Repository: trafficserver
Updated Branches:
  refs/heads/master 1d617582b -> 5fe69772a


TS-2480: Fix to work in the case where there are no ticket key files but 
tickets have not been disabled. Also fix RHEL 5 compile error.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5fe69772
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5fe69772
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5fe69772

Branch: refs/heads/master
Commit: 5fe69772aa7e5e841349f3426a997930b44c0ff5
Parents: 1d61758
Author: shinrich <shinr...@yahoo-inc.com>
Authored: Thu Feb 5 19:24:08 2015 -0600
Committer: shinrich <shinr...@yahoo-inc.com>
Committed: Thu Feb 5 21:32:26 2015 -0600

----------------------------------------------------------------------
 iocore/net/SSLUtils.cc | 45 ++++++++++++++++++++++++++-------------------
 1 file changed, 26 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fe69772/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 055d396..f0265c6 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -543,28 +543,34 @@ ssl_context_enable_tickets(SSL_CTX * ctx, const char * 
ticket_key_path)
       Error("failed to read SSL session ticket key from %s", (const char 
*)ticket_key_path);
       goto fail;
     }
+  } else {
+     // Generate a random ticket key
+     ticket_key_len = 48;
+     ticket_key_data = (char *)ats_malloc(ticket_key_len);
+     char *tmp_ptr = ticket_key_data;
+     RAND_bytes(reinterpret_cast<unsigned char *>(tmp_ptr), ticket_key_len);
+  }
 
-    num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t);
-    if (num_ticket_keys == 0) {
-      Error("SSL session ticket key from %s is too short (>= 48 bytes are 
required)", (const char *)ticket_key_path);
-      goto fail;
-    }
+  num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t);
+  if (num_ticket_keys == 0) {
+    Error("SSL session ticket key from %s is too short (>= 48 bytes are 
required)", (const char *)ticket_key_path);
+    goto fail;
+  }
 
-    // Increase the stats.
-    if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run.
-      SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat);
-    }
+  // Increase the stats.
+  if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run.
+    SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat);
+  }
 
-    keyblock = ticket_block_alloc(num_ticket_keys);
+  keyblock = ticket_block_alloc(num_ticket_keys);
 
-    // Slurp all the keys in the ticket key file. We will encrypt with the 
first key, and decrypt
-    // with any key (for rotation purposes).
-    for (unsigned i = 0; i < num_ticket_keys; ++i) {
-      const char * data = (const char *)ticket_key_data + (i * 
sizeof(ssl_ticket_key_t));
-      memcpy(keyblock->keys[i].key_name, data, 
sizeof(ssl_ticket_key_t::key_name));
-      memcpy(keyblock->keys[i].hmac_secret, data + 
sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret));
-      memcpy(keyblock->keys[i].aes_key, data + 
sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), 
sizeof(ssl_ticket_key_t::aes_key));
-    }
+  // Slurp all the keys in the ticket key file. We will encrypt with the first 
key, and decrypt
+  // with any key (for rotation purposes).
+  for (unsigned i = 0; i < num_ticket_keys; ++i) {
+    const char * data = (const char *)ticket_key_data + (i * 
sizeof(ssl_ticket_key_t));
+    memcpy(keyblock->keys[i].key_name, data, 
sizeof(ssl_ticket_key_t::key_name));
+    memcpy(keyblock->keys[i].hmac_secret, data + 
sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret));
+    memcpy(keyblock->keys[i].aes_key, data + 
sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), 
sizeof(ssl_ticket_key_t::aes_key));
   }
 
   // Setting the callback can only fail if OpenSSL does not recognize the
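Review bot: The return value of `RAND_bytes` in the new else branch (L46) is never checked, so if the OpenSSL PRNG is not seeded or fails, the freshly `ats_malloc`'d buffer is used as the session ticket key anyway — and that key is what protects every resumed session's secrets. `RAND_bytes` returns 1 on success; treat anything else as fatal and take the existing `fail` path (this assumes `fail:` releases `ticket_key_data` the same way it does after the file-read error at L37–L39, which is outside this hunk). While there, the hard-coded `48` should be `sizeof(ssl_ticket_key_t)`, since that is what `num_ticket_keys` is computed from at L55 and what the memcpy layout at L94–L100 consumes; and the `tmp_ptr` alias on L45 adds nothing. Note also that the "too short" error at L57 prints `ticket_key_path`, which on the generated-key path presumably is NULL/empty — it should not be reachable once the length is `sizeof(ssl_ticket_key_t)`, but worth confirming. The enclosing ssl_context_enable_tickets starts and ends outside this hunk.
```cpp
  } else {
    // No ticket key file configured: generate one random key for this context.
    ticket_key_len = sizeof(ssl_ticket_key_t);
    ticket_key_data = (char *)ats_malloc(ticket_key_len);
    if (RAND_bytes(reinterpret_cast<unsigned char *>(ticket_key_data), ticket_key_len) != 1) {
      Error("failed to generate a random SSL session ticket key");
      goto fail;
    }
  }
  // … unchanged: num_ticket_keys check, stats, keyblock fill …
```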
@@ -1771,10 +1777,11 @@ ssl_store_ssl_context(
   if (SSLConfigParams::init_ssl_ctx_cb) {
     SSLConfigParams::init_ssl_ctx_cb(ctx, true);
   }
+#if HAVE_OPENSSL_SESSION_TICKETS
   if (!inserted && keyblock != NULL) {
     ticket_block_free(keyblock);
   }
-
+#endif
   return ctx;
 }
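Review bot: The new `#if HAVE_OPENSSL_SESSION_TICKETS` guard around the `ticket_block_free` call gives no hint why it is needed, which will puzzle the next reader who sees an unconditional-looking `keyblock`. If, as the RHEL 5 compile fix in the commit message suggests, `keyblock`/`inserted` are only declared under the same guard earlier in ssl_store_ssl_context (outside this hunk), say so: `// keyblock only exists when session tickets are compiled in (see declaration above)`. If they are declared unconditionally, the guard is not needed and the free should stay unconditional so the block is not leaked on builds without ticket support.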
 
