technocloud-public/nginx-unit
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

TLS: refactored nxt_tls_ticket_key_callback().

Browse Source 
Deduplicated code and improved style.
No functional changes.
This commit is contained in:
Valentin Bartenev
2021-08-25 10:33:32 +03:00
parent f50b07c21d
commit dbc5a742fd
2 changed files with 54 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
src/nxt_openssl.c
View File

@@ -28,6 +28,20 @@ typedef struct {
} nxt_openssl_conn_t;
struct nxt_tls_ticket_s {
u_char name[16];
u_char hmac_key[32];
u_char aes_key[32];
uint8_t size;
};
struct nxt_tls_tickets_s {
nxt_uint_t count;
nxt_tls_ticket_t tickets[];
};
typedef enum {
NXT_OPENSSL_HANDSHAKE = 0,
NXT_OPENSSL_READ,
@@ -677,18 +691,19 @@ nxt_tls_ticket_keys(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_init_t *tls_init,
return NXT_ERROR;
}
nxt_memcpy(ticket->name, buf, 16);
if (ret == 48) {
ticket->aes128 = 1;
nxt_memcpy(ticket->aes_key, buf + 16, 16);
nxt_memcpy(ticket->hmac_key, buf + 32, 16);
ticket->size = 16;
} else {
ticket->aes128 = 0;
nxt_memcpy(ticket->hmac_key, buf + 16, 32);
nxt_memcpy(ticket->aes_key, buf + 48, 32);
ticket->size = 32;
}
nxt_memcpy(ticket->name, buf, 16);
} while (i < count);
if (SSL_CTX_set_tlsext_ticket_key_cb(ctx, nxt_tls_ticket_key_callback)
@@ -727,7 +742,6 @@ static int
nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
{
size_t size;
nxt_uint_t i;
nxt_conn_t *c;
const EVP_MD *digest;
@@ -745,25 +759,14 @@ nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
tls = c->u.tls;
ticket = tls->conf->tickets->tickets;
#ifdef OPENSSL_NO_SHA256
digest = EVP_sha1();
#else
digest = EVP_sha256();
#endif
i = 0;
if (enc == 1) {
/* encrypt session ticket */
nxt_debug(c->socket.task, "TLS session ticket encrypt");
if (ticket[0].aes128 == 1) {
cipher = EVP_aes_128_cbc();
size = 16;
} else {
cipher = EVP_aes_256_cbc();
size = 32;
}
cipher = (ticket[0].size == 16) ? EVP_aes_128_cbc() : EVP_aes_256_cbc();
if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
@@ -771,32 +774,17 @@ nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
return -1;
}
if (EVP_EncryptInit_ex(ectx, cipher, NULL, ticket[0].aes_key, iv)
!= 1)
{
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"EVP_EncryptInit_ex() failed");
return -1;
}
if (HMAC_Init_ex(hctx, ticket[0].hmac_key, size, digest, NULL) != 1) {
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"HMAC_Init_ex() failed");
return -1;
}
nxt_memcpy(name, ticket[0].name, 16);
return 1;
} else {
/* decrypt session ticket */
for (i = 0; i < tls->conf->tickets->count; i++) {
do {
if (nxt_memcmp(name, ticket[i].name, 16) == 0) {
goto found;
}
}
} while (++i < tls->conf->tickets->count);
nxt_debug(c->socket.task, "TLS session ticket decrypt, key not found");
@@ -807,13 +795,9 @@ nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
nxt_debug(c->socket.task,
"TLS session ticket decrypt, key number: \"%d\"", i);
if (ticket[i].aes128 == 1) {
cipher = EVP_aes_128_cbc();
size = 16;
enc = (i == 0) ? 1 : 2 /* renew */;
} else {
cipher = EVP_aes_256_cbc();
size = 32;
cipher = (ticket[i].size == 16) ? EVP_aes_128_cbc() : EVP_aes_256_cbc();
}
if (EVP_DecryptInit_ex(ectx, cipher, NULL, ticket[i].aes_key, iv) != 1) {
@@ -822,14 +806,21 @@ nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
return -1;
}
if (HMAC_Init_ex(hctx, ticket[i].hmac_key, size, digest, NULL) != 1) {
#ifdef OPENSSL_NO_SHA256
digest = EVP_sha1();
#else
digest = EVP_sha256();
#endif
if (HMAC_Init_ex(hctx, ticket[i].hmac_key, ticket[i].size, digest, NULL)
!= 1)
{
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"HMAC_Init_ex() failed");
return -1;
}
return (i == 0) ? 1 : 2 /* renew */;
}
return enc;
}
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */

14
src/nxt_tls.h
View File

@@ -92,20 +92,6 @@ struct nxt_tls_init_s {
};
struct nxt_tls_ticket_s {
uint8_t aes128;
u_char name[16];
u_char hmac_key[32];
u_char aes_key[32];
};
struct nxt_tls_tickets_s {
nxt_uint_t count;
nxt_tls_ticket_t tickets[];
};
#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t nxt_openssl_lib;