details: http://hg.nginx.org/nginx/rev/dfa626cdde6b branches: changeset: 6687:dfa626cdde6b user: Sergey Kandaurov <pluk...@nginx.com> date: Mon Sep 12 18:57:42 2016 +0300 description: SSL: improved session ticket callback error handling.
Prodded by Guido Vranken. diffstat: src/event/ngx_event_openssl.c | 35 ++++++++++++++++++++++++++++++++--- 1 files changed, 32 insertions(+), 3 deletions(-) diffs (54 lines):
diff -r f28e74f02c88 -r dfa626cdde6b src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Sep 12 18:57:42 2016 +0300
+++ b/src/event/ngx_event_openssl.c Mon Sep 12 18:57:42 2016 +0300
@@ -2982,9 +2982,26 @@ ngx_ssl_session_ticket_key_callback(ngx_
 ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
 SSL_session_reused(ssl_conn) ? "reused" : "new");
 
- RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
- EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv);
+ if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed");
+ return -1;
+ }
+
+ if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+ "EVP_EncryptInit_ex() failed");
+ return -1;
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if (HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+ }
+#else
 HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL);
+#endif
+
 ngx_memcpy(name, key[0].name, 16);
 
 return 1;
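Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x10000000L` guard around HMAC_Init_ex() does not say why the older branch is left unchecked; a one-line comment such as `/* HMAC_Init_ex() returns void before OpenSSL 1.0.0, so its result cannot be checked */` would spare the next reader a trip to the OpenSSL headers. The same guard with the same body recurs in the decrypt hunk below, so a single static wrapper that returns int in both builds would remove the duplication and keep the two call sites checked identically. Returning -1 aborts the handshake, whereas 0 in encrypt mode tells OpenSSL to continue without issuing a ticket; aborting is the conservative choice when RAND_bytes() cannot supply an IV, and that choice is worth a short comment at the first `return -1;`. ngx_ssl_session_ticket_key_callback begins before this hunk.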
@@ -3011,8 +3028,20 @@ ngx_ssl_session_ticket_key_callback(ngx_
 ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
 (i == 0) ? " (default)" : "");
 
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if (HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+ }
+#else
 HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL);
- EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv);
+#endif
+
+ if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+ "EVP_DecryptInit_ex() failed");
+ return -1;
+ }
 
 return (i == 0) ? 1 : 2 /* renew */;
 }
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
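Review bot: In this decrypt branch a failed HMAC_Init_ex() or EVP_DecryptInit_ex() now returns -1, which aborts the handshake, while the callback contract also allows 0 to mean "ticket not recognized, proceed with a full handshake"; the distinction deserves a comment at the first `return -1;`, e.g. `/* local context setup failed, not a bad ticket: abort rather than silently fall back */`. Aborting is the safer reading, since a context-initialisation failure points at a misconfigured or failing crypto library rather than at client-controlled input, and a silent fallback would mask it while the ALERT-level ngx_ssl_error() call makes it visible. The new checks cover only the two Init_ex calls; the key-lookup loop and the function itself begin before this hunk, so whether the remaining OpenSSL calls in the callback are checked cannot be judged from here.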