diff options
| author | jsing <> | 2018-08-27 16:42:48 +0000 | 
|---|---|---|
| committer | jsing <> | 2018-08-27 16:42:48 +0000 | 
| commit | 3214e561f5d16cffff1ac02e8f9fcf7cd78bafc8 (patch) | |
| tree | 71671a4717389a51b5152df1689cea13e657f8ca /src/lib/libssl/ssl_asn1.c | |
| parent | 26a03876b975111cf08bf5fdfe07c4c8c404abaa (diff) | |
| download | openbsd-3214e561f5d16cffff1ac02e8f9fcf7cd78bafc8.tar.gz openbsd-3214e561f5d16cffff1ac02e8f9fcf7cd78bafc8.tar.bz2 openbsd-3214e561f5d16cffff1ac02e8f9fcf7cd78bafc8.zip | |
Simplify new session ticket encoding/generation.
The original code did a crazy encode/malloc/encode/decode/modify/encode
dance, in order to encode a session in the form needed to encrypt then add
to a session ticket. By modifying the encoding functions slightly, we can
do this entire dance as a single encode.
Inspired by similar changes in BoringSSL.
ok inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_asn1.c')
| -rw-r--r-- | src/lib/libssl/ssl_asn1.c | 69 | 
1 files changed, 49 insertions, 20 deletions
| diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index 0ca442faa0..94fc8685fc 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_asn1.c,v 1.56 2018/03/20 16:10:57 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_asn1.c,v 1.57 2018/08/27 16:42:48 jsing Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2016 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016 Joel Sing <jsing@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -44,23 +44,16 @@ time_max(void) | |||
| 44 | return 0; | 44 | return 0; | 
| 45 | } | 45 | } | 
| 46 | 46 | ||
| 47 | int | 47 | static int | 
| 48 | i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) | 48 | SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, | 
| 49 | int ticket_encoding) | ||
| 49 | { | 50 | { | 
| 50 | CBB cbb, session, cipher_suite, session_id, master_key, time, timeout; | 51 | CBB cbb, session, cipher_suite, session_id, master_key, time, timeout; | 
| 51 | CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket; | 52 | CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket, value; | 
| 52 | CBB value; | 53 | unsigned char *peer_cert_bytes = NULL; | 
| 53 | unsigned char *data = NULL, *peer_cert_bytes = NULL; | 54 | int len, rv = 0; | 
| 54 | size_t data_len = 0; | ||
| 55 | int len, rv = -1; | ||
| 56 | uint16_t cid; | 55 | uint16_t cid; | 
| 57 | 56 | ||
| 58 | if (s == NULL) | ||
| 59 | return (0); | ||
| 60 | |||
| 61 | if (s->cipher == NULL && s->cipher_id == 0) | ||
| 62 | return (0); | ||
| 63 | |||
| 64 | if (!CBB_init(&cbb, 0)) | 57 | if (!CBB_init(&cbb, 0)) | 
| 65 | goto err; | 58 | goto err; | 
| 66 | 59 | ||
| @@ -87,10 +80,11 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) | |||
| 87 | if (!CBB_add_u16(&cipher_suite, cid)) | 80 | if (!CBB_add_u16(&cipher_suite, cid)) | 
| 88 | goto err; | 81 | goto err; | 
| 89 | 82 | ||
| 90 | /* Session ID. */ | 83 | /* Session ID - zero length for a ticket. */ | 
| 91 | if (!CBB_add_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) | 84 | if (!CBB_add_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) | 
| 92 | goto err; | 85 | goto err; | 
| 93 | if (!CBB_add_bytes(&session_id, s->session_id, s->session_id_length)) | 86 | if (!CBB_add_bytes(&session_id, s->session_id, | 
| 87 | ticket_encoding ? 0 : s->session_id_length)) | ||
| 94 | goto err; | 88 | goto err; | 
| 95 | 89 | ||
| 96 | /* Master key. */ | 90 | /* Master key. */ | 
| @@ -173,7 +167,7 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) | |||
| 173 | } | 167 | } | 
| 174 | 168 | ||
| 175 | /* Ticket [10]. */ | 169 | /* Ticket [10]. */ | 
| 176 | if (s->tlsext_tick) { | 170 | if (s->tlsext_tick != NULL) { | 
| 177 | if (!CBB_add_asn1(&session, &ticket, SSLASN1_TICKET_TAG)) | 171 | if (!CBB_add_asn1(&session, &ticket, SSLASN1_TICKET_TAG)) | 
| 178 | goto err; | 172 | goto err; | 
| 179 | if (!CBB_add_asn1(&ticket, &value, CBS_ASN1_OCTETSTRING)) | 173 | if (!CBB_add_asn1(&ticket, &value, CBS_ASN1_OCTETSTRING)) | 
| @@ -185,7 +179,44 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) | |||
| 185 | /* Compression method [11]. */ | 179 | /* Compression method [11]. */ | 
| 186 | /* SRP username [12]. */ | 180 | /* SRP username [12]. */ | 
| 187 | 181 | ||
| 188 | if (!CBB_finish(&cbb, &data, &data_len)) | 182 | if (!CBB_finish(&cbb, out, out_len)) | 
| 183 | goto err; | ||
| 184 | |||
| 185 | rv = 1; | ||
| 186 | |||
| 187 | err: | ||
| 188 | CBB_cleanup(&cbb); | ||
| 189 | free(peer_cert_bytes); | ||
| 190 | |||
| 191 | return rv; | ||
| 192 | } | ||
| 193 | |||
| 194 | int | ||
| 195 | SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len) | ||
| 196 | { | ||
| 197 | if (ss == NULL) | ||
| 198 | return 0; | ||
| 199 | |||
| 200 | if (ss->cipher == NULL && ss->cipher_id == 0) | ||
| 201 | return 0; | ||
| 202 | |||
| 203 | return SSL_SESSION_encode(ss, out, out_len, 1); | ||
| 204 | } | ||
| 205 | |||
| 206 | int | ||
| 207 | i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp) | ||
| 208 | { | ||
| 209 | unsigned char *data = NULL; | ||
| 210 | size_t data_len = 0; | ||
| 211 | int rv = -1; | ||
| 212 | |||
| 213 | if (ss == NULL) | ||
| 214 | return 0; | ||
| 215 | |||
| 216 | if (ss->cipher == NULL && ss->cipher_id == 0) | ||
| 217 | return 0; | ||
| 218 | |||
| 219 | if (!SSL_SESSION_encode(ss, &data, &data_len, 0)) | ||
| 189 | goto err; | 220 | goto err; | 
| 190 | 221 | ||
| 191 | if (data_len > INT_MAX) | 222 | if (data_len > INT_MAX) | 
| @@ -204,9 +235,7 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) | |||
| 204 | rv = (int)data_len; | 235 | rv = (int)data_len; | 
| 205 | 236 | ||
| 206 | err: | 237 | err: | 
| 207 | CBB_cleanup(&cbb); | ||
| 208 | freezero(data, data_len); | 238 | freezero(data, data_len); | 
| 209 | free(peer_cert_bytes); | ||
| 210 | 239 | ||
| 211 | return rv; | 240 | return rv; | 
| 212 | } | 241 | } | 
