHooks(LuaContext& luaCtx)
 {
   luaCtx.writeFunction("addMaintenanceCallback", [&luaCtx](const MaintenanceCallback& callback) {
     setLuaSideEffect();
     addMaintenanceCallback(luaCtx, callback);
   });
+  luaCtx.writeFunction("setTicketsKeyAddedHook", [&luaCtx](const TicketsKeyAddedHook& hook) {
+    setLuaSideEffect();
+    setTicketsKeyAddedHook(luaCtx, hook);
+  });
 }
 
 }
diff --git a/pdns/dnsdistdist/dnsdist-lua-hooks.hh b/pdns/dnsdistdist/dnsdist-lua-hooks.hh
@@ -28,8 +28,11 @@ class LuaContext;
 namespace dnsdist::lua::hooks
 {
 using MaintenanceCallback = std::function<void()>;
+using TicketsKeyAddedHook = std::function<void(const char*, size_t)>;
+
 void runMaintenanceHooks(const LuaContext& context);
 void addMaintenanceCallback(const LuaContext& context, MaintenanceCallback callback);
+void setTicketsKeyAddedHook(const LuaContext& context, const TicketsKeyAddedHook& hook);
 void clearMaintenanceHooks();
 void setupLuaHooks(LuaContext& luaCtx);
 }
diff --git a/pdns/dnsdistdist/dnsdist-lua.cc b/pdns/dnsdistdist/dnsdist-lua.cc
@@ -3011,13 +3011,6 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
     }
   });
 
-
-  luaCtx.registerFunction<void (std::shared_ptr<DOHFrontend>::*)(const dnsdist_tickets_key_added_hook&)>("setTicketsKeyAddedHook", [](const std::shared_ptr<DOHFrontend>& frontend, const dnsdist_tickets_key_added_hook& hook) {
-    if (frontend != nullptr) {
-      frontend->setTicketsKeyAddedHook(hook);
-    }
-  });
-
   luaCtx.registerFunction<void (std::shared_ptr<DOHFrontend>::*)(const LuaArray<std::shared_ptr<DOHResponseMapEntry>>&)>("setResponsesMap", [](const std::shared_ptr<DOHFrontend>& frontend, const LuaArray<std::shared_ptr<DOHResponseMapEntry>>& map) {
     if (frontend != nullptr) {
       auto newMap = std::make_shared<std::vector<std::shared_ptr<DOHResponseMapEntry>>>();
@@ -3215,12 +3208,6 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
     }
   });
 
-  luaCtx.registerFunction<void (std::shared_ptr<TLSCtx>::*)(const dnsdist_tickets_key_added_hook&)>("setTicketsKeyAddedHook", [](const std::shared_ptr<TLSCtx>& frontend, const dnsdist_tickets_key_added_hook& hook) {
-    if (frontend != nullptr) {
-      frontend->setTicketsKeyAddedHook(hook);
-    }
-  });
-
   luaCtx.registerFunction<void (std::shared_ptr<TLSCtx>::*)(const std::string&)>("loadTicketsKeys", [](std::shared_ptr<TLSCtx>& ctx, const std::string& file) {
     if (ctx != nullptr) {
       ctx->loadTicketsKeys(file);
@@ -3234,16 +3221,6 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
     return frontend->d_addr.toStringWithPort();
   });
 
-  luaCtx.registerFunction<void (std::shared_ptr<TLSFrontend>::*)(const dnsdist_tickets_key_added_hook&)>("setTicketsKeyAddedHook", [](const std::shared_ptr<TLSFrontend>& frontend, const dnsdist_tickets_key_added_hook& hook) {
-    if (frontend == nullptr) {
-      return;
-    }
-      auto ctx = frontend->getContext();
-    if (ctx) {
-      ctx->setTicketsKeyAddedHook(hook);
-    }
-  });
-
   luaCtx.registerFunction<void (std::shared_ptr<TLSFrontend>::*)()>("rotateTicketsKey", [](std::shared_ptr<TLSFrontend>& frontend) {
     if (frontend == nullptr) {
       return;

diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst
@@ -2173,6 +2173,17 @@ Other functions
   Code is supplied as a string, not as a function object.
   Note that this function does nothing in 'client' or 'config-check' modes.
 
+.. function:: setTicketsKeyAddedHook(callback)
+
+  .. versionadded:: 1.9.0
+
+  Set a Lua function that will be called everytime a new tickets key is added. The function receives:
+
+  * the key content as a string
+  * the keylen as an integer
+
+  See :doc:`../advanced/tls-sessions-management` for more information.
+
 .. function:: submitToMainThread(cmd, dict)
 
   .. versionadded:: 1.8.0
@@ -2322,17 +2333,6 @@ DOHFrontend
 
      Replace the current TLS tickets key by a new random one.
 
