> On Feb 5, 2015, at 7:32 PM, shinr...@apache.org wrote:
>
> Repository: trafficserver
> Updated Branches:
> refs/heads/master 1d617582b -> 5fe69772a
>
>
> TS-2480: Fix to work in the case where there are no ticket key files but
> tickets have not been disabled.
Doesn't OpenSSL do this implicitly? Or is the problem that we end up setting
the callback without having a keyblock?
> Also fix RHEL 5 compile error.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5fe69772
> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5fe69772
> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5fe69772
>
> Branch: refs/heads/master
> Commit: 5fe69772aa7e5e841349f3426a997930b44c0ff5
> Parents: 1d61758
> Author: shinrich
> Authored: Thu Feb 5 19:24:08 2015 -0600
> Committer: shinrich
> Committed: Thu Feb 5 21:32:26 2015 -0600
>
> --
> iocore/net/SSLUtils.cc | 45 ++---
> 1 file changed, 26 insertions(+), 19 deletions(-)
> --
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fe69772/iocore/net/SSLUtils.cc
> --
> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index 055d396..f0265c6 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -543,28 +543,34 @@ ssl_context_enable_tickets(SSL_CTX * ctx, const char *
> ticket_key_path)
> Error("failed to read SSL session ticket key from %s", (const char
> *)ticket_key_path);
> goto fail;
> }
> + } else {
> + // Generate a random ticket key
> + ticket_key_len = 48;
> + ticket_key_data = (char *)ats_malloc(ticket_key_len);
> + char *tmp_ptr = ticket_key_data;
> + RAND_bytes(reinterpret_cast(tmp_ptr), ticket_key_len);
> + }
>
> -num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t);
> -if (num_ticket_keys == 0) {
> - Error("SSL session ticket key from %s is too short (>= 48 bytes are
> required)", (const char *)ticket_key_path);
> - goto fail;
> -}
> + num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t);
> + if (num_ticket_keys == 0) {
> +Error("SSL session ticket key from %s is too short (>= 48 bytes are
> required)", (const char *)ticket_key_path);
> +goto fail;
> + }
>
> -// Increase the stats.
> -if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first
> run.
> - SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat);
> -}
> + // Increase the stats.
> + if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run.
> +SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat);
> + }
>
> -keyblock = ticket_block_alloc(num_ticket_keys);
> + keyblock = ticket_block_alloc(num_ticket_keys);
>
> -// Slurp all the keys in the ticket key file. We will encrypt with the
> first key, and decrypt
> -// with any key (for rotation purposes).
> -for (unsigned i = 0; i < num_ticket_keys; ++i) {
> - const char * data = (const char *)ticket_key_data + (i *
> sizeof(ssl_ticket_key_t));
> - memcpy(keyblock->keys[i].key_name, data,
> sizeof(ssl_ticket_key_t::key_name));
> - memcpy(keyblock->keys[i].hmac_secret, data +
> sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret));
> - memcpy(keyblock->keys[i].aes_key, data +
> sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret),
> sizeof(ssl_ticket_key_t::aes_key));
> -}
> + // Slurp all the keys in the ticket key file. We will encrypt with the
> first key, and decrypt
> + // with any key (for rotation purposes).
> + for (unsigned i = 0; i < num_ticket_keys; ++i) {
> +const char * data = (const char *)ticket_key_data + (i *
> sizeof(ssl_ticket_key_t));
> +memcpy(keyblock->keys[i].key_name, data,
> sizeof(ssl_ticket_key_t::key_name));
> +memcpy(keyblock->keys[i].hmac_secret, data +
> sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret));
> +memcpy(keyblock->keys[i].aes_key, data +
> sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret),
> sizeof(ssl_ticket_key_t::aes_key));
> }
>
> // Setting the callback can only fail if OpenSSL does not recognize the
> @@ -1771,10 +1777,11 @@ ssl_store_ssl_context(
> if (SSLConfigParams::init_ssl_ctx_cb) {
> SSLConfigParams::init_ssl_ctx_cb(ctx, true);
> }
> +#if HAVE_OPENSSL_SESSION_TICKETS
> if (!inserted && keyblock != NULL) {
> ticket_block_free(keyblock);
> }
> -
> +#endif
> return ctx;
> }
>
>