Repository: trafficserver Updated Branches: refs/heads/master 1d617582b -> 5fe69772a
TS-2480: Fix to work in the case where there are no ticket key files but tickets have not been disabled. Also fix RHEL 5 compile error. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5fe69772 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5fe69772 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5fe69772 Branch: refs/heads/master Commit: 5fe69772aa7e5e841349f3426a997930b44c0ff5 Parents: 1d61758 Author: shinrich <shinr...@yahoo-inc.com> Authored: Thu Feb 5 19:24:08 2015 -0600 Committer: shinrich <shinr...@yahoo-inc.com> Committed: Thu Feb 5 21:32:26 2015 -0600 ---------------------------------------------------------------------- iocore/net/SSLUtils.cc | 45 ++++++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fe69772/iocore/net/SSLUtils.cc ----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 055d396..f0265c6 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -543,28 +543,34 @@ ssl_context_enable_tickets(SSL_CTX * ctx, const char * ticket_key_path)
 Error("failed to read SSL session ticket key from %s", (const char *)ticket_key_path);
 goto fail;
 }
+ } else {
+ // Generate a random ticket key
+ ticket_key_len = 48;
+ ticket_key_data = (char *)ats_malloc(ticket_key_len);
+ char *tmp_ptr = ticket_key_data;
+ RAND_bytes(reinterpret_cast<unsigned char *>(tmp_ptr), ticket_key_len);
+ }
- num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t);
- if (num_ticket_keys == 0) {
- Error("SSL session ticket key from %s is too short (>= 48 bytes are required)", (const char *)ticket_key_path);
- goto fail;
- }
+ num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t);
+ if (num_ticket_keys == 0) {
+ Error("SSL session ticket key from %s is too short (>= 48 bytes are required)", (const char *)ticket_key_path);
+ goto fail;
+ }
- // Increase the stats.
- if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run.
- SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat);
- }
+ // Increase the stats.
+ if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run.
+ SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat);
+ }
- keyblock = ticket_block_alloc(num_ticket_keys);
+ keyblock = ticket_block_alloc(num_ticket_keys);
- // Slurp all the keys in the ticket key file. We will encrypt with the first key, and decrypt
- // with any key (for rotation purposes).
- for (unsigned i = 0; i < num_ticket_keys; ++i) {
- const char * data = (const char *)ticket_key_data + (i * sizeof(ssl_ticket_key_t));
- memcpy(keyblock->keys[i].key_name, data, sizeof(ssl_ticket_key_t::key_name));
- memcpy(keyblock->keys[i].hmac_secret, data + sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret));
- memcpy(keyblock->keys[i].aes_key, data + sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), sizeof(ssl_ticket_key_t::aes_key));
- }
+ // Slurp all the keys in the ticket key file. We will encrypt with the first key, and decrypt
+ // with any key (for rotation purposes).
+ for (unsigned i = 0; i < num_ticket_keys; ++i) {
+ const char * data = (const char *)ticket_key_data + (i * sizeof(ssl_ticket_key_t));
+ memcpy(keyblock->keys[i].key_name, data, sizeof(ssl_ticket_key_t::key_name));
+ memcpy(keyblock->keys[i].hmac_secret, data + sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret));
+ memcpy(keyblock->keys[i].aes_key, data + sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), sizeof(ssl_ticket_key_t::aes_key));
 }
 // Setting the callback can only fail if OpenSSL does not recognize the
@@ -1771,10 +1777,11 @@ ssl_store_ssl_context(
 if (SSLConfigParams::init_ssl_ctx_cb) {
 SSLConfigParams::init_ssl_ctx_cb(ctx, true);
 }
+#if HAVE_OPENSSL_SESSION_TICKETS
 if (!inserted && keyblock != NULL) {
 ticket_block_free(keyblock);
 }
-
+#endif
 return ctx;
 }
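Review bot: `RAND_bytes` in the new else-branch of ssl_context_enable_tickets is called without checking its return value, so if the RNG fails (it returns 0, or -1 on older OpenSSL, e.g. when unseeded) the freshly `ats_malloc`'d buffer is used as the ticket key with whatever contents it had, and tickets get encrypted under a non-random key with no log line to show it. Treat it like the file-read path just above: `if (RAND_bytes(reinterpret_cast<unsigned char *>(tmp_ptr), ticket_key_len) != 1) { Error("failed to generate SSL session ticket key"); goto fail; }`. The literal `48` on the `ticket_key_len = 48;` line duplicates the struct size the `num_ticket_keys` division depends on; `ticket_key_len = sizeof(ssl_ticket_key_t);` keeps the two in step if the layout of ssl_ticket_key_t ever changes. The "too short" `Error` still prints `ticket_key_path` with `%s`, which on the random-key branch is presumably NULL — unreachable for a 48-byte key today, but the message should not rely on that. The function starts before this hunk, so the condition that selects the new branch is not visible here.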