comparison src/event/ngx_event_openssl.c @ 6686:f28e74f02c88

SSL: factored out digest and cipher in session ticket callback. No functional changes.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 12 Sep 2016 18:57:42 +0300
parents 3eb1a92a2f05
children dfa626cdde6b
6685:4a16fceea03b 6686:f28e74f02c88
2939 2939
2940 return NGX_ERROR; 2940 return NGX_ERROR;
2941 } 2941 }
2942 2942
2943 2943
2944 #ifdef OPENSSL_NO_SHA256
2945 #define ngx_ssl_session_ticket_md EVP_sha1
2946 #else
2947 #define ngx_ssl_session_ticket_md EVP_sha256
2948 #endif
2949
2950
2951 static int 2944 static int
2952 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, 2945 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
2953 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, 2946 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
2954 HMAC_CTX *hctx, int enc) 2947 HMAC_CTX *hctx, int enc)
2955 { 2948 {
2956 SSL_CTX *ssl_ctx; 2949 SSL_CTX *ssl_ctx;
2957 ngx_uint_t i; 2950 ngx_uint_t i;
2958 ngx_array_t *keys; 2951 ngx_array_t *keys;
2959 ngx_connection_t *c; 2952 ngx_connection_t *c;
2960 ngx_ssl_session_ticket_key_t *key; 2953 ngx_ssl_session_ticket_key_t *key;
2954 const EVP_MD *digest;
2955 const EVP_CIPHER *cipher;
2961 #if (NGX_DEBUG) 2956 #if (NGX_DEBUG)
2962 u_char buf[32]; 2957 u_char buf[32];
2963 #endif 2958 #endif
2964 2959
2965 c = ngx_ssl_get_connection(ssl_conn); 2960 c = ngx_ssl_get_connection(ssl_conn);
2966 ssl_ctx = c->ssl->session_ctx; 2961 ssl_ctx = c->ssl->session_ctx;
2962
2963 cipher = EVP_aes_128_cbc();
2964 #ifdef OPENSSL_NO_SHA256
2965 digest = EVP_sha1();
2966 #else
2967 digest = EVP_sha256();
2968 #endif
2967 2969
2968 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); 2970 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
2969 if (keys == NULL) { 2971 if (keys == NULL) {
2970 return -1; 2972 return -1;
2971 } 2973 }
2978 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, 2980 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
2979 "ssl session ticket encrypt, key: \"%*s\" (%s session)", 2981 "ssl session ticket encrypt, key: \"%*s\" (%s session)",
2980 ngx_hex_dump(buf, key[0].name, 16) - buf, buf, 2982 ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
2981 SSL_session_reused(ssl_conn) ? "reused" : "new"); 2983 SSL_session_reused(ssl_conn) ? "reused" : "new");
2982 2984
2983 RAND_bytes(iv, 16); 2985 RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
2984 EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[0].aes_key, iv); 2986 EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv);
2985 HMAC_Init_ex(hctx, key[0].hmac_key, 16, 2987 HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL);
2986 ngx_ssl_session_ticket_md(), NULL);
2987 ngx_memcpy(name, key[0].name, 16); 2988 ngx_memcpy(name, key[0].name, 16);
2988 2989
2989 return 1; 2990 return 1;
2990 2991
2991 } else { 2992 } else {
3008 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, 3009 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
3009 "ssl session ticket decrypt, key: \"%*s\"%s", 3010 "ssl session ticket decrypt, key: \"%*s\"%s",
3010 ngx_hex_dump(buf, key[i].name, 16) - buf, buf, 3011 ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
3011 (i == 0) ? " (default)" : ""); 3012 (i == 0) ? " (default)" : "");
3012 3013
3013 HMAC_Init_ex(hctx, key[i].hmac_key, 16, 3014 HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL);
3014 ngx_ssl_session_ticket_md(), NULL); 3015 EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv);
3015 EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[i].aes_key, iv);
3016 3016
3017 return (i == 0) ? 1 : 2 /* renew */; 3017 return (i == 0) ? 1 : 2 /* renew */;
3018 } 3018 }
3019 } 3019 }
3020 3020
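Review bot: The return value of `RAND_bytes()` on the encrypt path (new line 2985) is still ignored, so if the RNG fails the callback proceeds to `EVP_EncryptInit_ex()` with whatever bytes `iv` already holds and issues a ticket under a non-random IV. Since the callback already has an error convention (`return -1` when `keys == NULL`), the call should be guarded, e.g. `if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { return -1; }`, optionally preceded by an error log in the style this file uses for other OpenSSL failures. The `EVP_EncryptInit_ex()`, `EVP_DecryptInit_ex()` and `HMAC_Init_ex()` results are likewise unchecked on both paths, though those are pre-existing and less likely to fail at runtime. Note that the function body is shown with two gaps (old lines 2972–2977 and 2992–3007 are elided), so any validation that may already live there is not visible in this view.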