-  .. method:: DOHFrontend:setTicketsKeyAddedHook(callback)
-
-     .. versionadded:: 1.9.0
-
-    Set a Lua function that will be called everytime a new tickets key is added. The function receives:
-
-    * the key content as a string
-    * the keylen as an integer
-
-    See :doc:`../advanced/tls-sessions-management` for more information.
-
   .. method:: DOHFrontend:setResponsesMap(rules)
 
      Set a list of HTTP response rules allowing to intercept HTTP queries very early, before the DNS payload has been processed, and send custom responses including error pages, redirects and static content.
@@ -2475,17 +2475,6 @@ TLSContext
 
      Replace the current TLS tickets key by a new random one.
 
-  .. method:: TLSContext:setTicketsKeyAddedHook(callback)
-
-     .. versionadded:: 1.9.0
-
-    Set a Lua function that will be called everytime a new tickets key is added. The function receives:
-
-    * the key content as a string
-    * the keylen as an integer
-
-    See :doc:`../advanced/tls-sessions-management` for more information.
-
 TLSFrontend
 ~~~~~~~~~~~
 
@@ -2527,17 +2516,6 @@ TLSFrontend
 
      Replace the current TLS tickets key by a new random one.
 
-  .. method:: TLSFrontend:setTicketsKeyAddedHook(callback)
-
-     .. versionadded:: 1.9.0
-
-    Set a Lua function that will be called everytime a new tickets key is added. The function receives:
-
-    * the key content as a string
-    * the keylen as an integer
-
-    See :doc:`../advanced/tls-sessions-management` for more information.
-
 EDNS on Self-generated answers
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/pdns/libssl.cc b/pdns/libssl.cc
@@ -42,6 +42,7 @@
 
 #undef CERT
 #include "misc.hh"
+#include "tcpiohandler.hh"
 
 #if (OPENSSL_VERSION_NUMBER < 0x1010000fL || (defined LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2090100fL)
 /* OpenSSL < 1.1.0 needs support for threading/locking in the calling application. */
@@ -631,18 +632,13 @@ OpenSSLTLSTicketKeysRing::~OpenSSLTLSTicketKeysRing() = default;
 void OpenSSLTLSTicketKeysRing::addKey(std::shared_ptr<OpenSSLTLSTicketKey>&& newKey)
 {
   d_ticketKeys.write_lock()->push_front(std::move(newKey));
-  if (d_ticketsKeyAddedHook) {
+  if (TLSCtx::hasTicketsKeyAddedHook()) {
     auto key = d_ticketKeys.read_lock()->front();
     auto keyContent = key->content();
-    d_ticketsKeyAddedHook(keyContent.c_str(), keyContent.size());
+    TLSCtx::getTicketsKeyAddedHook()(keyContent);
   }
 }
 
-void OpenSSLTLSTicketKeysRing::setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook)
-{
-  d_ticketsKeyAddedHook = hook;
-}
-
 std::shared_ptr<OpenSSLTLSTicketKey> OpenSSLTLSTicketKeysRing::getEncryptionKey()
 {
   return d_ticketKeys.read_lock()->front();

diff --git a/pdns/libssl.hh b/pdns/libssl.hh
@@ -112,8 +112,6 @@ private:
   unsigned char d_hmacKey[TLS_TICKETS_MAC_KEY_SIZE];
 };
 
-using dnsdist_tickets_key_added_hook = std::function<void(const char* key, size_t keyLen)>;
-
 class OpenSSLTLSTicketKeysRing
 {
 public:
@@ -124,11 +122,9 @@ public:
   size_t getKeysCount();
   void loadTicketsKeys(const std::string& keyFile);
   void rotateTicketsKey(time_t now);
-  void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook);
 
 private:
   void addKey(std::shared_ptr<OpenSSLTLSTicketKey>&& newKey);
-  dnsdist_tickets_key_added_hook d_ticketsKeyAddedHook;
   SharedLockGuarded<boost::circular_buffer<std::shared_ptr<OpenSSLTLSTicketKey> > > d_ticketKeys;
 };
 

diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
@@ -22,6 +22,7 @@ const bool TCPIOHandler::s_disableConnectForUnitTests = false;
 
 #include "libssl.hh"
 
+dnsdist_tickets_key_added_hook TLSCtx::s_ticketsKeyAddedHook{nullptr};
 
 class OpenSSLFrontendContext
 {
@@ -813,11 +814,6 @@ class OpenSSLTLSIOCtx: public TLSCtx
     }
   }
 
-  void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook) override
