authorreyk <>2015-01-16 14:34:51 +0000
committerreyk <>2015-01-16 14:34:51 +0000
commitd23934efb8e7adaa63d4eb5752505a40e4b1f285 (patch)
tree607f55954a1c15abe402a97dd1b33b39adabb462
parente3fcff5ced4363c063140fcf09c8b274f8a77bdc (diff)
The SSL/TLS session Id context is limited to 32 bytes. Instead of
using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
-rw-r--r--src/lib/libtls/tls_server.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 001f19ded4..514148bd93 100644
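--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.2 2015/01/16 14:34:51 reyk Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -51,6 +51,7 @@ int
 tls_configure_server(struct tls *ctx)
 {
  EC_KEY *ecdh_key;
+ unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH];
 
  if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
  tls_set_error(ctx, "ssl context failure");
@@ -75,6 +76,17 @@ tls_configure_server(struct tls *ctx)
  EC_KEY_free(ecdh_key);
  }
 
+ /*
+ * Set session ID context to a random value. We don't support
+ * persistent caching of sessions so it is OK to set a temporary
+ * session ID context that is valid during run time.
+ */
+ arc4random_buf(sid, sizeof(sid));
+ if (!SSL_CTX_set_session_id_context(ctx->ssl_ctx, sid, sizeof(sid))) {
+ tls_set_error(ctx, "failed to set session id context");
+ goto err;
+ }
+
 return (0);
 
 err: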
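Review bot: The `sid` buffer declared at the top of tls_configure_server is sized with `SSL_MAX_SSL_SESSION_ID_LENGTH`, which bounds session IDs, whereas `SSL_CTX_set_session_id_context` limits its argument by `SSL_MAX_SID_CTX_LENGTH`. Both constants are 32 in the current headers, so the call succeeds today, but the declaration would state its intent and survive the two limits diverging if written as `unsigned char sid[SSL_MAX_SID_CTX_LENGTH];`. The new comment could also say that the context is regenerated on every call, so sessions cached under an earlier context are presumably not resumable after a reconfigure or restart. The body of the `err:` path lies outside the visible hunk.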