diff --git a/pdns/dnsdistdist/dnsdist-lua-hooks.cc b/pdns/dnsdistdist/dnsdist-lua-hooks.cc
index a5e984e3056e1..2904cd37926a0 100644
--- a/pdns/dnsdistdist/dnsdist-lua-hooks.cc
+++ b/pdns/dnsdistdist/dnsdist-lua-hooks.cc
@@ -6,6 +6,9 @@
 namespace dnsdist::lua::hooks
 {
+using MaintenanceCallback = std::function;
+using TicketsKeyAddedHook = std::function;
+
 static LockGuarded> s_maintenanceHooks;
 void runMaintenanceHooks(const LuaContext& context)
@@ -16,7 +19,7 @@ void runMaintenanceHooks(const LuaContext& context)
 }
 }
-void addMaintenanceCallback(const LuaContext& context, MaintenanceCallback callback)
+static void addMaintenanceCallback(const LuaContext& context, MaintenanceCallback callback)
 {
 (void)context;
 s_maintenanceHooks.lock()->push_back(std::move(callback));
@@ -27,7 +30,7 @@ void clearMaintenanceHooks()
 s_maintenanceHooks.lock()->clear();
 }
-void setTicketsKeyAddedHook(const LuaContext& context, const TicketsKeyAddedHook& hook)
+static void setTicketsKeyAddedHook(const LuaContext& context, const TicketsKeyAddedHook& hook)
 {
 TLSCtx::setTicketsKeyAddedHook([hook](const std::string& key) {
 try {
@@ -35,7 +38,7 @@ void setTicketsKeyAddedHook(const LuaContext& context, const TicketsKeyAddedHook
 hook(key.c_str(), key.size());
 }
 catch (const std::exception& exp) {
- warnlog("Error calling the Lua hook after new tickets key has been added", exp.what());
+ warnlog("Error calling the Lua hook after new tickets key has been added: %s", exp.what());
 }
 });
 }
diff --git a/pdns/dnsdistdist/dnsdist-lua-hooks.hh b/pdns/dnsdistdist/dnsdist-lua-hooks.hh
index 8cbb7c903ae91..e35c0f10ac5f9 100644
--- a/pdns/dnsdistdist/dnsdist-lua-hooks.hh
+++ b/pdns/dnsdistdist/dnsdist-lua-hooks.hh
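Review bot: In the `@@ -27,7 +30,7 @@` hunk the `context` parameter of the now-static `setTicketsKeyAddedHook` is not referenced in the visible body, whereas the sibling `addMaintenanceCallback` in the hunk above explicitly silences the same unused parameter with `(void)context;`; under `-Wunused-parameter` this one will warn. For consistency either add `(void)context;` as the first statement of the body or declare it as `[[maybe_unused]] const LuaContext& context`. The body continues past the hunk, so if `context` is used further down this can be dropped. It would also help to state above the `TLSCtx::setTicketsKeyAddedHook(` call that the captured `hook` is a copy stored by TLSCtx and invoked later from the key-rotation path (`addKey` in libssl.cc), not from the thread that registered it, since the wrapper only shields the caller from `std::exception`.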
@@ -27,12 +27,7 @@ class LuaContext;
 namespace dnsdist::lua::hooks
 {
-using MaintenanceCallback = std::function;
-using TicketsKeyAddedHook = std::function;
-
 void runMaintenanceHooks(const LuaContext& context);
-void addMaintenanceCallback(const LuaContext& context, MaintenanceCallback callback);
-void setTicketsKeyAddedHook(const LuaContext& context, const TicketsKeyAddedHook& hook);
 void clearMaintenanceHooks();
 void setupLuaHooks(LuaContext& luaCtx);
 }
diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst
index 80ad8ab46546d..7e8165968ab1c 100644
--- a/pdns/dnsdistdist/docs/reference/config.rst
+++ b/pdns/dnsdistdist/docs/reference/config.rst
@@ -2175,7 +2175,7 @@ Other functions
 .. function:: setTicketsKeyAddedHook(callback)
- .. versionadded:: 1.9.0
+ .. versionadded:: 1.9.6
 Set a Lua function that will be called everytime a new tickets key is added. The function receives:
diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index 4a2299a37a168..3f1a86b0ceb40 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -636,6 +636,8 @@ void OpenSSLTLSTicketKeysRing::addKey(std::shared_ptr&& new
 auto key = d_ticketKeys.read_lock()->front();
 auto keyContent = key->content();
 TLSCtx::getTicketsKeyAddedHook()(keyContent);
+ // fills mem with 0's
+ OPENSSL_cleanse(keyContent.data(), keyContent.size());
 }
 }
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 094a3e8baa955..931da271bd2c4 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -994,6 +994,7 @@ class GnuTLSTicketsKey
 if (d_key.data != nullptr && d_key.size > 0) {
 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
 result.append(reinterpret_cast(d_key.data), d_key.size);
+ safe_memory_lock(result.data(), result.size());
 }
 return result;
 }
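Review bot: In the libssl.cc hunk the new `OPENSSL_cleanse(keyContent.data(), keyContent.size())` is skipped whenever `TLSCtx::getTicketsKeyAddedHook()(keyContent)` throws, so on that path the local copy of the tickets key is destroyed unwiped; the Lua wrapper in dnsdist-lua-hooks.cc catches `std::exception`, but nothing in `addKey` guarantees every hook installed through `TLSCtx::setTicketsKeyAddedHook` does the same. Tying the wipe to scope exit closes the gap regardless of the hook, e.g. declaring right after `auto keyContent = key->content();` a one-line guard such as `struct Wipe { std::string& s; ~Wipe() { OPENSSL_cleanse(s.data(), s.size()); } } wipe{keyContent};` and dropping the explicit cleanse. The comment `// fills mem with 0's` would be more useful as `// wipe our copy of the key; the hook may have copied it elsewhere (a Lua string lives until collected)`, because the hook receives the raw bytes via `hook(key.c_str(), key.size())` and this cleanse cannot reach those copies. `addKey` begins before the hunk.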
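Review bot: In the tcpiohandler.cc `@@ -994,6 +994,7 @@` hunk, `safe_memory_lock(result.data(), result.size())` is applied to a local that is returned by value on the next line, so the lock only follows the bytes if the string's heap buffer is moved out (NRVO or move); for a key short enough to fit the small-string buffer the bytes are copied into the caller's object and the locked region is the dying local. The lock also applies to every caller of `content()`, while the matching `safe_memory_release` appears only in the GnuTLSIOCtx hook path in this diff; any other caller would inherit a locked copy that is never released, assuming none exists that I cannot see. Locking and releasing in the one caller that makes the copy, as the OpenSSL side does with `OPENSSL_cleanse` inside `addKey`, keeps both ends in a single scope; at minimum a comment above `return result;` such as `// the returned copy is mlock'ed; the caller must safe_memory_release() it` should state the contract. `content()` begins before the hunk.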
@@ -1758,6 +1759,7 @@ class GnuTLSIOCtx: public TLSCtx
 auto ticketsKey = *(d_ticketsKey.read_lock());
 auto content = ticketsKey->content();
 TLSCtx::getTicketsKeyAddedHook()(content);
+ safe_memory_release(content.data(), content.size());
 }
 }
 void rotateTicketsKey(time_t now) override
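Review bot: `safe_memory_release(content.data(), content.size())` only runs on the non-throwing path; if `TLSCtx::getTicketsKeyAddedHook()(content)` throws, the locked copy `content` is destroyed without being released or scrubbed, the same gap as on the OpenSSL side. A small RAII holder declared right after `auto content = ticketsKey->content();` whose destructor calls `safe_memory_release(content.data(), content.size());` makes the release unconditional and lets the explicit call go. The two backends also differ in what they do with the copy, `OPENSSL_cleanse` in `addKey` versus `safe_memory_release` here; if `safe_memory_release` only unlocks rather than zeroing under some build configuration, the key copy would survive in this path, which is worth confirming against its definition and recording in a comment on the new line. The enclosing function starts before the hunk.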