trafficserver git commit: TS-2480: Fix to work in the case where there are no ticket key files but tickets have not been disabled. Also fix RHEL 5 compile error.
Repository: trafficserver Updated Branches: refs/heads/master 1d617582b - 5fe69772a TS-2480: Fix to work in the case where there are no ticket key files but tickets have not been disabled. Also fix RHEL 5 compile error. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5fe69772 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5fe69772 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5fe69772 Branch: refs/heads/master Commit: 5fe69772aa7e5e841349f3426a997930b44c0ff5 Parents: 1d61758 Author: shinrich shinr...@yahoo-inc.com Authored: Thu Feb 5 19:24:08 2015 -0600 Committer: shinrich shinr...@yahoo-inc.com Committed: Thu Feb 5 21:32:26 2015 -0600 -- iocore/net/SSLUtils.cc | 45 ++--- 1 file changed, 26 insertions(+), 19 deletions(-) -- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fe69772/iocore/net/SSLUtils.cc -- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 055d396..f0265c6 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -543,28 +543,34 @@ ssl_context_enable_tickets(SSL_CTX * ctx, const char * ticket_key_path) Error(failed to read SSL session ticket key from %s, (const char *)ticket_key_path); goto fail; } + } else { + // Generate a random ticket key + ticket_key_len = 48; + ticket_key_data = (char *)ats_malloc(ticket_key_len); + char *tmp_ptr = ticket_key_data; + RAND_bytes(reinterpret_castunsigned char *(tmp_ptr), ticket_key_len); + } -num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t); -if (num_ticket_keys == 0) { - Error(SSL session ticket key from %s is too short (= 48 bytes are required), (const char *)ticket_key_path); - goto fail; -} + num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t); + if (num_ticket_keys == 0) { +Error(SSL session ticket key from %s is too short (= 48 bytes are required), (const char *)ticket_key_path); +goto fail; + } -// Increase the stats. -if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run. - SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat); -} + // Increase the stats. + if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run. +SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat); + } -keyblock = ticket_block_alloc(num_ticket_keys); + keyblock = ticket_block_alloc(num_ticket_keys); -// Slurp all the keys in the ticket key file. We will encrypt with the first key, and decrypt -// with any key (for rotation purposes). -for (unsigned i = 0; i num_ticket_keys; ++i) { - const char * data = (const char *)ticket_key_data + (i * sizeof(ssl_ticket_key_t)); - memcpy(keyblock-keys[i].key_name, data, sizeof(ssl_ticket_key_t::key_name)); - memcpy(keyblock-keys[i].hmac_secret, data + sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret)); - memcpy(keyblock-keys[i].aes_key, data + sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), sizeof(ssl_ticket_key_t::aes_key)); -} + // Slurp all the keys in the ticket key file. We will encrypt with the first key, and decrypt + // with any key (for rotation purposes). + for (unsigned i = 0; i num_ticket_keys; ++i) { +const char * data = (const char *)ticket_key_data + (i * sizeof(ssl_ticket_key_t)); +memcpy(keyblock-keys[i].key_name, data, sizeof(ssl_ticket_key_t::key_name)); +memcpy(keyblock-keys[i].hmac_secret, data + sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret)); +memcpy(keyblock-keys[i].aes_key, data + sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), sizeof(ssl_ticket_key_t::aes_key)); } // Setting the callback can only fail if OpenSSL does not recognize the @@ -1771,10 +1777,11 @@ ssl_store_ssl_context( if (SSLConfigParams::init_ssl_ctx_cb) { SSLConfigParams::init_ssl_ctx_cb(ctx, true); } +#if HAVE_OPENSSL_SESSION_TICKETS if (!inserted keyblock != NULL) { ticket_block_free(keyblock); } - +#endif return ctx; }
Re: trafficserver git commit: TS-2480: Fix to work in the case where there are no ticket key files but tickets have not been disabled. Also fix RHEL 5 compile error.
