
[nginx] SSL: improved session ticket callback error handling.

Sergey Kandaurov
September 12, 2016 12:06PM
details: http://hg.nginx.org/nginx/rev/dfa626cdde6b
branches:
changeset: 6687:dfa626cdde6b
user: Sergey Kandaurov <pluknet@nginx.com>
date: Mon Sep 12 18:57:42 2016 +0300
description:
SSL: improved session ticket callback error handling.

Prodded by Guido Vranken.

diffstat:

src/event/ngx_event_openssl.c | 35 ++++++++++++++++++++++++++++++++---
1 files changed, 32 insertions(+), 3 deletions(-)

diffs (54 lines):

diff -r f28e74f02c88 -r dfa626cdde6b src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Sep 12 18:57:42 2016 +0300
+++ b/src/event/ngx_event_openssl.c Mon Sep 12 18:57:42 2016 +0300
@@ -2982,9 +2982,26 @@ ngx_ssl_session_ticket_key_callback(ngx_
ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
SSL_session_reused(ssl_conn) ? "reused" : "new");

- RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
- EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv);
+ if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed");
+ return -1;
+ }
+
+ if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+ "EVP_EncryptInit_ex() failed");
+ return -1;
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if (HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+ }
+#else
HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL);
+#endif
+
ngx_memcpy(name, key[0].name, 16);

return 1;
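Review bot: In the `#else` branch of the new `#if OPENSSL_VERSION_NUMBER >= 0x10000000L` guard, `HMAC_Init_ex()` is still called with its result ignored, and nothing in the code says why the check is limited to 1.0.0 and later. `HMAC_Init_ex()` returned void before OpenSSL 1.0.0, so the guard is required, but a one-line comment above the `#if` stating that would stop a later cleanup from dropping the guard or from assuming the old-library build has the same error handling as the rest of this branch.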
@@ -3011,8 +3028,20 @@ ngx_ssl_session_ticket_key_callback(ngx_
ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
(i == 0) ? " (default)" : "");

+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if (HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+ }
+#else
HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL);
- EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv);
+#endif
+
+ if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+ "EVP_DecryptInit_ex() failed");
+ return -1;
+ }

return (i == 0) ? 1 : 2 /* renew */;
}
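Review bot: The `#if`/`#else` block around `HMAC_Init_ex()` at the top of this hunk is a copy of the one in the encrypt branch, differing only in `key[i]` versus `key[0]`. Consider folding it into a small static helper that takes the key and returns the status, so the version guard lives in one place and the two call sites cannot drift apart. Separately, this branch initialises the HMAC before the cipher, while the encrypt branch does `EVP_EncryptInit_ex()` first and `HMAC_Init_ex()` second; using the same order in both would make the two paths easier to compare.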

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel