TS-1146: additional autoconf tests to support older OpenSSL
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/358e9260 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/358e9260 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/358e9260 Branch: refs/heads/5.0.x Commit: 358e92603dd0527122d3142f0a74a9d7280e595f Parents: 6dabbd7 Author: James Peach <jpe...@apache.org> Authored: Fri Dec 6 15:26:22 2013 -0800 Committer: James Peach <jpe...@apache.org> Committed: Fri Dec 6 15:27:31 2013 -0800 ---------------------------------------------------------------------- build/crypto.m4 | 35 +++++++++++++++++++++++++++++++++++ configure.ac | 4 ++++ iocore/net/SSLUtils.cc | 24 ++++++++++++++++++++++-- lib/ts/ink_config.h.in | 1 + 4 files changed, 62 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/build/crypto.m4 ---------------------------------------------------------------------- diff --git a/build/crypto.m4 b/build/crypto.m4 index 998e147..0b8db8f 100644 --- a/build/crypto.m4 +++ b/build/crypto.m4 
@@ -139,6 +139,41 @@ AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
 AC_SUBST(use_tls_npn)
 ])
+AC_DEFUN([TS_CHECK_CRYPTO_TICKETS], [
+ _tickets_saved_LIBS=$LIBS
+ enable_tls_tickets=yes
+
+ TS_ADDTO(LIBS, [$LIBSSL])
+ AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h openssl/hmac.h openssl/evp.h)
+ AC_MSG_CHECKING([for SSL_CTX_set_tlsext_ticket_key_cb])
+ AC_COMPILE_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[SSL_CTX_set_tlsext_ticket_key_cb(NULL, NULL);]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_tls_tickets=no
+ ])
+
+ LIBS=$_tickets_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable TLS session ticket support)
+ AC_MSG_RESULT([$enable_tls_tickets])
+ TS_ARG_ENABLE_VAR([use], [tls-tickets])
+ AC_SUBST(use_tls_tickets)
+])
+
 AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
 _sni_saved_LIBS=$LIBS
 enable_tls_sni=yes
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index dde8c40..c06c173 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1131,6 +1131,10 @@ TS_CHECK_CRYPTO_EC_KEYS
 TS_CHECK_CRYPTO_SNI
 #
+# Check for RFC5077 TLS session ticket support.
+TS_CHECK_CRYPTO_TICKETS
+
+#
 # Check for zlib presence and usability
 TS_CHECK_ZLIB
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index ce1d383..f7b5f4b 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -30,7 +30,14 @@
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include <openssl/rand.h>
+
+#if HAVE_OPENSSL_EVP_H
 #include <openssl/evp.h>
+#endif
+
+#if HAVE_OPENSSL_HMAC_H
+#include <openssl/hmac.h>
+#endif
 #if HAVE_OPENSSL_TS_H
 #include <openssl/ts.h>
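Review bot: enable_tls_tickets in TS_CHECK_CRYPTO_TICKETS is decided only by whether `SSL_CTX_set_tlsext_ticket_key_cb(NULL, NULL)` compiles; the AC_CHECK_HEADERS results for openssl/hmac.h and openssl/evp.h are never folded in, even though the code this flag enables in iocore/net/SSLUtils.cc declares the ticket callback with `EVP_CIPHER_CTX *` and `HMAC_CTX *` parameters and, after this commit, includes those headers only under HAVE_OPENSSL_EVP_H / HAVE_OPENSSL_HMAC_H. Gate the feature on the headers as well, right after the AC_CHECK_HEADERS line: `if test "x$ac_cv_header_openssl_evp_h" != xyes || test "x$ac_cv_header_openssl_hmac_h" != xyes; then enable_tls_tickets=no; fi`. Separately, AC_COMPILE_IFELSE only compiles, so the `TS_ADDTO(LIBS, [$LIBSSL])` / `LIBS=$_tickets_saved_LIBS` pair has no effect on the probe; either drop it or switch to AC_LINK_IFELSE, which would also catch a header/library mismatch at configure time rather than at link time (in the OpenSSL releases I know, the macro expands to a call into libssl).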
@@ -62,6 +69,7 @@ typedef const SSL_METHOD * ink_ssl_method_t;
 typedef SSL_METHOD * ink_ssl_method_t;
 #endif
+#if TS_USE_TLS_TICKETS
 struct ssl_ticket_key_t {
 unsigned char key_name[16];
@@ -69,10 +77,12 @@ struct ssl_ticket_key_t
 unsigned char aes_key[16];
 };
-static ProxyMutex ** sslMutexArray;
-static bool open_ssl_initialized = false;
 static int ssl_callback_session_ticket(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int);
 static int ssl_session_ticket_index = 0;
+#endif /* TS_USE_TLS_TICKETS */
+
+static ProxyMutex ** sslMutexArray;
+static bool open_ssl_initialized = false;
 struct ats_file_bio {
@@ -232,6 +242,7 @@ ssl_context_enable_ecdh(SSL_CTX * ctx)
 static SSL_CTX *
 ssl_context_enable_tickets(SSL_CTX * ctx, const char * ticket_key_path)
 {
+#if TS_USE_TLS_TICKETS
 xptr<char> ticket_key_data;
 int ticket_key_len;
 ssl_ticket_key_t * ticket_key = NULL;
@@ -271,6 +282,11 @@ ssl_context_enable_tickets(SSL_CTX * ctx, const char * ticket_key_path)
 fail:
 delete ticket_key;
 return ctx;
+
+#else /* TS_USE_TLS_TICKETS */
+ (void)ticket_key_path;
+ return ctx;
+#endif /* TS_USE_TLS_TICKETS */
 }
 void
@@ -684,11 +700,13 @@ ssl_store_ssl_context(
 }
 }
+#if defined(SSL_OP_NO_TICKET)
 // Session tickets are enabled by default. Disable if explicitly requested.
 if (session_ticket_enabled == 0) {
 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
 Debug("ssl", "ssl session ticket is disabled");
 }
+#endif
 // Load the session ticket key if session tickets are not disabled and we have key name.
 if (session_ticket_enabled != 0 && ticket_key_filename) {
@@ -841,6 +859,7 @@ SSLParseCertificateConfiguration(
 return true;
 }
+#if TS_USE_TLS_TICKETS
 /*
 * RFC 5077. Create session ticket to resume SSL session without requiring session-specific state at the TLS server.
 * Specifically, it distributes the encrypted session-state information to the client in the form of a ticket and
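Review bot: The `#else /* TS_USE_TLS_TICKETS */` branch added to ssl_context_enable_tickets (hunk at -271) drops a configured ticket_key_path with `(void)ticket_key_path;` and returns ctx with no log line, so an operator who points a build without ticket support at a key file gets no indication that the key is ignored; the hunk at -684 has the same shape, where an explicit session_ticket_enabled == 0 is silently dropped whenever SSL_OP_NO_TICKET is undefined. Emit a diagnostic in both fallbacks, e.g. `Debug("ssl", "TLS session tickets are not supported by this build; ignoring ticket key %s", ticket_key_path);` before the `return ctx;`, and a matching Debug in an `#else` at -684 (assuming Debug accepts a format string; the visible call passes only a literal). The -684 guard also introduces `defined(SSL_OP_NO_TICKET)` as a second notion of ticket support alongside TS_USE_TLS_TICKETS; if the two are meant to differ (the option predating the key callback in older OpenSSL), a one-line comment saying so would keep the next reader from unifying them. The body of ssl_context_enable_tickets between the -232 and -271 hunks is outside this view.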
@@ -885,6 +904,7 @@ ssl_callback_session_ticket(
 return -1;
 }
+#endif /* TS_USE_TLS_TICKETS */
 void
 SSLReleaseContext(SSL_CTX * ctx)
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/358e9260/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 0b69098..026e431 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -68,6 +68,7 @@
 #define TS_USE_TLS_NPN @use_tls_npn@
 #define TS_USE_TLS_SNI @use_tls_sni@
 #define TS_USE_TLS_ECKEY @use_tls_eckey@
+#define TS_USE_TLS_TICKETS @use_tls_tickets@
 #define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
 #define TS_USE_COP_DEBUG @use_cop_debug@
 #define TS_USE_INTERIM_CACHE @has_interim_cache@