On Feb 5, 2015, at 7:32 PM, shinr...@apache.org wrote: Repository: trafficserver Updated Branches: refs/heads/master 1d617582b - 5fe69772a TS-2480: Fix to work in the case where there are no ticket key files but tickets have not been disabled. Doesn't OpenSSL do this implicitly? Or is the problem that we end up setting the callback without having a keyblock? Also fix RHEL 5 compile error. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5fe69772 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5fe69772 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5fe69772 Branch: refs/heads/master Commit: 5fe69772aa7e5e841349f3426a997930b44c0ff5 Parents: 1d61758 Author: shinrich shinr...@yahoo-inc.com Authored: Thu Feb 5 19:24:08 2015 -0600 Committer: shinrich shinr...@yahoo-inc.com Committed: Thu Feb 5 21:32:26 2015 -0600 -- iocore/net/SSLUtils.cc | 45 ++--- 1 file changed, 26 insertions(+), 19 deletions(-) -- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5fe69772/iocore/net/SSLUtils.cc -- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 055d396..f0265c6 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -543,28 +543,34 @@ ssl_context_enable_tickets(SSL_CTX * ctx, const char * ticket_key_path) Error(failed to read SSL session ticket key from %s, (const char *)ticket_key_path); goto fail; } + } else { + // Generate a random ticket key + ticket_key_len = 48; + ticket_key_data = (char *)ats_malloc(ticket_key_len); + char *tmp_ptr = ticket_key_data; + RAND_bytes(reinterpret_castunsigned char *(tmp_ptr), ticket_key_len); + } -num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t); -if (num_ticket_keys == 0) { - Error(SSL session ticket key from %s is too short (= 48 bytes are required), (const char *)ticket_key_path); - goto fail; -} + num_ticket_keys = ticket_key_len / sizeof(ssl_ticket_key_t); + if (num_ticket_keys == 0) { +Error(SSL session ticket key from %s is too short (= 48 bytes are required), (const char *)ticket_key_path); +goto fail; + } -// Increase the stats. -if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run. - SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat); -} + // Increase the stats. + if (ssl_rsb != NULL) { // ssl_rsb is not initialized during the first run. +SSL_INCREMENT_DYN_STAT(ssl_total_ticket_keys_renewed_stat); + } -keyblock = ticket_block_alloc(num_ticket_keys); + keyblock = ticket_block_alloc(num_ticket_keys); -// Slurp all the keys in the ticket key file. We will encrypt with the first key, and decrypt -// with any key (for rotation purposes). -for (unsigned i = 0; i num_ticket_keys; ++i) { - const char * data = (const char *)ticket_key_data + (i * sizeof(ssl_ticket_key_t)); - memcpy(keyblock-keys[i].key_name, data, sizeof(ssl_ticket_key_t::key_name)); - memcpy(keyblock-keys[i].hmac_secret, data + sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret)); - memcpy(keyblock-keys[i].aes_key, data + sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), sizeof(ssl_ticket_key_t::aes_key)); -} + // Slurp all the keys in the ticket key file. We will encrypt with the first key, and decrypt + // with any key (for rotation purposes). + for (unsigned i = 0; i num_ticket_keys; ++i) { +const char * data = (const char *)ticket_key_data + (i * sizeof(ssl_ticket_key_t)); +memcpy(keyblock-keys[i].key_name, data, sizeof(ssl_ticket_key_t::key_name)); +memcpy(keyblock-keys[i].hmac_secret, data + sizeof(ssl_ticket_key_t::key_name), sizeof(ssl_ticket_key_t::hmac_secret)); +memcpy(keyblock-keys[i].aes_key, data + sizeof(ssl_ticket_key_t::key_name) + sizeof(ssl_ticket_key_t::hmac_secret), sizeof(ssl_ticket_key_t::aes_key)); } // Setting the callback can only fail if OpenSSL does not recognize the @@ -1771,10 +1777,11 @@ ssl_store_ssl_context( if (SSLConfigParams::init_ssl_ctx_cb) { SSLConfigParams::init_ssl_ctx_cb(ctx, true); } +#if HAVE_OPENSSL_SESSION_TICKETS if (!inserted keyblock != NULL) { ticket_block_free(keyblock); } - +#endif return ctx; }