Posted to commits@trafficserver.apache.org by zw...@apache.org on 2013/12/14 22:51:26 UTC
[17/50] git commit: TS-1146: additional autoconf tests to support
older OpenSSL
TS-1146: additional autoconf tests to support older OpenSSL
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/358e9260
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/358e9260
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/358e9260
Branch: refs/heads/5.0.x
Commit: 358e92603dd0527122d3142f0a74a9d7280e595f
Parents: 6dabbd7
Author: James Peach <jp...@apache.org>
Authored: Fri Dec 6 15:26:22 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Fri Dec 6 15:27:31 2013 -0800
----------------------------------------------------------------------
build/crypto.m4 | 35 +++++++++++++++++++++++++++++++++++
configure.ac | 4 ++++
iocore/net/SSLUtils.cc | 24 ++++++++++++++++++++++--
lib/ts/ink_config.h.in | 1 +
4 files changed, 62 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index 998e147..0b8db8f 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -139,6 +139,41 @@ AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
AC_SUBST(use_tls_npn)
])
+AC_DEFUN([TS_CHECK_CRYPTO_TICKETS], [
+ _tickets_saved_LIBS=$LIBS
+ enable_tls_tickets=yes
+
+ TS_ADDTO(LIBS, [$LIBSSL])
+ AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h openssl/hmac.h openssl/evp.h)
+ AC_MSG_CHECKING([for SSL_CTX_set_tlsext_ticket_key_cb])
+ AC_COMPILE_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[SSL_CTX_set_tlsext_ticket_key_cb(NULL, NULL);]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_tls_tickets=no
+ ])
+
+ LIBS=$_tickets_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable TLS session ticket support)
+ AC_MSG_RESULT([$enable_tls_tickets])
+ TS_ARG_ENABLE_VAR([use], [tls-tickets])
+ AC_SUBST(use_tls_tickets)
+])
+
AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
_sni_saved_LIBS=$LIBS
enable_tls_sni=yes
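Review bot: The compile test only references SSL_CTX_set_tlsext_ticket_key_cb, yet the callback this flag enables is prototyped with EVP_CIPHER_CTX and HMAC_CTX (see the ssl_callback_session_ticket declaration in the SSLUtils.cc hunks), and openssl/evp.h and openssl/hmac.h are only probed by AC_CHECK_HEADERS, never tied into the enable decision. A toolchain where ssl.h and tls1.h compile but one of those two headers is missing would therefore report use_tls_tickets=yes and fail later in SSLUtils.cc instead of in configure. Add `#include <openssl/evp.h>` and `#include <openssl/hmac.h>` under their HAVE_ guards to the AC_LANG_PROGRAM preamble and reference both types in the test body, e.g. `EVP_CIPHER_CTX *c = NULL; HMAC_CTX *h = NULL; (void)c; (void)h;`. Since SSL_CTX_set_tlsext_ticket_key_cb is a macro over SSL_CTX_callback_ctrl in the OpenSSL headers I am aware of, an AC_LINK_IFELSE would additionally prove the library actually provides the control, which matters when header and library versions diverge.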
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index dde8c40..c06c173 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1131,6 +1131,10 @@ TS_CHECK_CRYPTO_EC_KEYS
TS_CHECK_CRYPTO_SNI
#
+# Check for RFC5077 TLS session ticket support.
+TS_CHECK_CRYPTO_TICKETS
+
+#
# Check for zlib presence and usability
TS_CHECK_ZLIB
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index ce1d383..f7b5f4b 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -30,7 +30,14 @@
#include <openssl/x509.h>
#include <openssl/asn1.h>
#include <openssl/rand.h>
+
+#if HAVE_OPENSSL_EVP_H
#include <openssl/evp.h>
+#endif
+
+#if HAVE_OPENSSL_HMAC_H
+#include <openssl/hmac.h>
+#endif
#if HAVE_OPENSSL_TS_H
#include <openssl/ts.h>
@@ -62,6 +69,7 @@ typedef const SSL_METHOD * ink_ssl_method_t;
typedef SSL_METHOD * ink_ssl_method_t;
#endif
+#if TS_USE_TLS_TICKETS
struct ssl_ticket_key_t
{
unsigned char key_name[16];
@@ -69,10 +77,12 @@ struct ssl_ticket_key_t
unsigned char aes_key[16];
};
-static ProxyMutex ** sslMutexArray;
-static bool open_ssl_initialized = false;
static int ssl_callback_session_ticket(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int);
static int ssl_session_ticket_index = 0;
+#endif /* TS_USE_TLS_TICKETS */
+
+static ProxyMutex ** sslMutexArray;
+static bool open_ssl_initialized = false;
struct ats_file_bio
{
@@ -232,6 +242,7 @@ ssl_context_enable_ecdh(SSL_CTX * ctx)
static SSL_CTX *
ssl_context_enable_tickets(SSL_CTX * ctx, const char * ticket_key_path)
{
+#if TS_USE_TLS_TICKETS
xptr<char> ticket_key_data;
int ticket_key_len;
ssl_ticket_key_t * ticket_key = NULL;
@@ -271,6 +282,11 @@ ssl_context_enable_tickets(SSL_CTX * ctx, const char * ticket_key_path)
fail:
delete ticket_key;
return ctx;
+
+#else /* TS_USE_TLS_TICKETS */
+ (void)ticket_key_path;
+ return ctx;
+#endif /* TS_USE_TLS_TICKETS */
}
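Review bot: The #else stub returns ctx unchanged and discards ticket_key_path without any message, so an operator who configured a ticket key file on a build where configure set use_tls_tickets=no gets no indication that the key is not in use; the session-ticket path then presumably runs with whatever key OpenSSL generates internally, which is not the key-sharing or rotation behaviour the configuration asked for. Emit a diagnostic before returning, e.g. `Debug("ssl", "session ticket key %s ignored: built without TLS session ticket key support", ticket_key_path);` (a warning-level message would be more visible to operators if the diagnostics layer offers one). The same silent fallback appears in the ssl_store_ssl_context hunk, where `#if defined(SSL_OP_NO_TICKET)` compiles out an explicit session_ticket_enabled == 0 request without comment when the option is absent. ssl_context_enable_tickets begins in the preceding hunk.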
void
@@ -684,11 +700,13 @@ ssl_store_ssl_context(
}
}
+#if defined(SSL_OP_NO_TICKET)
// Session tickets are enabled by default. Disable if explicitly requested.
if (session_ticket_enabled == 0) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
Debug("ssl", "ssl session ticket is disabled");
}
+#endif
// Load the session ticket key if session tickets are not disabled and we have key name.
if (session_ticket_enabled != 0 && ticket_key_filename) {
@@ -841,6 +859,7 @@ SSLParseCertificateConfiguration(
return true;
}
+#if TS_USE_TLS_TICKETS
/*
* RFC 5077. Create session ticket to resume SSL session without requiring session-specific state at the TLS server.
* Specifically, it distributes the encrypted session-state information to the client in the form of a ticket and
@@ -885,6 +904,7 @@ ssl_callback_session_ticket(
return -1;
}
+#endif /* TS_USE_TLS_TICKETS */
void
SSLReleaseContext(SSL_CTX * ctx)
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 0b69098..026e431 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -68,6 +68,7 @@
#define TS_USE_TLS_NPN @use_tls_npn@
#define TS_USE_TLS_SNI @use_tls_sni@
#define TS_USE_TLS_ECKEY @use_tls_eckey@
+#define TS_USE_TLS_TICKETS @use_tls_tickets@
#define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
#define TS_USE_COP_DEBUG @use_cop_debug@
#define TS_USE_INTERIM_CACHE @has_interim_cache@