-  {
-    d_feContext->d_ticketKeys.setTicketsKeyAddedHook(hook);
-  }
-
   void loadTicketsKeys(const std::string& keyFile) final
   {
     d_feContext->d_ticketKeys.loadTicketsKeys(keyFile);
@@ -1743,19 +1739,12 @@ class GnuTLSIOCtx: public TLSCtx
     return connection;
   }
 
-  void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook) override
-  {
-    d_ticketsKeyAddedHook = hook;
-  }
-
-  void rotateTicketsKey(time_t now) override
+  void addTicketsKey(time_t now, std::shared_ptr<GnuTLSTicketsKey>&& newKey)
   {
     if (!d_enableTickets) {
       return;
     }
 
-    auto newKey = std::make_shared<GnuTLSTicketsKey>();
-
     {
       *(d_ticketsKey.write_lock()) = std::move(newKey);
     }
@@ -1764,27 +1753,29 @@ class GnuTLSIOCtx: public TLSCtx
       d_ticketsKeyNextRotation = now + d_ticketsKeyRotationDelay;
     }
 
-    if (d_ticketsKeyAddedHook) {
+    if (TLSCtx::hasTicketsKeyAddedHook()) {
       auto ticketsKey = *(d_ticketsKey.read_lock());
       auto content = ticketsKey->content();
-      d_ticketsKeyAddedHook(content.c_str(), content.size());
+      TLSCtx::getTicketsKeyAddedHook()(content);
     }
   }
+  void rotateTicketsKey(time_t now) override
+  {
+    if (!d_enableTickets) {
+      return;
+    }
 
+    auto newKey = std::make_shared<GnuTLSTicketsKey>();
+    addTicketsKey(now, std::move(newKey));
+  }
   void loadTicketsKeys(const std::string& file) final
   {
     if (!d_enableTickets) {
       return;
     }
 
     auto newKey = std::make_shared<GnuTLSTicketsKey>(file);
-    {
-      *(d_ticketsKey.write_lock()) = std::move(newKey);
-    }
-
-    if (d_ticketsKeyRotationDelay > 0) {
-      d_ticketsKeyNextRotation = time(nullptr) + d_ticketsKeyRotationDelay;
-    }
+    addTicketsKey(time(nullptr), std::move(newKey));
   }
 
   size_t getTicketsKeysCount() override
@@ -1816,7 +1807,6 @@ class GnuTLSIOCtx: public TLSCtx
   SharedLockGuarded<std::shared_ptr<GnuTLSTicketsKey>> d_ticketsKey{nullptr};
   bool d_enableTickets{true};
   bool d_validateCerts{true};
-  dnsdist_tickets_key_added_hook d_ticketsKeyAddedHook;
 };
 
 #endif /* HAVE_GNUTLS */

diff --git a/pdns/tcpiohandler.hh b/pdns/tcpiohandler.hh
@@ -66,6 +66,8 @@ protected:
   bool d_resumedFromInactiveTicketKey{false};
 };
 
+using dnsdist_tickets_key_added_hook = std::function<void(const std::string& key)>;
+
 class TLSCtx
 {
 public:
@@ -81,11 +83,6 @@ public:
   {
     throw std::runtime_error("This TLS backend does not have the capability to load a tickets key from a file");
   }
-  virtual void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& /* hook */)
-  {
-    throw std::runtime_error("This TLS backend does not have the capability to setup a hook for added tickets keys");
-  }
-
   void handleTicketsKeyRotation(time_t now)
   {
     if (d_ticketsKeyRotationDelay != 0 && now > d_ticketsKeyNextRotation) {
@@ -128,10 +125,25 @@ public:
     return false;
   }
 
+  static void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook)
+  {
+    TLSCtx::s_ticketsKeyAddedHook = hook;
+  }
+  static const dnsdist_tickets_key_added_hook& getTicketsKeyAddedHook()
+  {
+    return TLSCtx::s_ticketsKeyAddedHook;
+  }
+  static bool hasTicketsKeyAddedHook()
+  {
+    return TLSCtx::s_ticketsKeyAddedHook != nullptr;
+  }
 protected:
   std::atomic_flag d_rotatingTicketsKey;
   std::atomic<time_t> d_ticketsKeyNextRotation{0};
   time_t d_ticketsKeyRotationDelay{0};
+
+private:
+  static dnsdist_tickets_key_added_hook s_ticketsKeyAddedHook;
 };
 
 class TLSFrontend
@@ -156,13 +168,6 @@ public:
     }
   }
 
-  void setTicketsKeyAddedHook(const dnsdist_tickets_key_added_hook& hook)
-  {
-    if (d_ctx != nullptr) {
-      d_ctx->setTicketsKeyAddedHook(hook);
-    }
-  }
-
   void loadTicketsKeys(const std::string& file)
   {
     if (d_ctx != nullptr) {