Browse Source

[mod_openssl] migrate ticket cb to openssl 3.0.0

migrate ticket cb to openssl 3.0.0 interface
  SSL_CTX_set_tlsext_ticket_key_evp_cb()
master
Glenn Strauss 7 months ago
parent
commit
ebafd914e7
  1. 64
      src/mod_openssl.c

64
src/mod_openssl.c

@ -50,7 +50,6 @@
#endif
#include "sys-crypto.h"
#include "sys-crypto-md.h"
#ifdef BORINGSSL_API_VERSION
#undef OPENSSL_NO_STDIO /* for X509_STORE_load_locations() */
@ -85,6 +84,10 @@
#endif
#endif
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/core_names.h>
#endif
#include "base.h"
#include "fdevent.h"
#include "http_header.h"
@ -314,9 +317,11 @@ tlsext_ticket_wipe_expired (const time_t cur_ts)
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
/* based on reference implementation from openssl 1.1.1g man page
* man SSL_CTX_set_tlsext_ticket_key_cb
* but openssl code uses EVP_aes_256_cbc() instead of EVP_aes_128_cbc()
* but mod_openssl code uses EVP_aes_256_cbc() instead of EVP_aes_128_cbc()
*/
static int
ssl_tlsext_ticket_key_cb (SSL *s, unsigned char key_name[16],
@ -350,6 +355,56 @@ ssl_tlsext_ticket_key_cb (SSL *s, unsigned char key_name[16],
}
}
#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
/* based on reference implementation from openssl 3.0.0 man page
* man SSL_CTX_set_tlsext_ticket_key_cb
*/
static int
ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16],
unsigned char *iv, EVP_CIPHER_CTX *ctx,
EVP_MAC_CTX *hctx, int enc)
{
OSSL_PARAM params[3];
UNUSED(s);
if (enc) { /* create new session */
tlsext_ticket_key_t *k = tlsext_ticket_key_get();
if (NULL == k)
return 0; /* current key does not exist or is not valid */
memcpy(key_name, k->tick_key_name, 16);
if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
return -1; /* insufficient random */
EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, k->tick_aes_key, iv);
params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
k->tick_hmac_key,
sizeof(k->tick_hmac_key));
params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
CONST_STR_LEN("sha256")+1);
params[2] = OSSL_PARAM_construct_end();
EVP_MAC_CTX_set_params(hctx, params);
return 1;
}
else { /* retrieve session */
int refresh;
tlsext_ticket_key_t *k = tlsext_ticket_key_find(key_name, &refresh);
if (NULL == k)
return 0;
params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
k->tick_hmac_key,
sizeof(k->tick_hmac_key));
params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
CONST_STR_LEN("sha256")+1);
params[2] = OSSL_PARAM_construct_end();
EVP_MAC_CTX_set_params(hctx, params);
EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, k->tick_aes_key, iv);
return refresh ? 2 : 1;
/* 'refresh' will trigger issuing new ticket for session
* even though the current ticket is still valid */
}
}
#endif
static int
mod_openssl_session_ticket_key_file (const char *fn)
@ -2152,7 +2207,12 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
return -1;
#ifdef TLSEXT_TYPE_session_ticket
#if OPENSSL_VERSION_NUMBER < 0x30000000L
SSL_CTX_set_tlsext_ticket_key_cb(s->ssl_ctx, ssl_tlsext_ticket_key_cb);
#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
SSL_CTX_set_tlsext_ticket_key_evp_cb(s->ssl_ctx,
ssl_tlsext_ticket_key_cb);
#endif
#endif
#ifndef OPENSSL_NO_OCSP

Loading…
Cancel
Save