comparison src/event/ngx_event_openssl.c @ 6686:f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
No functional changes.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Mon, 12 Sep 2016 18:57:42 +0300 |
parents | 3eb1a92a2f05 |
children | dfa626cdde6b |
6685:4a16fceea03b | 6686:f28e74f02c88 |
---|---|
2939 | 2939 |
2940 return NGX_ERROR; | 2940 return NGX_ERROR; |
2941 } | 2941 } |
2942 | 2942 |
2943 | 2943 |
2944 #ifdef OPENSSL_NO_SHA256 | |
2945 #define ngx_ssl_session_ticket_md EVP_sha1 | |
2946 #else | |
2947 #define ngx_ssl_session_ticket_md EVP_sha256 | |
2948 #endif | |
2949 | |
2950 | |
2951 static int | 2944 static int |
2952 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, | 2945 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
2953 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, | 2946 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
2954 HMAC_CTX *hctx, int enc) | 2947 HMAC_CTX *hctx, int enc) |
2955 { | 2948 { |
2956 SSL_CTX *ssl_ctx; | 2949 SSL_CTX *ssl_ctx; |
2957 ngx_uint_t i; | 2950 ngx_uint_t i; |
2958 ngx_array_t *keys; | 2951 ngx_array_t *keys; |
2959 ngx_connection_t *c; | 2952 ngx_connection_t *c; |
2960 ngx_ssl_session_ticket_key_t *key; | 2953 ngx_ssl_session_ticket_key_t *key; |
2954 const EVP_MD *digest; | |
2955 const EVP_CIPHER *cipher; | |
2961 #if (NGX_DEBUG) | 2956 #if (NGX_DEBUG) |
2962 u_char buf[32]; | 2957 u_char buf[32]; |
2963 #endif | 2958 #endif |
2964 | 2959 |
2965 c = ngx_ssl_get_connection(ssl_conn); | 2960 c = ngx_ssl_get_connection(ssl_conn); |
2966 ssl_ctx = c->ssl->session_ctx; | 2961 ssl_ctx = c->ssl->session_ctx; |
2962 | |
2963 cipher = EVP_aes_128_cbc(); | |
2964 #ifdef OPENSSL_NO_SHA256 | |
2965 digest = EVP_sha1(); | |
2966 #else | |
2967 digest = EVP_sha256(); | |
2968 #endif | |
2967 | 2969 |
2968 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); | 2970 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); |
2969 if (keys == NULL) { | 2971 if (keys == NULL) { |
2970 return -1; | 2972 return -1; |
2971 } | 2973 } |
2978 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | 2980 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2979 "ssl session ticket encrypt, key: \"%*s\" (%s session)", | 2981 "ssl session ticket encrypt, key: \"%*s\" (%s session)", |
2980 ngx_hex_dump(buf, key[0].name, 16) - buf, buf, | 2982 ngx_hex_dump(buf, key[0].name, 16) - buf, buf, |
2981 SSL_session_reused(ssl_conn) ? "reused" : "new"); | 2983 SSL_session_reused(ssl_conn) ? "reused" : "new"); |
2982 | 2984 |
2983 RAND_bytes(iv, 16); | 2985 RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)); |
2984 EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[0].aes_key, iv); | 2986 EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv); |
2985 HMAC_Init_ex(hctx, key[0].hmac_key, 16, | 2987 HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL); |
2986 ngx_ssl_session_ticket_md(), NULL); | |
2987 ngx_memcpy(name, key[0].name, 16); | 2988 ngx_memcpy(name, key[0].name, 16); |
2988 | 2989 |
2989 return 1; | 2990 return 1; |
2990 | 2991 |
2991 } else { | 2992 } else { |
3008 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | 3009 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3009 "ssl session ticket decrypt, key: \"%*s\"%s", | 3010 "ssl session ticket decrypt, key: \"%*s\"%s", |
3010 ngx_hex_dump(buf, key[i].name, 16) - buf, buf, | 3011 ngx_hex_dump(buf, key[i].name, 16) - buf, buf, |
3011 (i == 0) ? " (default)" : ""); | 3012 (i == 0) ? " (default)" : ""); |
3012 | 3013 |
3013 HMAC_Init_ex(hctx, key[i].hmac_key, 16, | 3014 HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL); |
3014 ngx_ssl_session_ticket_md(), NULL); | 3015 EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv); |
3015 EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[i].aes_key, iv); | |
3016 | 3016 |
3017 return (i == 0) ? 1 : 2 /* renew */; | 3017 return (i == 0) ? 1 : 2 /* renew */; |
3018 } | 3018 } |
3019 } | 3019 } |
3020 | 3020 |
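Review bot: The result of `RAND_bytes()` on the encrypt side (new line 2985) is still discarded, so if the RNG fails or is unseeded the callback goes on to encrypt the ticket with whatever bytes `iv` happened to contain and returns 1 as if everything succeeded; since this factoring touches that line anyway, it is the moment to make it fail closed: `if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { return -1; }` (logging the failure through the module's usual SSL error logging, which is not visible in this view). Returning -1 here aborts the handshake, which is the same outcome the `keys == NULL` check at new line 2971 already chooses. The same unchecked-return pattern applies to `EVP_EncryptInit_ex()`, `EVP_DecryptInit_ex()` and both `HMAC_Init_ex()` calls, which also return 1 on success, so a failed init would let the ticket path proceed with an uninitialised cipher or MAC context. The stretches between new lines 2973–2980 and 2992–3009 are elided in this comparison, and I am assuming nothing in them checks these calls.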